11) DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

Locate possible injection points

As usual, the first step is to analyse the application. It has a search functionality, so let's search for a random string, then open the developer tools and find where the user input is located in the HTML.

We can see <body ng-app>, so the app is using AngularJS, which means we can execute JavaScript expressions within double curly braces {{}}.

AngularJS

AngularJS is a popular JavaScript library that scans the contents of HTML nodes containing the ng-app attribute (also known as an AngularJS directive). When the directive is added to the HTML code, you can execute JavaScript expressions within double curly braces. For example, if your input is reflected inside the body of the HTML and the body is defined with ng-app (<body ng-app>), expressions such as these are evaluated:

{{$on.constructor('alert(1)')()}}
{{constructor.constructor('alert(1)')()}}

And we have solved the lab.
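
The point of the lab seen from the defender's side, as an added example that is not part of the original write-up: encoding angle brackets and double quotes leaves {{ }} intact, so input reflected inside an ng-app scope has to be excluded from compilation with ng-non-bindable. The function names and the sample input are assumptions made for illustration.

```javascript
// Added example (not from the lab). All function names are hypothetical.

// The lab's output encoding: angle brackets and double quotes only.
function encodeLikeLab(input) {
  return input
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Full HTML text encoding. It still leaves { and } untouched, and turning
// them into entities would not help: the browser decodes entities before
// AngularJS reads the text node.
function encodeHtml(input) {
  return input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// True when the value carries the default AngularJS interpolation delimiters.
// Useful as a logging or alerting signal on reflected parameters.
function hasInterpolation(value) {
  return /\{\{[\s\S]*?\}\}/.test(value);
}

// Mitigation: reflect user input inside an element marked ng-non-bindable so
// AngularJS skips it. The input cannot close the span because < and > are
// encoded.
function renderSearchTerm(input) {
  return "<span ng-non-bindable>" + encodeHtml(input) + "</span>";
}

// Constructed sample input: a harmless arithmetic expression plus markup.
const sample = '{{1+1}} <b>"x"</b>';
const weak = encodeLikeLab(sample);
console.log(weak);                     // braces survive the lab's encoding
console.log(hasInterpolation(weak));   // flagged as an AngularJS expression
console.log(renderSearchTerm(sample)); // wrapped so AngularJS does not compile it
```

The regex only covers the default {{ }} delimiters; an application that changes them through $interpolateProvider needs the pattern adjusted to match.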
