🕵️‍♂️

Understanding AngularJS Cross-Site Scripting Exploit

May 19, 2025

DOM-Based Cross-Site Scripting Attack Exploitation using AngularJS

Introduction

  • Exploitation of a vulnerability in AngularJS
  • AngularJS: Deprecated JavaScript framework replaced by Angular (TypeScript framework)
  • Objective: Understanding the solution and mechanics of the vulnerability

AngularJS Vulnerability

  • JavaScript Frameworks evaluate content within curly brackets
  • Injection vulnerabilities detected by inserting JavaScript expressions like {1+1}
  • Expected result: Display of {1+1}; Actual result: Evaluates to 2
  • Challenges: Execution of JavaScript functions is restricted

Payload Breakdown

  • Use of { $eval.constructor('alert')() } to execute JavaScript
  • $eval and constructor exploit AngularJS's handling of JavaScript

Understanding the Exploit

AngularJS and JavaScript Basics

  • AngularJS uses directives with ng- prefix (e.g., ng-app, ng-controller)
  • JavaScript Expressions can be executed through AngularJS scope
  • $eval is a function in AngularJS context

JavaScript Function Constructor

  • Function Constructor: function FunctionName() { /* code */ }
  • Function Constructor allows dynamic function creation (security risk)
  • In JavaScript: let func = new Function('alert("Hello")'); func();

AngularJS Scope and Prototype

  • Inherited properties and functions from AngularJS's prototype
  • Accessing scope with angular.element(document.getElementById('test')).scope()
  • $eval and other functions accessible through prototype

The Role of Constructors

  • $.eval.constructor returns JavaScript function constructor
  • Allows bypassing function execution restrictions

Key Takeaways

  • Importance of understanding framework and JavaScript core features for exploit development
  • Security researchers must be familiar with multiple frameworks
  • Exploit demonstrates bypassing AngularJS security features

Conclusion

  • Understanding the mechanics behind the payload is crucial
  • Being a security researcher involves understanding beyond the basics
  • A deeper dive into AngularJS and JavaScript reveals nuances crucial for security analysis

This guide captures the key points and deeper insights needed to understand and conduct a DOM-based cross-site scripting attack using the AngularJS framework. The focus is on understanding the exploit's mechanics rather than merely implementing it.

Full transcript