In this post, we’re going to be solving the lab: “DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded”.

In this case, we’re told that the website uses AngularJS and that there is a DOM-based XSS in the search functionality. To complete the lab, we need to execute the alert function.
First of all, let’s access the lab:

Once accessed, we test the search functionality:


At first glance, nothing looks unusual. However, if we look at the source code:

We can see that the body tag carries the ng-app attribute. ng-app is a directive that marks the root element of an AngularJS application, and therefore defines where the application begins.
Because the application root is the body tag, any AngularJS expression that appears inside the body will be evaluated. The search functionality lets us control a parameter that is reflected inside that region.
Knowing this, we’ll use the payload {{constructor.constructor('alert(1)')()}}. Note that it contains no angle brackets or double quotes, so the HTML-encoding the site applies to those characters leaves it intact.
Let’s explain the payload:
- The double curly braces mark the content as an AngularJS expression, so it is evaluated instead of being shown as text.
- constructor.constructor resolves to the Function constructor, so it behaves like declaring a function whose body is the string inside the parentheses: constructor.constructor('alert(1)') builds a function containing alert(1), and the trailing () calls it.
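To see why the encoding the lab applies does not help, and what does, here is an added example (not code from the original post or from PortSwigger) that models the reflected search term as a string, simulates the browser's entity decoding and AngularJS's interpolation pass, and contrasts the vulnerable markup with a version using ng-non-bindable. The entity decoder and the interpolation scan are simplified stand-ins for the browser and AngularJS, written for this example.

```javascript
// HTML-encode the characters the lab's server encodes (< > ") plus & for correctness.
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Minimal entity decoder standing in for the browser's HTML parser: AngularJS reads
// the decoded text node, never the raw HTML source.
function htmlDecode(s) {
  return s.replace(/&quot;/g, '"').replace(/&gt;/g, ">").replace(/&lt;/g, "<")
          .replace(/&#123;/g, "{").replace(/&amp;/g, "&");
}

// Vulnerable markup: the reflected term sits inside <body ng-app>, so AngularJS
// evaluates any {{ ... }} found in the decoded text.
function renderVulnerable(term) {
  return `<body ng-app><h1>${htmlEncode(term)} search results</h1></body>`;
}

// Naive fix: entity-encoding braces as well does not help, because the browser
// decodes &#123; back to { before AngularJS ever looks at the text node.
function renderBraceEncoded(term) {
  return `<body ng-app><h1>${htmlEncode(term).replace(/\{/g, "&#123;")} search results</h1></body>`;
}

// Hardened markup: ng-non-bindable makes AngularJS skip that subtree, so the
// braces in user input stay literal text.
function renderHardened(term) {
  return `<body ng-app><h1><span ng-non-bindable>${htmlEncode(term)}</span> search results</h1></body>`;
}

// Detection helper for request logs or a WAF rule: flag interpolation delimiters
// in a search term, which a legitimate query almost never contains.
function hasAngularInterpolation(term) {
  return /\{\{[\s\S]*\}\}/.test(term);
}

// Simplified model of AngularJS's interpolation pass: returns the expressions that
// would be evaluated in this document. Nothing is executed here.
function interpolatedExpressions(html) {
  // $compile skips ng-non-bindable subtrees, so drop them before scanning.
  const scanned = html.replace(/<span ng-non-bindable>[\s\S]*?<\/span>/g, "");
  const text = htmlDecode(scanned.replace(/<[^>]+>/g, ""));
  const found = [];
  const re = /\{\{([\s\S]*?)\}\}/g;
  let m;
  while ((m = re.exec(text)) !== null) found.push(m[1]);
  return found;
}
```

Running interpolatedExpressions over the three renderings shows the lab payload surviving both the vulnerable and brace-encoded versions and disappearing only in the ng-non-bindable one.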
With that understood, we send the payload; remember that it is reflected inside the region that ng-app declares as the Angular application:

It is therefore evaluated as explained above, and the alert fires:


This way, we successfully solve the lab:

Some references: