Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
Key Takeaways
The video demonstrates a bypass of a JavaScript sandbox in AngularJS version 1.4.7, which was previously fixed, and prepares for a different bypass by testing the old bypass on the new version. The bypass is achieved through client-side template injection with AngularJS, using a clever exploit that overwrites the prototype of the string constructor's charAt function with the concat function, allowing for arbitrary code execution.
Full Transcript
in the last video we have looked at a very simple JavaScript sandbox Escape by abusing The Constructor property of the scope object to get an instance of the function Constructor which we then use to generate a function with alert and execute it in this video we will have a look at a different sandbox bypass for the version 1.4.7 a lot of internal stuff has changed between the old version 1.0.8 uh and this one but people will figure it out again credit for this bypass goes entirely to all those amazing researchers who looked at angularjs in the past and the bypass I'm showing here was found by GTH haes so let's move on to this new angularjs version and try to use our old bypass and let's see what happens hm no alert let's have a look at the console error referencing function uh notice the capital written function that refers to the function Constructor you know that we used to call Alert in angularjs expression is disallowed okay crazy angular refuses to work with the function Constructor that we got by following the Constructor from the scope in the St Trace we can also find the function where this error is coming from it is coming from ensure safe object click on it to see the function this is it and here's quite a clever check if the object coming in as a parameter obj is the function Constructor I've briefly mentioned that the highest Constructor in JavaScript is the function Constructor this means that if you try to get the Constructor of the function Constructor you will end up with the function Constructor again so when obj is already a function Constructor The Constructor of that will be again the function Constructor so this if will evaluate to true and throw this error and as you can see I've also modified this angularjs code and added debugger statements as breakpoints in multiple places this will stop the execution when you have the developer console open now I will take the sandbox bypass from gareus and we will step through the JavaScript code to see how it works and why it works but that might get a bit freaky so we will start by looking at this expression and try to get a first understanding on what it tries to achieve and in the following video we will then see how this actually works inside of angularjs first of all I will modify this a bit and instead of array. join I will use string. concat I think that's a bit less confusing I will also modify the actual payload a little bit to make it more clear and also add a break point into it before we call alert so as you can see this expression has actually two parts the first part with some weird prototype stuff and an assignment and separated um like JavaScript with a semicolon is another expression with an dollar evil I hope you remember the first video where I explained that dollar eval is just evaluating an angularjs expression it's equivalent to double curly braces so this whole thing is basically an angularjs expression with another expression evaluated inside let's have a look at the first part so it somehow does something with chared chared is a standard string function it Returns the character at the index given as parameter so chared zero Returns the character a and Char at one the S but what about that Constructor prototype stuff so the Expressions start with a string and reference the Constructor of that which obviously gives us access to the string Constructor no that this is not a dangerous object like the fun function Constructor I mean what harm can a string Constructor do that only allows us to create new strings from that string Constructor it now references prototype and prototype is fancy JavaScript every string we use is a descendant from the string object and prototype can be used to reference the actual function or method that is inherited to all string objects so we are now referencing the chared function that all all other strings inherit and now the exploit wants to assign something different to that method what the it wants to assign the conad function so let's see what conad does string b. conad is also a string function or method it concatenates another string so for example I pend the string CCC Tob which returns bccc so now let's overwrite the Prototype chared with concat and now the string ASD do chared suddenly Returns the concat function instead of char it what the hell and when we now perform the Char Ed like we did at the beginning we don't get the first character uh we append zero to the string so that first part of the expression attempts to completely destroy how string chared function works if that is successful you can imagine very very weird things happen if something is relying on chared and if we look at where our first breakpoint hit angularjs uses chared to do something so what will happen find out on the next episode of this series to step through the actual angularjs exploit and see how it screws the internal state of [Music] angularjs
Original Description
Testing the old bypass from version 1.0.8 on a new version 1.4.7 where it's fixed, to prepare for a different bypass.
mario heiderich @0x6d6172696f (https://cure53.de/)
gareth heyes @garethheyes
XSS without HTML: Client-Side Template Injection with AngularJS
http://blog.portswigger.net/2016/01/x...
An Abusive Relationship with AngularJS
https://vimeo.com/165951806
-=[ 🔴 Stuff I use ]=-
→ Microphone:* https://geni.us/ntg3b
→ Graphics tablet:* https://geni.us/wacom-intuos
→ Camera#1 for streaming:* https://geni.us/sony-camera
→ Lens for streaming:* https://geni.us/sony-lense
→ Connect Camera#1 to PC:* https://geni.us/cam-link
→ Keyboard:* https://geni.us/mech-keyboard
→ Old Microphone:* https://geni.us/mic-at2020usb
US Store Front:* https://www.amazon.com/shop/liveoverflow
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#WebSecurity
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveOverflow · LiveOverflow · 35 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
▶
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
![[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F](https://i.ytimg.com/vi/2GVi8_9u5TY/mqdefault.jpg)
57
58
59
60
LiveOverflow - Trailer
LiveOverflow
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
Writing a simple Program in C
LiveOverflow
Writing a simple Program in Python - bin 0x03
LiveOverflow
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
A simple Format String exploit example - bin 0x11
LiveOverflow
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
The Heap: Once upon a free() - bin 0x17
LiveOverflow
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
TCP Protocol introduction - bin 0x1A
LiveOverflow
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
Linux signals and core dumps - bin 0x1C
LiveOverflow
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
How to learn hacking? ft. Rubber Ducky
LiveOverflow
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow
Related AI Lessons
⚡
⚡
⚡
⚡
Had my Frontend Developer interview with Capgemini (Application Developer) today, and I wanted to…
Medium · JavaScript
10 Frontend Developer Tools to Boost Productivity in 2026
Medium · Programming
10 Frontend Developer Tools to Boost Productivity in 2026
Medium · JavaScript
The US Frontend Engineer Market in 2026: A Data-Driven Reality Check (and the Bias That Stops Us Seeing It)
Dev.to AI
🎓
Tutor Explanation
DeepCamp AI