Lab: Reflected XSS with AngularJS sandbox escape and CSP
This lab uses CSP and AngularJS.
To solve the lab, perform a cross-site scripting attack that bypasses CSP, escapes the AngularJS sandbox, and alerts
Launching labs may take some time, please hold on while we build your environment.
Go to the exploit server and paste the following code, replacing
your-lab-id with your lab ID:
Click “Store” and “Deliver exploit to victim”.
The exploit uses the
ng-focus event in AngularJS to create a focus event that bypasses CSP. It also uses
$event, which is an AngularJS variable that references the event object. The
path property is specific to Chrome and contains an array of elements that triggered the event. The last element in the array contains the
orderBy filter. The colon signifies an argument that is being sent to the filter. In the argument, instead of calling the
alert function directly, we assign it to the variable
z. The function will only be called when the
orderBy operation reaches the
window object in the
$event.path array. This means it can be called in the scope of the window without an explicit reference to the
window object, effectively bypassing AngularJS’s
Credit: Source link