DOM based AngularJS sandbox escapes

# Gareth Heyes (7 years ago)

I thought I'd share my AngularJS talk because it has a few js bugs/features. Chrome allows you to call `__lookupGetter__` in the context of window when called as a general function, not as a member function.

There are also a load of getters now available on window, such as event, which leads to a sandbox escape.

Firefox allows you to use `__lookupGetter__` to get caller; no other browser does this. There are many more quirks explained in the talk and blog.

Talk: youtu.be/jlSI5aVTEIg?a
Blog: blog.portswigger.net/2017/05/dom-based-angularjs-sandbox-escapes.html
Slides: portswigger.net/knowledgebase/papers/DOMAngularSandboxEscapes.pdf

# T.J. Crowder (7 years ago)

On Wed, Aug 30, 2017 at 11:36 AM, Gareth Heyes <gareth.heyes at portswigger.net> wrote:

> I thought I'd share my AngularJS talk because it has a few js bugs/features.

I recommend opening proper issues (if they aren't already reported) in the appropriate locations (e.g., the V8 issue list, Chromium issue list, Bugzilla, ...).

-- T.J. Crowder