I am trying to exploit the XSS vulnerability in AngularJS with a simple example:

SNIPPET

<html>
<head>

    <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.5/angular.min.js"></script>

    <script>
        //app declaration
        var app = angular.module('myApp', []);

        //controller declaration
        app.controller('myCtrl', function ($scope) {
            $scope.name = 9;
        });
    </script>

</head>

<body ng-app="myApp" ng-controller="myCtrl">

    <input type="text" ng-model="name">

    <!-- sanitized html --> 
    <p ng-bind="name"></p>
    <hr/>
    <img src="apple.png" /> 

</body>

</html>

Result:

(screenshot of the rendered page)

Expectation:

I expected 2 apples to be there: the first by ng-bind and the second by the normal image (as per the HTML). I can see the second apple image (as it is in the same folder as my HTML file), but why not the first? Though I can see the link in the executed code?

Deadpool
  • The model is being treated as a string. Use trustAsHtml when you set it on the p tag. – NiRUS Feb 13 '17 at 12:22
  • I have to give an example of how a normal Angular site can be vulnerable. If I add trustAsHtml, it will show that I allowed the injection to take place. I will use it only when I am confirmed the user can input anything here ... – Deadpool Feb 13 '17 at 12:23
  • What is your point? You are trying to show a vulnerability that simply isn't there. – Camo Feb 13 '17 at 12:27
  • Angular is not allowing the img tag to be injected; it is treated as text, which is how it should work. If you want to convert simple text to HTML then you have to explicitly allow it to be trusted. What exactly are you looking for? – NiRUS Feb 13 '17 at 12:28

1 Answer

ng-bind automatically escapes the HTML code.

If you want to show the result without it being sanitized, then use ng-bind-html.

You can find the further details here in the linked doc:

https://docs.angularjs.org/api/ngSanitize/service/$sanitize

Splaktar
smali