This repository has been archived by the owner on Jan 10, 2023. It is now read-only.
<!DOCTYPE html>
<html>
<head>
<title>Firing Range - Angular Test Cases</title>
<style>
.details {
font-size: small;
}
</style>
</head>
<body>
<div class="test">
<p>
AngularJS-based server-side expression injection vulnerabilities. These
vulnerabilities arise when client-side Angular templates are dynamically
generated on the server side from user input. Angular treats these
templates as trusted and therefore evaluates any expression contained
within them.
</p>
<ol>
<li>
<a href="/angular/angular_body/1.1.5?q=test">Angular 1.1.5</a>
</li>
<li>
<a href="/angular/angular_body/1.2.0?q=test">Angular 1.2.0</a>
</li>
<li>
<a href="/angular/angular_body/1.2.18?q=test">Angular 1.2.18</a>
</li>
<li>
<a href="/angular/angular_body/1.2.19?q=test">Angular 1.2.19</a>
</li>
<li>
<a href="/angular/angular_body/1.2.24?q=test">Angular 1.2.24</a>
</li>
<li>
<a href="/angular/angular_body/1.6.0?q=test">Angular 1.6.0</a>
</li>
</ol>
<h3>Version-agnostic AngularJS interpolation sinks</h3>
<ol>
<li>
<a href="/angular/angular_body/1.4.0?q=test">Vanilla interpolation</a>
<p>Server-side injection into AngularJS interpolation template</p>
</li>
<li>
<a href="/angular/angular_body_alt_symbols/1.4.0?q=test">
Custom start and end symbols
</a>
<p>
Interpolation symbols, by default <code>{{}}</code>, are replaced
with <code>[[]]</code>.
</p>
</li>
<li>
<a href="/angular/angular_body_alt_symbols_raw/1.6.0?q=test">
Custom start and end symbols without surrounding symbols
</a>
<p>
Interpolation symbols, by default <code>{{}}</code>, are replaced
with <code>[[]]</code>.
</p>
</li>
<li>
<a href="/angular/angular_body_raw/1.4.0?q=test">
Parameter reflection into body, no symbol escaping
</a>
<p>
The parameter is reflected into the page as-is; no server-side
filtering is performed apart from '&lt;' and '&gt;'.
</p>
</li>
<li>
<a href="/angular/angular_body_raw_post/1.6.0">
POST parameter reflection into body, no symbol escaping
</a>
<p>
The POST parameter is reflected into the page as-is; no server-side
filtering is performed apart from '&lt;' and '&gt;'.
</p>
</li>
<li>
<a href="/angular/angular_body_raw_escaped/1.4.0?q=test">
Parameter reflection into body, no HTML entity symbol escaping
</a>
<p>
The parameter is reflected into the page, with the default
interpolation symbols properly escaped with backslashes. However,
the equivalent HTML entities are not escaped, so AngularJS can still
execute the payload.
</p>
</li>
<li>
<a href="/angular/angular_body_raw_escaped_alt_symbols/1.4.0?q=test">
Parameter reflection into body, no HTML entity symbol escaping,
with custom symbols
</a>
<p>
The parameter is reflected into the page, with alternate
interpolation symbols properly escaped with backslashes. However,
the equivalent HTML entities are not escaped, so AngularJS can still
execute the payload.
</p>
</li>
<li>
<a href="/angular/angular_body_attribute_ng/1.4.0?q=test">
ng-attribute interpolation
</a>
<p>Server-side injection into an ng-attribute</p>
</li>
<li>
<a href="/angular/angular_body_attribute_non_ng/1.4.0?q=test">
Non-ng-attribute interpolation
</a>
<p>
Server-side injection into interpolation template within a regular
attribute
</p>
</li>
<li>
<a href="/angular/angular_body_attribute_non_ng_raw/1.4.0?q=test">
Non-ng-attribute reflection
</a>
<p>Server-side injection into a regular attribute</p>
</li>
<li>
<a href="/angular/angular_form_parse/1.6.0">
Form value that is fed into $parse.
</a>
<p>Injection into $parse via a client-side form processing function.</p>
</li>
<li>
<a href="/angular/angular_cookie_parse/1.6.0">
Cookie value that is fed into $parse.
</a>
<p>Injection into $parse via a cookie value.</p>
</li>
<li>
<a href="/angular/angular_storage_parse/1.6.0">
Storage value that is fed into $parse.
</a>
<p>Injection into $parse via a localStorage value.</p>
</li>
<li>
<a href="/angular/angular_post_message_parse/1.6.0">
Message value that is fed into $parse.
</a>
<p>Injection into $parse via a postMessage value.</p>
</li>
</ol>
</div>
</body>
</html>
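
The two "no HTML entity symbol escaping" cases listed above, as an added example that is not Firing Range code: it contrasts escaping only the literal interpolation symbols with a hardened variant that also neutralizes character references, going one step beyond the page by showing the fix. All function names are hypothetical, `decodeEntities` is a simplified model of the browser's HTML parsing, and the sample input is constructed.

```javascript
// Added example: all names are hypothetical, not taken from Firing Range.

// Backslash-escape every character used by the interpolation symbols.
// Conservative: a lone "{" in ordinary text also gains a backslash.
function backslashSymbols(input, start = '{{', end = '}}') {
  const chars = new Set(start + end);
  return Array.from(input, (c) => (chars.has(c) ? '\\' + c : c)).join('');
}

// Weak form: only the literal symbols are escaped; entities pass through.
const escapeLiteralOnly = backslashSymbols;

// Hardened form: encode HTML metacharacters first so that no character
// reference survives to be decoded into a symbol, then escape the literals.
function escapeForTemplate(input, start = '{{', end = '}}') {
  const html = input.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  return backslashSymbols(html, start, end);
}

// Minimal model of the HTML parser step that runs before AngularJS reads the
// DOM: numeric and a few named character references are decoded once.
function decodeEntities(html) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return html.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] !== '#') return named[ref] ?? m;
    const hex = ref[1] === 'x' || ref[1] === 'X';
    const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// True when the parsed text still contains a start symbol for $interpolate.
function hasLiveMarker(html, start = '{{') {
  return decodeEntities(html).includes(start);
}

// Constructed input: the default symbols written as character references.
const sample = '&#123;&#123;1+1&#125;&#125;';
console.log(hasLiveMarker(escapeLiteralOnly(sample))); // true
console.log(hasLiveMarker(escapeForTemplate(sample))); // false
```

Keeping reflected input out of the compiled template altogether, for example inside an element marked `ng-non-bindable`, avoids relying on escaping at all.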