AngularJS-based server-side expression injection vulnerabilities.

These vulnerabilities arise when client-side Angular templates are dynamically generated on the server side from user input. Angular treats these templates as trusted and therefore evaluates any expression they contain.

  1. Angular 1.1.5
  2. Angular 1.2.0
  3. Angular 1.2.18
  4. Angular 1.2.19
  5. Angular 1.2.24
  6. Angular 1.6.0

Version-agnostic AngularJS interpolation sinks

  1. Vanilla interpolation

    Server-side injection into AngularJS interpolation template

  2. Custom start and end symbols

    Interpolation symbols, by default {{}}, are replaced with [[]].

  3. Custom start and end symbols without surrounding symbols

    Interpolation symbols, by default {{}}, are replaced with [[]].

  4. Parameter reflection into body, no symbol escaping

    The parameter is reflected into the page as-is; the only server-side filtering applied is of '<' and '>'.

  5. POST parameter reflection into body, no symbol escaping

    The POST parameter is reflected into the page as-is; the only server-side filtering applied is of '<' and '>'.

  6. Parameter reflection into body, no HTML entity symbol escaping

    The parameter is reflected into the page, with the default interpolation symbols properly escaped with backslashes. However, the equivalent HTML entities are not escaped, so AngularJS can still execute the payload.

  7. Parameter reflection into body, no HTML entity symbol escaping, with custom symbols

    The parameter is reflected into the page, with alternate interpolation symbols properly escaped with backslashes. However, the equivalent HTML entities are not escaped, so AngularJS can still execute the payload.

  8. ng-attribute interpolation

    Server-side injection into an ng-attribute

  9. Non-ng-attribute interpolation

    Server-side injection into interpolation template within a regular attribute

  10. Non-ng-attribute reflection

    Server-side injection into a regular attribute

  11. Form value that is fed into $parse

    Injection into $parse via a client-side form processing function.

  12. Cookie value that is fed into $parse

    Injection into $parse via a cookie value.

  13. Storage value that is fed into $parse

    Injection into $parse via a localStorage value.

  14. Message value that is fed into $parse

    Injection into $parse via a postMessage value.