AngularJS-based server-side expression injection vulnerabilities. These vulnerabilities are caused when client-side Angular templates are dynamically generated on the server-side based on user-input. Angular considers these templates as trusted and hence evaluates any expression contained within such a template.

  1. Angular 1.1.5
  2. Angular 1.2.0
  3. Angular 1.2.18
  4. Angular 1.2.19
  5. Angular 1.2.24

Version-agnostic AngularJS interpolation sinks

  1. Vanilla interpolation

    Server-side injection into AngularJS interpolation template

  2. Custom start and end symbols

    Interpolation symbols, by default {{}}, are replaced with [[]].

  3. Parameter reflection into body, no symbol escaping

    The parameter is reflected into the page as-is; no server-side filtering is performed apart from '<' and '>'.

  4. Parameter reflection into body, no HTML entity symbol escaping

    The parameter is reflected into the page, with the default interpolation symbols properly escaped with backslashes. However, the equivalent HTML entities are not escaped, so AngularJS can still execute the payload.

  5. Parameter reflection into body, no HTML entity symbol escaping, with custom symbols

    The parameter is reflected into the page, with alternate interpolation symbols properly escaped with backslashes. However, the equivalent HTML entities are not escaped, so AngularJS can still execute the payload.

  6. ng-attribute interpolation

    Server-side injection into an ng-attribute

  7. Non-ng-attribute interpolation

    Server-side injection into interpolation template within a regular attribute

  8. Non-ng-attribute reflection

    Server-side injection into a regular attribute

  9. Parameter reflection into non-ng-attribute

    Server-side injection into a regular attribute