Burp Suite User Forum

Login to post

Possible error in "AngularJS sandbox"

Addi | Last updated: Jan 13, 2022 04:09PM UTC

In "How does an AngularJS sandbox escape work?" it is indicated that "single characters are always less than multiple characters". I maybe misunderstood the sentence, but this is false for example the example given 'x9=9a9l9e9r9t9(919)' is inferior to 'z', which by the way is necessary for isIdent('x9=9a9l9e9r9t9(919)') to be true. So is it an error or misunderstanding on my part?

Uthman, PortSwigger Agent | Last updated: Jan 14, 2022 10:15AM UTC

Hi Addi,

Unfortunately, we are unable to provide personal support or tutoring to Academy users, as we prefer to improve the experience for our entire userbase by focusing on expanding and refining our public content.

The learning materials (https://portswigger.net/web-security/cross-site-scripting/contexts/angularjs-sandbox#:~:text=How%20does%20an%20AngularJS%20sandbox%20escape%20work%3F) mention that isIdent compares a single character against multiple characters. In the example, "As single characters are always less than multiple characters, the isIdent() function always returns true".

Looking at the function, the comparison is always made against a single character (e.g. 'a' or 'z'). So that explains why the example returns true. Can you share some more detail on what the issue is, please?

You need to Log in to post a reply. Or register here, for free.