This lab uses AngularJS in an unusual way where the $eval function is not available and you will be unable to use any strings in AngularJS. To solve the lab, perform a cross-site scripting attack that escapes the sandbox and executes the alert function without using the

Visit the following URL, replacing your-lab-id with your lab ID:

The exploit uses toString() to create a string without using quotes. It then gets the String prototype and overwrites the charAt function for every string. This effectively breaks the AngularJS sandbox. Next, an array is passed to the orderBy filter. We then set the argument for the filter by again using toString() to create a string and the String constructor property. Finally, we use the fromCharCode method to generate our payload by converting character codes into the string x=alert(1). Because the charAt function has been overwritten, AngularJS will allow this code where normally it would not.
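
For detection, the primitives named above (String prototype access, a charAt overwrite, fromCharCode, the orderBy filter) can be looked for in logged query strings. The following is an added example, not code from the lab or from AngularJS; the indicator patterns, function names and sample query strings are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage of logged query strings for the primitives
// this write-up names. Patterns and thresholds are assumptions, not a standard.
const INDICATORS = [
  ['prototype-access', /\bconstructor\s*\.\s*prototype\b/],
  ['charAt-overwrite', /\.\s*charAt\s*=(?!=)/],
  ['fromCharCode-call', /\bfromCharCode\s*\(/],
  ['orderBy-filter', /\|\s*orderBy\s*:/],
  ['toString-call', /\btoString\s*\(\s*\)/],
];

// Undo up to maxRounds layers of URL encoding so double-encoded input is seen.
function decodeLayers(value, maxRounds = 3) {
  let current = value.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      break; // malformed escape: scan what has been decoded so far
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns one finding per parameter that matches at least minHits indicators.
// Key and value are scanned together, since either can carry an expression.
function scanQuery(query, minHits = 2) {
  const findings = [];
  query.replace(/^\?/, '').split('&').forEach((pair, index) => {
    const text = decodeLayers(pair);
    const hits = INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
    if (hits.length >= minHits) findings.push({ index, hits });
  });
  return findings;
}

// Constructed sample query strings (inert fragments, not taken from the page).
const SAMPLES = {
  benign: 'search=how+does+charAt+work&sort=asc',
  flagged: 'search=1&toString().constructor.prototype.charAt%3DPLACEHOLDER',
  doubleEncoded: 'search=1&x%257CorderBy%253AfromCharCode(PLACEHOLDER)',
};
```

Requiring two or more indicators keeps ordinary searches that merely mention charAt or orderBy from being flagged; a hit is a prompt to review the request, not proof of an attack.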