JakubM

Reputation: 1004

What are the implications of Angularjs sandbox escaping?

I've read that AngularJs uses some kind of sandbox to prevent running arbitrary expressions inside {{ }} curly brackets. There are several examples on how to escape that sandbox, depending on Angular version. For example, in version 1.4.0 - 1.4.9, the following code snippet works if I paste it into the code.

{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}

What I don't understand is why it is such a big deal? The example above works only if the expression was already in HTML. Why would I want to escape the sandbox instead of just injecting <script> using regular XSS?

{{<script>alert(1)</script>}}

How does this sandbox escaping thing relate to $sanitize and $sce?

Upvotes: 4

Views: 1146

Answers (1)

Ben Bracha

Reputation: 1407

A good answer regarding the difference between $sce and $sanitize can be found here: When to use $sanitize and $sce? What's the difference between them? I recommend that you read the documentation as well.

You also have some good examples here: https://docs.angularjs.org/api/ngSanitize/service/$sanitize

Update: You can see this interesting blog post about sandbox escaping in AngularJS: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html At the end there are some examples of the exploit, also for AngularJS 1.5.x versions.

I also found this article, which may shed some more light on sandboxing and sanitization: https://www.cigital.com/blog/angularjs-sandbox/

Specifically, all those XSS attacks are more relevant when mixing server-side and client-side templates (server-side rendering). As mentioned in the article, "Server-side techniques for preventing XSS encode special characters like angle brackets, but will not encode curly braces which indicate an AngularJS expression", so probably that's why putting tags won't help, and finding a way to break Angular's sandbox was a "big deal".

Upvotes: 4
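The point the answer quotes, as an added example that is not part of the original post or of AngularJS itself: a conventional server-side HTML encoder removes the tags from the question's second snippet but leaves the {{ }} markers intact, and because the browser decodes entities before AngularJS compiles the DOM, entity-encoding the braces does not help either. The helper names (htmlEncode, decodeEntities, containsInterpolation, renderUntrusted) are assumptions; the mitigation shown is AngularJS's ng-non-bindable directive, which keeps the compiler out of that subtree.

```javascript
// Added example: why HTML encoding alone does not stop AngularJS
// client-side template injection, plus a detection check and a mitigation.

// Typical server-side XSS encoder: neutralises tags and attribute
// breakouts, but leaves curly braces untouched.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal entity decoder standing in for the browser's HTML parser.
// AngularJS compiles the DOM *after* parsing, so it sees decoded text:
// "&#123;&#123;" reaches the compiler as "{{".
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&(amp|lt|gt|quot);/g, (_, n) => named[n]);
}

// Detection: does the server output, as the DOM will see it, still
// contain an interpolation marker that AngularJS would evaluate?
function containsInterpolation(serverOutput) {
  return /\{\{[\s\S]*?\}\}/.test(decodeEntities(serverOutput));
}

// Mitigation: render untrusted text inside ng-non-bindable so AngularJS
// neither compiles nor interpolates it, in addition to HTML encoding.
function renderUntrusted(s) {
  return '<span ng-non-bindable>' + htmlEncode(s) + '</span>';
}

// Constructed sample input: the tag-based snippet from the question.
const SAMPLE = '{{<script>alert(1)</script>}}';

function demo() {
  const encoded = htmlEncode(SAMPLE);
  return {
    encoded,                                           // no <script> left ...
    stillInterpolated: containsInterpolation(encoded), // ... but {{ }} survives
    safe: renderUntrusted(SAMPLE),
  };
}
```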
