xss payload not executing in browser

Question

I am doing penetration testing for a .net MVC application. The application uses Javascript frameworks/libraries like Jquery and angular JS.

There is an input field on the web page where I'm able to insert <script>alert(1)</script>. The web application sends the input back through AJAX response (json response). I can find my input reflected as it is on the web page but the javascript payload that I have given to test XSS does not execute. I've tested it in google chrome and IE.

I've checked the AJAX response and there is no output encoding present.

Although the header X-XSS-Protection:1; mode=block is present, I don't see any error in Google chrome console regarding blocking of unsafe script (we usually get this error if chrome blocks execution of unsafe javascript).

I checked the following url to see if angual-js does output encoding/escaping by-default. https://docs.angularjs.org/guide/security but don't get it fully.

When I inspect the element ie my input( <script>alert(1)</script> ), I get the following thing:

<textarea rows="3" ng-model="abc" maxlength="500" placeholder="xyz" ng-readonly="abcd>1" input-restrictor="" class="ng-pristine ng-valid ng-valid-maxlength ng-not-empty ng-touched" aria-multiline="true" aria-invalid="false" readonly="readonly"></textarea>

Any insight why my JS payload is not executing in the browser?

Answer 1

Finally I got the answer. AngularJS does output encoding before rendering the content. our payload -

<script>alert('xss')</script>

becomes something like this as shown in image. Browser treats it as plain text instead of javascript and hence it does not execute.

You can see the output encoding only when you inspect the element and do right click and edit as HTML. I have also written a more detailed blog post here https://medium.com/@nav7neeet/angular-js-and-xss-458eea91f3a5