@PhilippeDeRyck
ARE YOU BOTCHING THE SECURITY OF YOUR ANGULARJS APPLICATIONS?
Philippe De Ryck
DevFest 2016, Brussels, Belgium
https://www.websec.be
WHAT IS THE BIGGEST THREAT TO AN ANGULARJS APPLICATION?
DEVELOPERS (THAT ARE NOT SECURITY-AWARE)
KNOWLEDGE IS KEY TO BUILDING SECURE APPLICATIONS
§ My goal is to help you build secure web applications
− In-house training programs at various companies
− Hosted web security training courses at DistriNet (KU Leuven)
− Talks at various developer conferences
− Slides, videos and blog posts on https://www.websec.be
§ I have a broad security expertise, with a focus on Web Security
− PhD in client-side web security
− Main author of the Primer on client-side web security
− Part of the organizing committee of the SecAppDev course
§ I’m also a chef, so demos will be food-related!
CROSS-SITE SCRIPTING (XSS)
§ In an XSS attack, malicious content is injected into your application’s pages
− In the “original” XSS attacks, an attacker injected JavaScript code
− Today, injected content can be JavaScript, CSS, HTML, SVG, …
§ The real problem is that injected content runs in your context
− Complete access to your client-side data and code
− Ability to use any permissions the user has granted to your application
− The full power of XHR to contact your backend, in the name of the user
§ XSS attacks are very powerful, and unfortunately very common
− XSS is ranked 3rd in the OWASP top 10 and 4th in the SANS top 25
https://www.youtube.com/watch?v=K0noqLisW_c
http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/
HOW DO YOU PROTECT AGAINST XSS?
§ The root cause behind XSS is confusion between data and code
− Untrusted data is mixed with trusted code, and sent to the browser
− The browser will never know which part is data and which is code

Server-side template:
<div><h3>
Your search for “$query” returned $count results
</h3></div>

Rendered with an injected query:
<div><h3>
Your search for
“<i>Crazy Cats<script>alert("Miauw!")</script></i>”
returned 5 results
</h3></div>

§ The server needs to render the data harmless
− By escaping “dangerous” parts in the data

<div><h3>
Your search for “encode($query)” returned $count results
</h3></div>

Rendered with the same query, now encoded:
<div><h3>
Your search for
“<i>Crazy Cats&lt;script&gt;alert("Miauw!")&lt;/script&gt;</i>”
returned 5 results
</h3></div>

§ The escaping process is context-sensitive
− HTML body: <h1>DATA</h1>
− HTML attributes: <div id='DATA'>
− Stylesheet context: body { background-color: DATA; }
− Script context: alert("DATA");
SO, WHAT’S THE DEAL WITH ANGULARJS?
§ AngularJS is often used as a library within traditional applications
− The server builds an HTML page, including AngularJS templates
− The server needs to render user-supplied data harmless to protect against XSS

<script src="…/angular.js"></script>
…
<div><h3>
Your search for
“<i>encode($query)</i>”
returned $count results
</h3></div>

§ But is that even possible in an AngularJS environment?
− No

<div class="ng-app">
{{constructor.constructor('alert(1)')}}
</div>

<div class="ng-app">
<b class="ng-style: {x:constructor.constructor('alert(1)')()};" />
</div>

§ AngularJS attempted to prevent this with the expression sandbox
− Prevents direct access to global JavaScript functionality
− Impossible to lock down completely, so only available in AngularJS 1.2 - 1.6
− Angular2 offers offline template compilation
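The two slides above make one point each: output encoding must match the context the data lands in, and no amount of server-side encoding helps once AngularJS treats the result as a template. The block below is an added example (not code from the slides or from AngularJS): hand-written encoders for the four contexts listed on the escaping slide, the search-result snippet rendered with the encoded query, and a check showing that the `{{constructor.constructor('alert(1)')}}` text from the slide comes back out of the browser's HTML parser unchanged, still containing an interpolation that AngularJS will evaluate. All function names are this example's own, and the encoders are illustrative; use a vetted encoding library in production.

```javascript
// Added example (not from the slides): context-sensitive output encoding and
// why it does not neutralize AngularJS template expressions. Node.js.

// HTML body context: <h1>DATA</h1>
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: <div id='DATA'>. Every non-alphanumeric character
// becomes a numeric entity, so the value can never close the attribute or tag.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Script context: alert("DATA"). \xHH / \u{...} escapes keep the data inside the
// string literal, and a literal "</script>" can no longer reach the HTML parser.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}` : `\\u{${cp.toString(16)}}`;
  });
}

// Stylesheet context: body { background-color: DATA; }. CSS hex escape with a
// terminating space so the following character is not absorbed into the escape.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `\\${c.codePointAt(0).toString(16)} `);
}

// The search-result snippet from the slides with $query encoded for the HTML
// body context it is inserted into. $count is the server's own counter.
function renderSearchResult(query, count) {
  return `<div><h3>Your search for “<i>${encodeForHtml(query)}</i>” returned ${Number(count)} results</h3></div>`;
}

// What the browser's HTML parser does to a text node: named and numeric
// entities become characters again before AngularJS ever sees the DOM.
function decodeHtmlText(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x' ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return String.fromCodePoint(cp);
    }
    return named[body.toLowerCase()] ?? m;
  });
}

// AngularJS interpolates {{ ... }} found in the text of the page it bootstraps.
// If this returns true for decoded page text that came from a user, the server
// has mixed user data into a template: exactly what rule #1 forbids.
function containsInterpolation(text) {
  return /\{\{[\s\S]*?\}\}/.test(text);
}

// Constructed sample inputs (the query from the slides, and the slide's expression).
const injectedQuery = 'Crazy Cats<script>alert("Miauw!")</script>';
const templateExpression = "{{constructor.constructor('alert(1)')}}";
console.log(renderSearchResult(injectedQuery, 5));
console.log('encoded expression still interpolates:',
  containsInterpolation(decodeHtmlText(encodeForHtml(templateExpression))));
```

The last line is the whole argument of the slide: `encodeForHtml` turns the quotes into `&#39;`, the browser turns them back, and the braces were never HTML-significant to begin with, so the only defence is to keep user data out of the server-rendered template altogether.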
RULE #1
DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA ON THE SERVER
Provide the data separately to the client-side AngularJS application
AND WHAT IF WE DO IT THE ANGULAR WAY?
§ Remember the confusion between data and code?
− Templates and JavaScript code are considered the application’s code
− Data fetched from APIs is considered data
§ AngularJS knows which parts are untrusted
− And automatically applies Strict Contextual Escaping (SCE)
− SCE applies to all data bindings with ng-bind or {{ }}
− SCE is on-by-default since version 1.2
§ But what if we actually want to allow some HTML in the user’s data?
http://stackoverflow.com/questions/9381926/angularjs-insert-html-into-view/25513186#25513186
ALL IS GREAT … UNTIL YOU GET A CALL ONE EVENING
What, no way! What happened? Did they steal our data?
No, it’s worse! Much worse!
They loaded the EmberJS library!
We’ve been hacked!
Then what?!
LET’S INVESTIGATE THE STACKOVERFLOW ADVICE …
https://docs.angularjs.org/api/ng/service/$sce
https://docs.angularjs.org/error/$sce/unsafe
LETTING ANGULARJS 1.X DO THE WORK FOR YOU
§ Simple data will be encoded for the right context with SCE
<input ng-model="var" />
<p>{{var}}</p>
var = "test<script>alert(1)</script>"

§ AngularJS will not allow you to directly use untrusted data
<input ng-model="var" />
<p ng-bind-html="var"></p>

§ Sanitizing untrusted data makes it safe to use
angular.module("…", ['ngSanitize'])
<p ng-bind-html="var"></p>

§ Static HTML snippets can be marked as safe if absolutely necessary
<p ng-bind-html="var"></p>
var = $sce.trustAsHtml("<b>test</b>")
AND IT’S EVEN BETTER IN ANGULARJS 2.X
§ All data is sanitized by default
<input ng-model="var" />
<p>{{var}}</p>

§ Static HTML snippets can be marked as safe if absolutely necessary
<p>{{var}}</p>
var = domSanitizer.bypassSecurityTrustHtml("<b>test</b>")
http://stackoverflow.com/a/25513186
RULE #2
DO NOT MARK UNTRUSTED DATA AS SAFE
Use the built-in sanitizer to remove dangerous features from the untrusted data
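To make the difference between "sanitize" and "mark as safe" concrete, here is an added example (not AngularJS's `$sanitize`, and not code from the slides): a minimal allowlist-based HTML sanitizer in plain JavaScript that does what `ngSanitize` does for `ng-bind-html`. Tags and attributes not on the allowlist are removed, `<script>`/`<style>` are removed together with their content, event-handler attributes never pass, and `href` only survives with a plain `http(s)://` URL. The allowlists, function names and sample inputs are this example's own; the `test<script>alert(1)</script>` and `<b>test</b>` values are the ones from the slides.

```javascript
// Added example (not AngularJS's own $sanitize): allowlist-based HTML sanitizer.
// Node.js, no dependencies.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };   // per-tag attribute allowlist
const DROP_WITH_CONTENT = new Set(['script', 'style']);    // element and its text both go
const VOID_TAGS = new Set(['br']);

// Text nodes: keep existing entities, encode the three characters that could
// start markup.
function encodeText(s) {
  return s.replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function encodeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Only plain http(s) URLs are kept; javascript:, data:, vbscript: and friends
// are dropped. Control characters and whitespace are stripped first so a scheme
// split by a tab or newline is still recognised and rejected.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '');
  return /^https?:\/\//i.test(cleaned) ? cleaned : null;
}

function sanitizeHtml(html) {
  const out = [];
  const tokenRe = /<\/?[a-zA-Z][^>]*>|<!--[\s\S]*?-->|[^<]+|</g;
  let skipUntil = null;   // name of a blocked element whose content is being dropped
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const tok = m[0];
    if (skipUntil) {
      const end = /^<\/([a-zA-Z][a-zA-Z0-9]*)/.exec(tok);
      if (end && end[1].toLowerCase() === skipUntil) skipUntil = null;
      continue;
    }
    if (tok[0] !== '<' || tok === '<') { out.push(encodeText(tok)); continue; }
    if (tok.startsWith('<!--')) continue;                     // comments are dropped
    const tag = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)\/?>$/.exec(tok);
    if (!tag) { out.push(encodeText(tok)); continue; }
    const [, closing, rawName, rawAttrs] = tag;
    const name = rawName.toLowerCase();
    if (!closing && DROP_WITH_CONTENT.has(name)) { skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;                    // unknown tag: drop tag, keep its text
    if (closing) { if (!VOID_TAGS.has(name)) out.push(`</${name}>`); continue; }
    const allowedAttrs = ALLOWED_ATTRS[name] || new Set();
    const attrs = [];
    const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attrName = a[1].toLowerCase();
      if (!allowedAttrs.has(attrName)) continue;              // on*, style, class, ... never pass
      let value = a[2] ?? a[3] ?? a[4] ?? '';
      if (attrName === 'href') { value = safeUrl(value); if (value === null) continue; }
      attrs.push(` ${attrName}="${encodeAttr(value)}"`);
    }
    out.push(`<${name}${attrs.join('')}${VOID_TAGS.has(name) ? ' /' : ''}>`);
  }
  return out.join('');
}

// Constructed sample inputs, including the two values from the slides.
console.log(sanitizeHtml('test<script>alert(1)</script>'));                 // test
console.log(sanitizeHtml('<b>test</b>'));                                    // <b>test</b>
console.log(sanitizeHtml('<a href="javascript:alert(1)" onclick="x()">x</a>')); // <a>x</a>
```

This is the behaviour the second bullet on the Angular 1.x slide relies on: `<b>test</b>` is still `<b>test</b>` after sanitizing, so there is no need to reach for `$sce.trustAsHtml` on user data. `trustAsHtml` and `bypassSecurityTrustHtml` skip this step entirely, which is why rule #2 reserves them for static snippets the application itself wrote.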
XSS VULNERABILITIES WILL POP UP EVENTUALLY
§ You can deploy a second line of defense with Content Security Policy
− Server-driven, browser-enforced security policy
− In case there is an XSS attack, the script will be severely constrained or even blocked
− CSP evolved into an extensive and powerful browser security policy
§ CSP locks down what can happen in a web page
− Refuses to execute inline script and style
− Only loads external resources if they are explicitly whitelisted
§ CSP has severe incompatibility problems with traditional web applications
− But is easy to deploy on an AngularJS application
A QUICK OVERVIEW OF CSP’S DIRECTIVES
§ CSP has directives for all kinds of resources
− default-src applies to any resource, if there’s no more specific directive
− img-src, script-src, style-src, …
§ A directive can have numerous valid values
− Keywords: 'none', 'self', *
− Expressions: https://websec.be, https:, https://websec.be/jquery.js, *.websec.be
§ If absolutely necessary, you can re-enable inline scripts, styles and eval
− By adding the 'unsafe-inline' or 'unsafe-eval' keywords to the directives
BROWSER SUPPORT FOR CSP LEVEL 1 IS AWESOME
http://caniuse.com/#search=csp
WRITING SANE CSP POLICIES
§ Deploy CSP using the Content-Security-Policy response header
− <meta> tags are a good alternative if headers are too difficult to use
§ Make your policy as secure as possible
− Avoid 'unsafe-inline' and 'unsafe-eval', especially for scripts
− Be specific about which files you want to include to avoid bypass attacks
− Define all important directives to avoid override attacks with <meta> tags
§ Use available tools and features to make your life easier
− Google’s CSP Evaluator: https://csp-evaluator.withgoogle.com/
− Report-uri.io for policy generation & report collection: https://report-uri.io/
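The two CSP slides above give the directives and the rules for writing a sane policy. As an added example (not from the slides, and not a replacement for Google's CSP Evaluator), the block below parses a `Content-Security-Policy` header value, serialises one, and runs the slide's own checks over it: no `'unsafe-inline'`/`'unsafe-eval'` for scripts, no bare `*` or scheme-only sources for scripts, and every important directive defined so a `<meta>` tag cannot supply a weaker one. Which directives count as "important" (`default-src`, `script-src`, `object-src`, `base-uri`) is this example's choice; the policy strings and the `/csp-report` path are constructed values.

```javascript
// Added example (not from the slides): CSP header parsing, building and a
// sanity check that follows the "writing sane CSP policies" advice. Node.js.

// Parse a header value into { directive: [sources] }. As in the CSP spec, a
// repeated directive is ignored and the first occurrence wins.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Serialize a policy object back into a header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`.trim())
    .join('; ');
}

// Directives this check insists on. Leaving script-src to default-src, or
// object-src/base-uri undefined, is what lets an injected <meta> tag or a
// plugin or <base> element weaken the policy.
const REQUIRED = ['default-src', 'script-src', 'object-src', 'base-uri'];
// Script sources that make the policy bypassable.
const WEAK_SCRIPT_SOURCES = ["'unsafe-inline'", "'unsafe-eval'", '*', 'https:', 'http:', 'data:'];

// Returns a list of findings; an empty list means the policy passed.
function checkCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  for (const name of REQUIRED) {
    if (!(name in d)) findings.push(`missing directive: ${name}`);
  }
  const scriptSources = d['script-src'] || d['default-src'] || [];
  for (const bad of WEAK_SCRIPT_SOURCES) {
    if (scriptSources.includes(bad)) findings.push(`script-src allows ${bad}`);
  }
  const styleSources = d['style-src'] || d['default-src'] || [];
  if (styleSources.includes("'unsafe-inline'")) findings.push("style-src allows 'unsafe-inline'");
  return findings;
}

// A policy as often found on a traditional application: everything inline,
// anything over https. Constructed value.
const WEAK_POLICY = "default-src 'self' https: 'unsafe-inline' 'unsafe-eval'";

// A locked-down policy for an AngularJS application whose scripts are all
// external files on its own origin. Constructed value; adjust the sources
// to the hosts the application really loads from.
const STRICT_POLICY = buildCsp({
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'"],
  'connect-src': ["'self'"],      // XHR calls to the application's own API
  'font-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'report-uri': ['/csp-report'],  // placeholder reporting endpoint
});

console.log('weak policy findings:', checkCsp(WEAK_POLICY));
console.log('strict policy findings:', checkCsp(STRICT_POLICY));
```

In a Node.js HTTP handler the strict policy is sent with `res.setHeader('Content-Security-Policy', STRICT_POLICY)`; during rollout, the same value on `Content-Security-Policy-Report-Only` lets the reports from `report-uri` show what would break before anything is blocked.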
RULE #3
DO NOT IGNORE THE TREMENDOUS POWER OF CSP
Make sure your apps are compatible, and lock down your CSP policy
THE FOCUS HERE TODAY WAS PURELY ON ANGULARJS
§ But there’s a lot more to building a secure application
− The web has evolved a lot in the last few years
− Plenty of new threats, but also plenty of new security technologies
§ Essential security principles to apply to your AngularJS applications
− Deploy your applications over HTTPS
− Use strong authentication mechanisms
− Perform access control in the right places, with the right data
− Protect against common threats against session management
ADDITIONAL INFORMATION
§ I’m running a 2-day web security course on December 6 and 7
− Information and registration on https://essentials.websec.be
§ https://www.websec.be contains a lot of information about web security
− The slides for this talk will be available there
− Slide decks, videos and blog posts about various security topics
− Subscribe to the mailing list to stay up to date
§ Feel free to contact me with feedback, questions, or speaking invitations
philippe.deryck@cs.kuleuven.be /in/philippederyck
THE RULES OF ANGULARJS SECURITY
#3 DO NOT IGNORE THE TREMENDOUS POWER OF CSP
#2 DO NOT MARK UNTRUSTED DATA AS SAFE
#1 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA
#0 YOU TELL ALL YOUR FRIENDS ABOUT THESE RULES!
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Ā 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
Ā 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Ā 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Ā 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Ā 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Ā 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Ā 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Ā 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
Ā 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
Ā 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
Ā 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Ā 
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Ā 

Are you botching the security of your AngularJS applications? (DevFest 2016)

  • 6. @PhilippeDeRyck CROSS-SITE SCRIPTING (XSS) § In an XSS attack, malicious content is injected into your application’s pages − In the “original” XSS attacks, an attacker injected JavaScript code − Today, injected content can be JavaScript, CSS, HTML, SVG, … § The real problem is that injected content runs in your context − Complete access to your client-side data and code − Ability to use any permissions the user has granted to your application − The full power of XHR to contact your backend, in the name of the user § XSS attacks are very powerful, and unfortunately very common − XSS is ranked 3rd in the OWASP top 10 and 4th in the SANS top 25
  • 8. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code <div><h3> Your search for "<i>Crazy Cats<script>alert("Miauw!")</script></i>" returned 5 results </h3></div> <div><h3> Your search for "$query" returned $count results </h3></div>
  • 9. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data <div><h3> Your search for "encode($query)" returned $count results </h3></div>
  • 10. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data <div><h3> Your search for "<i>Crazy Cats&lt;script&gt;alert("Miauw!")&lt;/script&gt;</i>" returned 5 results </h3></div>
  • 11. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data § The escaping process is context-sensitive − HTML body <h1>DATA</h1> − HTML attributes <div id='DATA'> − Stylesheet context body { background-color: DATA;} − Script context alert("DATA");
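The context-sensitive escaping on this slide, as an added example that is not part of the talk: one encoder per context, the four snippets from the slide filled in, and the search-result template rendered with the encoded query. Function names are assumptions; the sample query is constructed.

```javascript
'use strict';

// HTML body and quoted-attribute context: replace the five HTML metacharacters
// with entities. Encoding the single quote too keeps <div id='DATA'> safe.
function encodeForHtml(data) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(data).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string context: \xHH / \uHHHH-escape everything outside [A-Za-z0-9],
// so the data can close neither the string literal nor the enclosing <script>.
function encodeForJsString(data) {
  return String(data).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// CSS value context: CSS hex escape (\HH followed by a space) for everything
// outside [A-Za-z0-9], so the data cannot end the declaration or the style block.
function encodeForCss(data) {
  return String(data).replace(/[^A-Za-z0-9]/g, (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// The four snippets listed on the slide, each with DATA encoded for its own context.
function renderContexts(data) {
  return {
    body: `<h1>${encodeForHtml(data)}</h1>`,
    attribute: `<div id='${encodeForHtml(data)}'>`,
    style: `body { background-color: ${encodeForCss(data)};}`,
    script: `alert("${encodeForJsString(data)}");`,
  };
}

// The slide's search-result template: $query is untrusted and goes through the
// HTML-body encoder; $count is server-controlled and coerced to a number.
function renderSearchResult(query, count) {
  return `<div><h3> Your search for "<i>${encodeForHtml(query)}</i>" returned ${Number(count)} results </h3></div>`;
}

// Constructed sample input: the slide's "Crazy Cats" query with an injected script.
const SAMPLE_QUERY = 'Crazy Cats<script>alert("Miauw!")</script>';
console.log(renderSearchResult(SAMPLE_QUERY, 5));
console.log(renderContexts(SAMPLE_QUERY));
```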
  • 12. @PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS <script src="…/angular.js"></script> … <div><h3> Your search for "<i>encode($query)</i>" returned $count results </h3></div>
  • 13. @PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS § But is that even possible in an AngularJS environment? <div class="ng-app"> {{constructor.constructor('alert(1)')}} </div> <div class="ng-app"> <b class="ng-style: {x:constructor.constructor('alert(1)')()};" /> </div>
  • 14. @PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS § But is that even possible in an AngularJS environment? − No § AngularJS attempted to prevent this with the expression sandbox − Prevents direct access to global JavaScript functionality − Impossible to lock down completely, so only available in AngularJS 1.2 - 1.6 − Angular2 offers offline template compilation
  • 15. @PhilippeDeRyck RULE #1 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA ON THE SERVER Provide the data separately to the client-side AngularJS application
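Rule #1 in code, as an added example that is not part of the talk: the pattern the previous slides warn against (user data spliced into markup that AngularJS will compile) next to the server keeping the template static and delivering the data as JSON, where {{ }} renders it as text. The ng-app/controller names and the /api/search endpoint are assumptions; the sample query is the expression shown on slide 13.

```javascript
'use strict';

// What the slides warn against: the server splices user data into markup that
// AngularJS will compile. The expression contains no HTML metacharacters, and
// even entity-encoded data is decoded by the browser before AngularJS reads the
// text node, so server-side HTML encoding cannot neutralise it.
function renderTemplateWithDataMixedIn(query, count) {
  return `<div class="ng-app"><h3> Your search for "${query}" returned ${count} results </h3></div>`;
}

// Rule #1: the template the server emits is static and only names model
// properties; the data never appears in it. (App and controller names are assumed.)
function renderStaticTemplate() {
  return '<div ng-app="searchApp" ng-controller="SearchCtrl">' +
         '<h3> Your search for "<i>{{query}}</i>" returned {{count}} results </h3></div>';
}

// The data travels separately, e.g. as the JSON body of GET /api/search (assumed
// endpoint). JSON.stringify escapes quotes and control characters; the extra
// replacements keep the blob inert even if it is ever inlined in a <script> block.
function searchApiResponse(query, count) {
  const body = JSON.stringify({ query: String(query), count: Number(count) })
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return { status: 200, headers: { 'Content-Type': 'application/json' }, body };
}

// Constructed sample input: the sandbox-escape expression shown on slide 13.
const SAMPLE_QUERY = "{{constructor.constructor('alert(1)')()}}";

console.log(renderTemplateWithDataMixedIn(SAMPLE_QUERY, 0)); // expression lands inside ng-app
console.log(renderStaticTemplate());                          // contains no user data at all
console.log(searchApiResponse(SAMPLE_QUERY, 0).body);         // data is only a JSON string literal
```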
  • 16. @PhilippeDeRyck AND WHAT IF WE DO IT THE ANGULAR WAY? § Remember the confusion between data and code? − Templates and JavaScript code are considered the application’s code − Data fetched from APIs is considered data § AngularJS knows which parts are untrusted − And automatically applies Strict Contextual Escaping (SCE) − SCE applies to all data bindings with ng-bind or {{ }} − SCE is on-by-default since version 1.2 § But what if we actually want to allow some HTML in the user’s data?
  • 19. @PhilippeDeRyck ALL IS GREAT … UNTIL YOU GET A CALL ONE EVENING What, no way! What happened? Did they steal our data? No, it’s worse! Much worse! They loaded the EmberJS library! We’ve been hacked! Then what?!
  • 20. @PhilippeDeRyck LET’S INVESTIGATE THE STACKOVERFLOW ADVICE … https://docs.angularjs.org/api/ng/service/$sce https://docs.angularjs.org/error/$sce/unsafe
  • 21. @PhilippeDeRyck LETTING ANGULARJS 1.X DO THE WORK FOR YOU § Simple data will be encoded for the right context with SCE: var = "test<script>alert(1)</script>" <input ng-model="var" /> <p>{{var}}</p> § AngularJS will not allow you to directly use untrusted data: <input ng-model="var" /> <p ng-bind-html="var"></p> § Sanitizing untrusted data makes it safe to use: angular.module("…", ['ngSanitize']) <p ng-bind-html="var"></p> § Static HTML snippets can be marked as safe if absolutely necessary: var = $sce.trustAsHtml("<b>test</b>") <p ng-bind-html="var"></p>
  • 22. @PhilippeDeRyck AND IT’S EVEN BETTER IN ANGULARJS 2.X § All data is sanitized by default: <input ng-model="var" /> <p>{{var}}</p> § Static HTML snippets can be marked as safe if absolutely necessary: var = domSanitizer.bypassSecurityTrustHtml("<b>test</b>") <p>{{var}}</p>
  • 24. @PhilippeDeRyck RULE #2 DO NOT MARK UNTRUSTED DATA AS SAFE Use the built-in sanitizer to remove dangerous features from the untrusted data
  • 25. @PhilippeDeRyck XSS VULNERABILITIES WILL POP UP EVENTUALLY § You can deploy a second line of defense with Content Security Policy − Server-driven browser-enforced security policy − In case there is an XSS attack, the script will be severely constrained or even blocked − CSP evolved to an extensive and powerful browser security policy § CSP locks down what can happen in a web page − Refuses to execute inline script and style − Only loads external resources if they are explicitly whitelisted § CSP has severe incompatibility problems with traditional web applications − But is easy to deploy on an AngularJS application
  • 26. @PhilippeDeRyck A QUICK OVERVIEW OF CSP’S DIRECTIVES § CSP has directives for all kinds of resources − default-src applies to any resource, if there’s no more specific directive − img-src, script-src, style-src, … § A directive can have numerous valid values − Keywords: 'none', 'self', * − Expressions: https://websec.be, https:, https://websec.be/jquery.js, *.websec.be § If absolutely necessary, you can re-enable inline scripts, styles and eval − By adding the 'unsafe-inline' or 'unsafe-eval' keywords to the directives
  • 27. @PhilippeDeRyck BROWSER SUPPORT FOR CSP LEVEL 1 IS AWESOME http://caniuse.com/#search=csp
  • 28. @PhilippeDeRyck WRITING SANE CSP POLICIES § Deploy CSP using the Content-Security-Policy response header − <meta> tags are a good alternative if headers are too difficult to use § Make your policy as secure as possible − Avoid 'unsafe-inline' and 'unsafe-eval', especially for scripts − Be specific about which files you want to include to avoid bypass attacks − Define all important directives to avoid override attacks with <meta> tags § Use available tools and features to make your life easier − Google’s CSP Evaluator − Report-uri.io for policy generation & report collection https://csp-evaluator.withgoogle.com/ https://report-uri.io/
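A small checker for the advice on this slide, added here and not part of the talk: it parses a Content-Security-Policy header value and reports the weaknesses the slide names (directives left undefined, 'unsafe-inline'/'unsafe-eval', wildcard or scheme-only sources, script sources that do not name a specific file). Function names and the two sample policies are constructed.

```javascript
'use strict';

// Parse a header value such as "default-src 'self'; script-src 'self' https://a.example/x.js"
// into a Map of directive name -> array of source expressions. Browsers ignore a
// repeated directive, so only the first occurrence is kept here as well.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// script-src and style-src fall back to default-src when they are not defined.
function effectiveSources(policy, directive) {
  return policy.get(directive) || policy.get('default-src') || [];
}

// "Be specific about which files you want to include": a source counts as specific
// only when it names scheme, host and a path to one file, e.g. https://websec.be/jquery.js.
function isFileSpecific(src) {
  return /^https?:\/\/[^/*\s]+\/[^*\s]+[^/]$/.test(src);
}

// Directives named on the slides; each should be defined explicitly.
const IMPORTANT_DIRECTIVES = ['default-src', 'script-src', 'style-src', 'img-src'];

// Returns a list of findings; an empty list means the policy follows the slide's advice.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const d of IMPORTANT_DIRECTIVES) {
    if (!policy.has(d)) findings.push(`${d} is not defined`);
  }
  for (const d of ['script-src', 'style-src']) {
    for (const src of effectiveSources(policy, d)) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'" || s === "'unsafe-eval'") {
        findings.push(`${d} allows ${s}`);
      } else if (s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s)) {
        findings.push(`${d} allows every ${s === '*' ? '' : s + ' '}origin`);
      } else if (d === 'script-src' && !s.startsWith("'") && !isFileSpecific(s)) {
        findings.push(`script-src source ${src} is not file-specific`);
      }
    }
  }
  return findings;
}

// Constructed sample policies: a loose one and a locked-down one for an AngularJS app.
const LOOSE_CSP = "default-src *; script-src 'self' 'unsafe-eval' https://cdn.example";
const STRICT_CSP = "default-src 'none'; script-src 'self' https://cdn.example/angular.js; " +
                   "style-src 'self'; img-src 'self'";
console.log(lintCsp(LOOSE_CSP));
console.log(lintCsp(STRICT_CSP)); // []
```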
  • 29. @PhilippeDeRyck RULE #3 DO NOT IGNORE THE TREMENDOUS POWER OF CSP Make sure your apps are compatible, and lock down your CSP policy
  • 30. @PhilippeDeRyck THE FOCUS HERE TODAY WAS PURELY ON ANGULARJS § But there’s a lot more to building a secure application − The web has evolved a lot in the last few years − Plenty of new threats, but also plenty of new security technologies § Essential security principles to apply to your AngularJS applications − Deploy your applications over HTTPS − Use strong authentication mechanisms − Perform access control in the right places, with the right data − Protect against common threats against session management
  • 31. @PhilippeDeRyck ADDITIONAL INFORMATION § I’m running a 2-day web security course on December 6 and 7 − Information and registration on https://essentials.websec.be § https://www.websec.be contains a lot of information about web security − The slides for this talk will be available there − Slide decks, videos and blog posts about various security topics − Subscribe to the mailing list to stay up to date § Feel free to contact me with feedback, questions, or speaking invitations philippe.deryck@cs.kuleuven.be /in/philippederyck
  • 32. @PhilippeDeRyck THE RULES OF ANGULARJS SECURITY #3 DO NOT IGNORE THE TREMENDOUS POWER OF CSP #2 DO NOT MARK UNTRUSTED DATA AS SAFE #1 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA #0 YOU TELL ALL YOUR FRIENDS ABOUT THESE RULES!