SlideShare a Scribd company logo

How Secure Is AngularJS?

K
Ksenia Peguero

Ksenia Peguero gave a presentation on AngularJS security. She discussed how AngularJS addresses some common vulnerabilities like XSS and CSRF. However, she noted some issues remain, such as DOM-XSS vulnerabilities in Angular elements and third-party plugins. She demonstrated template injection and sandbox bypass issues. Her conclusion was that AngularJS provides good security when used properly, but one should not rely on the sandbox and should avoid mixing server-side and client-side templates. She advised checking plugins for issues and using the latest versions.

Technology
1 of 26
Ksenia Peguero How Secure is AngularJS?
© 2016 Synopsys, Inc. 2 Who Am I? • Ksenia Peguero, previously Ksenia Dmitrieva • Principal Consultant at Synopsys, previously Cigital • 7 years of application security experience • Frequent conference speaker: RSA, AppSec EU, B-sides, Nullcon, No Fluff Just Stuff • Twitter @KseniaDmitrieva • Ballroom dancer Research Interests: • JavaScript frameworks • HTML5 • Static analysis
© 2016 Synopsys, Inc. 3 Agenda • AngularJS Intro • AngularJS and OWASP Top 10 • AngularJS Built-in Security Controls • AngularJS Security Issues • DOM-XSS • Template Injection • Sandbox Bypass • Demos
© 2016 Synopsys, Inc. 4 AngularJS Pop Quiz What is AngularJS? What is the current version of AngularJS? What software design pattern is used for implementing user interface? Who invented and who maintains AngularJS? What are the benefits of AngularJS? If AngularJS is on the front- end, what is used on the back end? What is a popular type of applications that AngularJS enables?
© 2016 Synopsys, Inc. 5 AngularJS Pop Quiz - Answers • AngularJS is an open source front-end JavaScript framework • What is the current version of AngularJS: – Angular 1.6.2 – Angular 2.4 – Angular 4 to be released on March 1, 2017 • Angular – MVC - Model View Controller – MVVM - Model View ViewModel – MVW - Model View Whatever • Originally developed by Miško Hevery, then open sourced, and now maintained by Google • What are the benefits of AngularJS? – Separation of HTML, CSS, and JavaScript logic – Convenience in DOM manipulations – Performance • If AngularJS is on the front-end, what technologies are used on the back end? – Whatever: NodeJS, Java, C#, you name it • A lot of Angular applications are built as single-page applications (SPA)
© 2016 Synopsys, Inc. 6 Angular and OWASP Top 10 • Angular is a client-side framework! It cannot have all Top 10 issues! OWASP Top 10 Angular Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using components with Known Vulnerabilities Unvalidated Redirects and Forwards ? ? ?
© 2016 Synopsys, Inc. 7 Angular and OWASP Top 10 • OWASP Top 10 issues that Angular code may have: OWASP Top 10 Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
© 2016 Synopsys, Inc. 8 AngularJS Built-in Security Controls
© 2016 Synopsys, Inc. 9 XSS Protection: Output Encoding and SCE • Automatic context-aware output encoding – Encoding is context aware (HTML element, attribute, URL) – All unsafe symbols are encoded, nothing is removed – Used with ng-bind <p ng-bind=“htmlCtrl.html"></p> • SCE (Strict Contextual Escaping) – uses ngSanitize module – Sanitization for a particular context: HTML, URL, CSS – Used with ng-bind-html – Enabled by default in versions 1.2 and later, but can be disabled – $sceProvider.enabled(false) – $sce.trustAs(type, value) or $sce.trustAsHtml(value)
© 2016 Synopsys, Inc. 10 XSS Protection: Content Security Policy • CSP disallows the use of eval() and inline scripts • Angular separates HTML, CSS, and JavaScript > no inline scripts! • Angular code is compatible with CSP by out of the box • Caveats: – Angular uses eval() internally to parse expressions – Angular may use inline styles, not inline scripts (for ngCloack, ngHide) • Angular without inline eval() runs 30% slower
© 2016 Synopsys, Inc. 11 XSS Protection: Enforcing Content Security Policy Note: inline styles may be abused by attackers • See Mario Heiderich’s paper on scriptless attacks https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks- ccs2012.pdf Instead of allowing ‘unsafe-inline’ for styles, developers can include angular-csp.css in the HTML for ngCloak and ngHide directives to work. Angular Setting Code Angular Behavior Nothing <body ng-app> Use inline styles, check for unsafe eval in the CSP header Default CSP <body ng-app ng-csp> No inline styles, no eval No-unsafe-eval <body ng-app ng-csp="no-unsafe-eval"> Eval cannot be used, but it’s ok to use inline styles CSP must have: style-src ‘unsafe-inline’ No-inline-style <body ng-app ng-csp="no-inline-style"> Angular can use eval, but cannot use inline styles CSP must have: script-src ‘unsafe-eval’
© 2016 Synopsys, Inc. 12 XSS Protection: Sandbox? Not Really • All versions of Angular up to 1.6 executed Angular Expressions in a sandbox • Angular Expressions are evaluated against the scope object https://www.youtube.com/watch?v=Hium4FVAR5A&index=4&list=PLhixgUqwRTjwJTIkNopKuGLk3P m9Ri1sF • Every version had a sandbox escape “vulnerability” • Sandbox was never considered to protect code for security reasons • What does it mean “to escape a sandbox”? – Directly manipulate the DOM – Execute plain old vanilla JavaScript • Example payload: {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} • As of Angular 1.6 sandbox has been completely removed https://blogs.synopsys.com/software-integrity/2016/12/28/angularjs-1-6-0-sandbox/
© 2016 Synopsys, Inc. 13 CSRF Protection: Help from the Client • CSRF token must be generated and validated on the server side • Angular automatically reads a cookie sent from the server and saves the value to an HTTP header • What a developer needs to do: – Securely generate CSRF token on the server side – Add a cookie XSRF-TOKEN with the token value – Angular will add a custom header X-XSRF-TOKEN with the token value – Verify on the server if the X-XSRF-TOKEN value matches the cookie XSRF-TOKEN value – If the token and the cookie values do not match, reject the request • Note: if XSS is present on a page any CSRF protection is bypassable! https://blogs.synopsys.com/software-integrity/2017/01/25/angularjs-security-series-introduction/
© 2016 Synopsys, Inc. 14 AngularJS Security Issues
© 2016 Synopsys, Inc. 15 DOM-XSS • DOM-XSS happens when a malicious payload can manipulate the DOM to cause JavaScript code to execute • Angular does a pretty good job of protecting from DOM-XSS, except: – Explicitly using $sce.trustAsHtml() with untrusted input – Angular.element module (subset of jQuery) – Third-party Angular modules have vulnerabilities  angular-translate  textAngular  typeahead
© 2016 Synopsys, Inc. 16 XSS in angular.element Reading data from user <form> <label>After:</label><input type="text" ng-model="afterinput" /> <button type="submit" nb-click="aftersubmit()">Submit</button> </form> <div ng-controller="View1Ctrl"> <div id="testDiv">{{name}}</div> </div> controller('View1Ctrl', ['$scope', '$document', function($scope, $document) { $scope.name = "ChangeMe"; var element = angular.element($document[0].querySelector('#testDiv')); $scope.aftersubmit=function() { if($scope.afterinput) element.after($scope.afterinput); } Inserting data in Angular code
© 2016 Synopsys, Inc. 17 XSS in angular.element Payload: <p onmouseover=alert('after');>After</p> Why is there an injection? SCE is not automatically applied to angular.element
© 2016 Synopsys, Inc. 18 XSS in angular-translate • Plugin angular-translate is used for pages internationalization angular.module('app').config(function($translateProvider) { $translateProvider.translations('en', {GREETING: 'Hello <b>{{name}}</b>'}); $translateProvider.translations('de', {GREETING: 'Hallo <b>{{name}}</b>'}); $translateProvider.preferredLanguage('en'); }); angular.module('app').controller('Ctrl', function($scope, $translate, $routeParams, $route, $translateSanitization){ $translateSanitization.useStrategy(); $scope.translateValues = {name: $routeParams.name}; var lang = $routeParams.lang; if (lang !== undefined) { $translate.use(lang); } ... } <div translate="GREETING" translate-values="{translateValues.name}"></div> • Setting translation strategy to ‘null’ or leaving it out (default) leads to XSS
© 2016 Synopsys, Inc. 19 XSS in TextAngular • The textAngular module is a WYSIWYG editor with collaborative editing functionality • The editor processes the input and displays it (including HTML tags) • textAngular uses textAngular-sanitizer module – Only verifies that an href starts with “http” • Sample payload: http://A/A<img src=x onerror=alert('XSS_Success')> <p> Enter your comment <a target="" href="http://A/A<img src=x onerror=alert('XSS_Success')>">here!</a > </p>
© 2016 Synopsys, Inc. 20 XSS in TypeAhead • TypeAhead module shows hints as the user starts typing in a text field • The list of hints is not sanitized if at least one condition is met: – ui.bootstrap version prior to 0.13.4 is used – ngSanitize is not included <form ng-submit="submit()"> <input type="text" ng-submit="submit()" ng-model="search_val" typeahead="search_val for search_val in searches" class="form-control"> <input type="submit" value="Search"/> </form> module.controller( 'TypeaheadCtrl', function($scope,$http) { $scope.selected = undefined; $scope.searches = [ decodeURIComponent(window.location.search.split("?")[1]) ]; } <script src="http://angular-ui.github.io/bootstrap/ui-bootstrap-tpls-0.13.3.js"></script> var module = angular.module('app', ['ui.bootstrap']
© 2016 Synopsys, Inc. 21 Demo DOM-XSS in typeahead module
© 2016 Synopsys, Inc. 22 Server-side templates Client-side templates JavaScript: Jade, ejs, Pug AngularJS ReactJS Java: JSP PHP: Smarty Template Injection • Mixing server-side and client-side templates can cause XSS without the need to inject HTML tags • User input added to server-side template and then sent to client-side template: – Server-side template engine only escapes malicious HTML characters (e.g., <, >, “, ‘) – Attacker can place AngularJS expression language within {{ }} – Will not be escaped by server-side code – Will be executed by the client-side AngularJS template – Will run within a sandbox with limited execution of JavaScript (prior to version 1.6) – Sandbox bypass is always possible! • Avoid using both client-side and server-side templates! – Keep app logic on server side and presentation on client side
© 2016 Synopsys, Inc. 23 Template Injection Template User Input Template Engine Server-side Client-side res.render() Template Engine AngularJS template View compile Malicious AngularJS code is injected through input Template engine only escapes HTML special characters Template engine renders AngularJS expressions including malicious code Malicious code executes within the view 1 2 3 4
© 2016 Synopsys, Inc. 24 Demo Template Injection and Sandbox Bypass
© 2016 Synopsys, Inc. 26 Conclusion • Use Angular, as it is a very secure framework: – Contextually-aware encoding – Strict contextual encoding – Separation of HTML and JavaScript – CSP compatible • Do not rely on Angular sandbox • Do not mix server-side and client-side templates • Check plugins for security issues and use the latest version • … • Profit
© 2016 Synopsys, Inc. 27 Thank you! Questions? Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software

Recommended

How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript Insecurity
Ksenia Peguero
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJS
Lewis Ardern
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
Kevin Hakanson
 
Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011
Matt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSPLukas Weichselbaum
 

Recommended

How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript Insecurity
Ksenia Peguero
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJS
Lewis Ardern
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
Kevin Hakanson
 
Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011
Matt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSPLukas Weichselbaum
 
Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011
Matt Raible
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
Roberto Suggi Liverani
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
dzhengo44
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
 
Santosh_Resume_Java
Santosh_Resume_JavaSantosh_Resume_Java
Santosh_Resume_JavaSANTOSH PATTNAIK
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
Rudy De Busscher
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the Horizon
Josh Juneau
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-Side
Reza Rahman
 
Frameworks in java
Frameworks in javaFrameworks in java
Frameworks in java
Darshan Patel
 
Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Alexandre Morgaut
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
Abhay Bhargav
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
Mohammed Fazuluddin
 
What's New in Spring 3.1
What's New in Spring 3.1What's New in Spring 3.1
What's New in Spring 3.1
Matt Raible
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
5 best Java Frameworks
5 best Java Frameworks5 best Java Frameworks
5 best Java Frameworks
Aegis Softtech
 
Introducing ASP.NET Core 2.0
Introducing ASP.NET Core 2.0Introducing ASP.NET Core 2.0
Introducing ASP.NET Core 2.0
Steven Smith
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
Tubagus Rizky Dharmawan
 
Getting started with angular js
Getting started with angular jsGetting started with angular js
Getting started with angular js
Maurice De Beijer [MVP]
 
So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!
Lewis Ardern
 
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
AngularJS + CSP: A Perfect Match or Unhappy Marriage?AngularJS + CSP: A Perfect Match or Unhappy Marriage?
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
David Johansson
 

More Related Content

What's hot

Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011
Matt Raible
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
Roberto Suggi Liverani
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
dzhengo44
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
Rudy De Busscher
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the Horizon
Josh Juneau
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-Side
Reza Rahman
 
Frameworks in java
Frameworks in javaFrameworks in java
Frameworks in java
Darshan Patel
 
Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Alexandre Morgaut
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
Abhay Bhargav
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
Mohammed Fazuluddin
 
What's New in Spring 3.1
What's New in Spring 3.1What's New in Spring 3.1
What's New in Spring 3.1
Matt Raible
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
5 best Java Frameworks
5 best Java Frameworks5 best Java Frameworks
5 best Java Frameworks
Aegis Softtech
 
Introducing ASP.NET Core 2.0
Introducing ASP.NET Core 2.0Introducing ASP.NET Core 2.0
Introducing ASP.NET Core 2.0
Steven Smith
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
Tubagus Rizky Dharmawan
 
Getting started with angular js
Getting started with angular jsGetting started with angular js
Getting started with angular js
Maurice De Beijer [MVP]
 

What's hot (20)

Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java Vulnerabilities
 
Santosh_Resume_Java
Santosh_Resume_JavaSantosh_Resume_Java
Santosh_Resume_Java
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the Horizon
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-Side
 
Frameworks in java
Frameworks in javaFrameworks in java
Frameworks in java
 
Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29Wakanda - apps.berlin.js - 2012-11-29
Wakanda - apps.berlin.js - 2012-11-29
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
What's New in Spring 3.1
What's New in Spring 3.1What's New in Spring 3.1
What's New in Spring 3.1
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
5 best Java Frameworks
5 best Java Frameworks5 best Java Frameworks
5 best Java Frameworks
 
Introducing ASP.NET Core 2.0
Introducing ASP.NET Core 2.0Introducing ASP.NET Core 2.0
Introducing ASP.NET Core 2.0
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
Getting started with angular js
Getting started with angular jsGetting started with angular js
Getting started with angular js
 

Similar to How Secure Is AngularJS?

So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!
Lewis Ardern
 
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
AngularJS + CSP: A Perfect Match or Unhappy Marriage?AngularJS + CSP: A Perfect Match or Unhappy Marriage?
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
David Johansson
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!
Lewis Ardern
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
Carlo Bonamico
 
Anjular js
Anjular jsAnjular js
Anjular js
Naga Dinesh
 
Cross Platform Mobile Apps with the Ionic Framework
Cross Platform Mobile Apps with the Ionic FrameworkCross Platform Mobile Apps with the Ionic Framework
Cross Platform Mobile Apps with the Ionic Framework
Troy Miles
 
Angular 6 Training with project in hyderabad india
Angular 6 Training with project in hyderabad indiaAngular 6 Training with project in hyderabad india
Angular 6 Training with project in hyderabad india
php2ranjan
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
Dinis Cruz
 
Building ext js apps with ES2015 using sencha visual studio code plugin
Building ext js apps with ES2015 using sencha visual studio code pluginBuilding ext js apps with ES2015 using sencha visual studio code plugin
Building ext js apps with ES2015 using sencha visual studio code plugin
Sandeep Adwankar
 
Best framework for web development
Best framework for web developmentBest framework for web development
Best framework for web development
QSS Technosoft
 
Angular Js
Angular JsAngular Js
Angular Js
Knoldus Inc.
 
ASP .Net Core SPA Templates
ASP .Net Core SPA TemplatesASP .Net Core SPA Templates
ASP .Net Core SPA Templates
Eamonn Boyle
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
Pawel Krawczyk
 
Introduction+to+AngularJS+with+logo+from+digital+ocean.pdf
Introduction+to+AngularJS+with+logo+from+digital+ocean.pdfIntroduction+to+AngularJS+with+logo+from+digital+ocean.pdf
Introduction+to+AngularJS+with+logo+from+digital+ocean.pdf
ahmadfaisal744721
 
Angular - Chapter 1 - Introduction
Angular - Chapter 1 - Introduction Angular - Chapter 1 - Introduction
Angular - Chapter 1 - Introduction
WebStackAcademy
 
Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5Ganesh Kondal
 
Gapand 2017 - Diseñando Arquitecturas Serverless en Azure
Gapand 2017 - Diseñando Arquitecturas Serverless en AzureGapand 2017 - Diseñando Arquitecturas Serverless en Azure
Gapand 2017 - Diseñando Arquitecturas Serverless en Azure
Alberto Diaz Martin
 
Angularjs interview questions and answers
Angularjs interview questions and answersAngularjs interview questions and answers
Angularjs interview questions and answers
Anil Singh
 

Similar to How Secure Is AngularJS? (20)

So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!So you thought you were safe using AngularJS.. Think again!
So you thought you were safe using AngularJS.. Think again!
 
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
AngularJS + CSP: A Perfect Match or Unhappy Marriage?AngularJS + CSP: A Perfect Match or Unhappy Marriage?
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Web Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 eraWeb Application Security Reloaded for the HTML5 era
Web Application Security Reloaded for the HTML5 era
 
Anjular js
Anjular jsAnjular js
Anjular js
 
Cross Platform Mobile Apps with the Ionic Framework
Cross Platform Mobile Apps with the Ionic FrameworkCross Platform Mobile Apps with the Ionic Framework
Cross Platform Mobile Apps with the Ionic Framework
 
Angular 6 Training with project in hyderabad india
Angular 6 Training with project in hyderabad indiaAngular 6 Training with project in hyderabad india
Angular 6 Training with project in hyderabad india
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
Building ext js apps with ES2015 using sencha visual studio code plugin
Building ext js apps with ES2015 using sencha visual studio code pluginBuilding ext js apps with ES2015 using sencha visual studio code plugin
Building ext js apps with ES2015 using sencha visual studio code plugin
 
Best framework for web development
Best framework for web developmentBest framework for web development
Best framework for web development
 
Angular Js
Angular JsAngular Js
Angular Js
 
ASP .Net Core SPA Templates
ASP .Net Core SPA TemplatesASP .Net Core SPA Templates
ASP .Net Core SPA Templates
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
Introduction+to+AngularJS+with+logo+from+digital+ocean.pdf
Introduction+to+AngularJS+with+logo+from+digital+ocean.pdfIntroduction+to+AngularJS+with+logo+from+digital+ocean.pdf
Introduction+to+AngularJS+with+logo+from+digital+ocean.pdf
 
Angular - Chapter 1 - Introduction
Angular - Chapter 1 - Introduction Angular - Chapter 1 - Introduction
Angular - Chapter 1 - Introduction
 
Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5
 
Gapand 2017 - Diseñando Arquitecturas Serverless en Azure
Gapand 2017 - Diseñando Arquitecturas Serverless en AzureGapand 2017 - Diseñando Arquitecturas Serverless en Azure
Gapand 2017 - Diseñando Arquitecturas Serverless en Azure
 
Angularjs interview questions and answers
Angularjs interview questions and answersAngularjs interview questions and answers
Angularjs interview questions and answers
 

Recently uploaded

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 

How Secure Is AngularJS?

  • 2. © 2016 Synopsys, Inc. 2 Who Am I? • Ksenia Peguero, previously Ksenia Dmitrieva • Principal Consultant at Synopsys, previously Cigital • 7 years of application security experience • Frequent conference speaker: RSA, AppSec EU, B-sides, Nullcon, No Fluff Just Stuff • Twitter @KseniaDmitrieva • Ballroom dancer Research Interests: • JavaScript frameworks • HTML5 • Static analysis
  • 3. © 2016 Synopsys, Inc. 3 Agenda • AngularJS Intro • AngularJS and OWASP Top 10 • AngularJS Built-in Security Controls • AngularJS Security Issues • DOM-XSS • Template Injection • Sandbox Bypass • Demos
  • 4. © 2016 Synopsys, Inc. 4 AngularJS Pop Quiz What is AngularJS? What is the current version of AngularJS? What software design pattern is used for implementing user interface? Who invented and who maintains AngularJS? What are the benefits of AngularJS? If AngularJS is on the front- end, what is used on the back end? What is a popular type of applications that AngularJS enables?
  • 5. © 2016 Synopsys, Inc. 5 AngularJS Pop Quiz - Answers • AngularJS is an open source front-end JavaScript framework • What is the current version of AngularJS: – Angular 1.6.2 – Angular 2.4 – Angular 4 to be released on March 1, 2017 • Angular – MVC - Model View Controller – MVVM - Model View ViewModel – MVW - Model View Whatever • Originally developed by Miško Hevery, then open sourced, and now maintained by Google • What are the benefits of AngularJS? – Separation of HTML, CSS, and JavaScript logic – Convenience in DOM manipulations – Performance • If AngularJS is on the front-end, what technologies are used on the back end? – Whatever: NodeJS, Java, C#, you name it • A lot of Angular applications are built as single-page applications (SPA)
  • 6. © 2016 Synopsys, Inc. 6 Angular and OWASP Top 10 • Angular is a client-side framework! It cannot have all Top 10 issues! OWASP Top 10 Angular Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using components with Known Vulnerabilities Unvalidated Redirects and Forwards ? ? ?
  • 7. © 2016 Synopsys, Inc. 7 Angular and OWASP Top 10 • OWASP Top 10 issues that Angular code may have: OWASP Top 10 Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
  • 8. © 2016 Synopsys, Inc. 8 AngularJS Built-in Security Controls
  • 9. © 2016 Synopsys, Inc. 9 XSS Protection: Output Encoding and SCE • Automatic context-aware output encoding – Encoding is context aware (HTML element, attribute, URL) – All unsafe symbols are encoded, nothing is removed – Used with ng-bind <p ng-bind=“htmlCtrl.html"></p> • SCE (Strict Contextual Escaping) – uses ngSanitize module – Sanitization for a particular context: HTML, URL, CSS – Used with ng-bind-html – Enabled by default in versions 1.2 and later, but can be disabled – $sceProvider.enabled(false) – $sce.trustAs(type, value) or $sce.trustAsHtml(value)
  • 10. © 2016 Synopsys, Inc. 10 XSS Protection: Content Security Policy • CSP disallows the use of eval() and inline scripts • Angular separates HTML, CSS, and JavaScript > no inline scripts! • Angular code is compatible with CSP by out of the box • Caveats: – Angular uses eval() internally to parse expressions – Angular may use inline styles, not inline scripts (for ngCloack, ngHide) • Angular without inline eval() runs 30% slower
  • 11. © 2016 Synopsys, Inc. 11 XSS Protection: Enforcing Content Security Policy Note: inline styles may be abused by attackers • See Mario Heiderich’s paper on scriptless attacks https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks- ccs2012.pdf Instead of allowing ‘unsafe-inline’ for styles, developers can include angular-csp.css in the HTML for ngCloak and ngHide directives to work. Angular Setting Code Angular Behavior Nothing <body ng-app> Use inline styles, check for unsafe eval in the CSP header Default CSP <body ng-app ng-csp> No inline styles, no eval No-unsafe-eval <body ng-app ng-csp="no-unsafe-eval"> Eval cannot be used, but it’s ok to use inline styles CSP must have: style-src ‘unsafe-inline’ No-inline-style <body ng-app ng-csp="no-inline-style"> Angular can use eval, but cannot use inline styles CSP must have: script-src ‘unsafe-eval’
  • 12. © 2016 Synopsys, Inc. 12 XSS Protection: Sandbox? Not Really • All versions of Angular up to 1.6 executed Angular Expressions in a sandbox • Angular Expressions are evaluated against the scope object https://www.youtube.com/watch?v=Hium4FVAR5A&index=4&list=PLhixgUqwRTjwJTIkNopKuGLk3P m9Ri1sF • Every version had a sandbox escape “vulnerability” • Sandbox was never considered to protect code for security reasons • What does it mean “to escape a sandbox”? – Directly manipulate the DOM – Execute plain old vanilla JavaScript • Example payload: {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} • As of Angular 1.6 sandbox has been completely removed https://blogs.synopsys.com/software-integrity/2016/12/28/angularjs-1-6-0-sandbox/
  • 13. © 2016 Synopsys, Inc. 13 CSRF Protection: Help from the Client • CSRF token must be generated and validated on the server side • Angular automatically reads a cookie sent from the server and saves the value to an HTTP header • What a developer needs to do: – Securely generate CSRF token on the server side – Add a cookie XSRF-TOKEN with the token value – Angular will add a custom header X-XSRF-TOKEN with the token value – Verify on the server if the X-XSRF-TOKEN value matches the cookie XSRF-TOKEN value – If the token and the cookie values do not match, reject the request • Note: if XSS is present on a page any CSRF protection is bypassable! https://blogs.synopsys.com/software-integrity/2017/01/25/angularjs-security-series-introduction/
  • 14. © 2016 Synopsys, Inc. 14 AngularJS Security Issues
  • 15. © 2016 Synopsys, Inc. 15 DOM-XSS • DOM-XSS happens when a malicious payload can manipulate the DOM to cause JavaScript code to execute • Angular does a pretty good job of protecting from DOM-XSS, except: – Explicitly using $sce.trustAsHtml() with untrusted input – Angular.element module (subset of jQuery) – Third-party Angular modules have vulnerabilities  angular-translate  textAngular  typeahead
  • 16. © 2016 Synopsys, Inc. 16 XSS in angular.element Reading data from user <form> <label>After:</label><input type="text" ng-model="afterinput" /> <button type="submit" nb-click="aftersubmit()">Submit</button> </form> <div ng-controller="View1Ctrl"> <div id="testDiv">{{name}}</div> </div> controller('View1Ctrl', ['$scope', '$document', function($scope, $document) { $scope.name = "ChangeMe"; var element = angular.element($document[0].querySelector('#testDiv')); $scope.aftersubmit=function() { if($scope.afterinput) element.after($scope.afterinput); } Inserting data in Angular code
  • 17. © 2016 Synopsys, Inc. 17 XSS in angular.element Payload: <p onmouseover=alert('after');>After</p> Why is there an injection? SCE is not automatically applied to angular.element
  • 18. © 2016 Synopsys, Inc. 18 XSS in angular-translate • Plugin angular-translate is used for pages internationalization angular.module('app').config(function($translateProvider) { $translateProvider.translations('en', {GREETING: 'Hello <b>{{name}}</b>'}); $translateProvider.translations('de', {GREETING: 'Hallo <b>{{name}}</b>'}); $translateProvider.preferredLanguage('en'); }); angular.module('app').controller('Ctrl', function($scope, $translate, $routeParams, $route, $translateSanitization){ $translateSanitization.useStrategy(); $scope.translateValues = {name: $routeParams.name}; var lang = $routeParams.lang; if (lang !== undefined) { $translate.use(lang); } ... } <div translate="GREETING" translate-values="{translateValues.name}"></div> • Setting translation strategy to ‘null’ or leaving it out (default) leads to XSS
  • 19. © 2016 Synopsys, Inc. 19 XSS in TextAngular • The textAngular module is a WYSIWYG editor with collaborative editing functionality • The editor processes the input and displays it (including HTML tags) • textAngular uses textAngular-sanitizer module – Only verifies that an href starts with “http” • Sample payload: http://A/A<img src=x onerror=alert('XSS_Success')> <p> Enter your comment <a target="" href="http://A/A<img src=x onerror=alert('XSS_Success')>">here!</a > </p>
  • 20. © 2016 Synopsys, Inc. 20 XSS in TypeAhead • TypeAhead module shows hints as the user starts typing in a text field • The list of hints is not sanitized if at least one condition is met: – ui.bootstrap version prior to 0.13.4 is used – ngSanitize is not included <form ng-submit="submit()"> <input type="text" ng-submit="submit()" ng-model="search_val" typeahead="search_val for search_val in searches" class="form-control"> <input type="submit" value="Search"/> </form> module.controller( 'TypeaheadCtrl', function($scope,$http) { $scope.selected = undefined; $scope.searches = [ decodeURIComponent(window.location.search.split("?")[1]) ]; } <script src="http://angular-ui.github.io/bootstrap/ui-bootstrap-tpls-0.13.3.js"></script> var module = angular.module('app', ['ui.bootstrap']
  • 21. © 2016 Synopsys, Inc. 21 Demo DOM-XSS in typeahead module
  • 22. © 2016 Synopsys, Inc. 22 Server-side templates Client-side templates JavaScript: Jade, ejs, Pug AngularJS ReactJS Java: JSP PHP: Smarty Template Injection • Mixing server-side and client-side templates can cause XSS without the need to inject HTML tags • User input added to server-side template and then sent to client-side template: – Server-side template engine only escapes malicious HTML characters (e.g., <, >, “, ‘) – Attacker can place AngularJS expression language within {{ }} – Will not be escaped by server-side code – Will be executed by the client-side AngularJS template – Will run within a sandbox with limited execution of JavaScript (prior to version 1.6) – Sandbox bypass is always possible! • Avoid using both client-side and server-side templates! – Keep app logic on server side and presentation on client side
  • 23. © 2016 Synopsys, Inc. 23 Template Injection Template User Input Template Engine Server-side Client-side res.render() Template Engine AngularJS template View compile Malicious AngularJS code is injected through input Template engine only escapes HTML special characters Template engine renders AngularJS expressions including malicious code Malicious code executes within the view 1 2 3 4
  • 24. © 2016 Synopsys, Inc. 24 Demo Template Injection and Sandbox Bypass
  • 25. © 2016 Synopsys, Inc. 26 Conclusion • Use Angular, as it is a very secure framework: – Contextually-aware encoding – Strict contextual encoding – Separation of HTML and JavaScript – CSP compatible • Do not rely on Angular sandbox • Do not mix server-side and client-side templates • Check plugins for security issues and use the latest version • … • Profit
  • 26. © 2016 Synopsys, Inc. 27 Thank you! Questions? Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software

Editor's Notes

  1. MVC - Model View Controller MVVM - Model View ViewModel - the scope object is a viewModel decorated by a function that we call a Controller. Uses an intermediate layer called a ViewModel to enhance manageability, scalability, and testability. MVW - Model View Whatever - "whatever works for you".
  2. In ngSanitize module is not included, Angular throws and error message. So, it won’t be a security issue, except in some specific cases.
  3. Truly, Angular expressions weren’t sandboxed for security reasons in the first place. It was not intended to act as a security boundary. Therefore, the various ‘sandbox escapes‘ published by security researchers were never considered to be vulnerabilities. Even so, the Angular team continued patching the sandbox until the recent release of 1.6.
  4. All versions of textAngular plugin are vulnerable. Instead, use ngWig as alternative
  5. XSS happens if at least one of the two conditions is not met: untrusted data will not be sanitized if the ngSanitize module is not included in the application dependencies. untrusted data will not be sanitized if using angular-ui bootstrap versions prior to 0.13.4 as older versions use the bind-html-unsafe directive rather than the ng-bind-html directive
  6. DOM-XSS in typeahead module In Chrome navigate to: file:///C:/Personal/Projects/Lofting/trigger_testing/javascript/angular/typeahead/index.html?%3Cspan%20onMouseOver=%22javascript:alert(%27xss%27)%22%3Ehoverme%3C/span%3E
  7. Demo template injection with sandbox bypass Start the VM Login into the app with test@test.com/testtest Go to Bookmarks Search for {{2+1}} and {{‘Joh’+’n’}} and John Search for {{user=undefined}} Create a URL with this input: http://bookmark.com:3030/bookmarks?keywords={{user%3Dundefined}} Demonstrate that the uses logged out Log back in, refresh the app, navigate to Bookmarks Use payload: {{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(1),a')}} Demonstrate the alert box with 1.