Is your app secure
•
1 like•100 views
Securing Angular or Single Page application app from XSS and XSRF (CSRF) attacks
Recommended
Recommended
More Related Content
What's hot
Similar to Is your app secure
Similar to Is your app secure (20)
More from Chathuranga Bandara
More from Chathuranga Bandara (9)
Recently uploaded
Recently uploaded (20)
Is your app secure
- 1. Is Your App Secure Chathur anga Bandar a
- 2. Who TF is this? • Engineer by profession, Husband and a Father by decision • Love Python • Love and hate JavaScript • Have 8 odd years of experience doing some coding and shit • Like CnH2n+1OH, Gin to be specific
- 6. Use Latest Angular Possible
- 7. XSS | XSRF
- 8. XSS?
- 9. “enables an attacker toinject client-side script into web pages viewed by other users”
- 12. How toPrevent?
- 13. Angular is a Good Guy..
- 14. Rather Like an overprotective Girl/Boy Friend
- 15. “Angular treats all values as untrusted bydefault. When a value is insertedinto the DOM froma template, via property, attribute, style and class binding, orinterpolation, Angular sanitizes and escapes untrusted values.”
- 17. unsafe value usedin a resource URL context.
- 18. Bypassing?
- 19. Makesure you sanitize after!
- 26. “You can compilethe app in the browser, at runtime, as the application loads, usingthe just-in-time (JIT) compiler. This is the standard development approach shownthroughout the documentation. It's great but it has shortcomings.”
- 27. “With AOT, the compiler runs onceat build time using oneset of libraries; with JIT it runs every time forevery user at runtime using a different set of libraries.”
- 28. Faster Rendering FewerAsync Requests Smaller Angular frameworkdownload Detect Template Errors earlier Better Security
- 29. Never use Angular Templating fromServer side
- 30. XSRF??
- 31. “Cross-Site Request Forgery(CSRF) is an attack that forcesan end user to executeunwanted actions ona web application in whichthey're currentlyauthenticated.”
- 32. To prevent this, the application must ensure that a user request originates fromthe real application
- 33. Angular's HttpClient has built-in support for theclient-side half ofthis technique.
- 36. Macaroons
- 38. js-macaroon
- 41. Thank you
Editor's Notes
- Good evening everyone. In this session I’m going to talk about Angular-CLI. Which is the Command Line Interface for Angular 2 development
- Angular throwing this error because the <iframe src> attribute is a resource URL security context, because an untrusted source can, for example, smuggle in file downloads that unsuspecting users could execute.
- Faster rendering With AOT, the browser downloads a pre-compiled version of the application. The browser loads executable code so it can render the application immediately, without waiting to compile the app first. Fewer asynchronous requests The compiler inlines external HTML templates and CSS style sheets within the application JavaScript, eliminating separate ajax requests for those source files. Smaller Angular framework download size There's no need to download the Angular compiler if the app is already compiled. The compiler is roughly half of Angular itself, so omitting it dramatically reduces the application payload. Detect template errors earlier The AOT compiler detects and reports template binding errors during the build step before users can see them. Better security AOT compiles HTML templates and components into JavaScript files long before they are served to the client. With no templates to read and no risky client-side HTML or JavaScript evaluation, there are fewer opportunities for injection attacks.
- CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request