KEMBAR78
How Secure Is AngularJS? | PPTX
KP
Uploaded byKsenia Peguero
749 views

How Secure Is AngularJS?

Ksenia Peguero gave a presentation on AngularJS security. She discussed how AngularJS addresses some common vulnerabilities like XSS and CSRF. However, she noted some issues remain, such as DOM-XSS vulnerabilities in Angular elements and third-party plugins. She demonstrated template injection and sandbox bypass issues. Her conclusion was that AngularJS provides good security when used properly, but one should not rely on the sandbox and should avoid mixing server-side and client-side templates. She advised checking plugins for issues and using the latest versions.

Ksenia Peguero How Secure is AngularJS?
© 2016 Synopsys, Inc. 2 Who Am I? • Ksenia Peguero, previously Ksenia Dmitrieva • Principal Consultant at Synopsys, previously Cigital • 7 years of application security experience • Frequent conference speaker: RSA, AppSec EU, B-sides, Nullcon, No Fluff Just Stuff • Twitter @KseniaDmitrieva • Ballroom dancer Research Interests: • JavaScript frameworks • HTML5 • Static analysis
© 2016 Synopsys, Inc. 3 Agenda • AngularJS Intro • AngularJS and OWASP Top 10 • AngularJS Built-in Security Controls • AngularJS Security Issues • DOM-XSS • Template Injection • Sandbox Bypass • Demos
© 2016 Synopsys, Inc. 4 AngularJS Pop Quiz What is AngularJS? What is the current version of AngularJS? What software design pattern is used for implementing user interface? Who invented and who maintains AngularJS? What are the benefits of AngularJS? If AngularJS is on the front- end, what is used on the back end? What is a popular type of applications that AngularJS enables?
© 2016 Synopsys, Inc. 5 AngularJS Pop Quiz - Answers • AngularJS is an open source front-end JavaScript framework • What is the current version of AngularJS: – Angular 1.6.2 – Angular 2.4 – Angular 4 to be released on March 1, 2017 • Angular – MVC - Model View Controller – MVVM - Model View ViewModel – MVW - Model View Whatever • Originally developed by Miško Hevery, then open sourced, and now maintained by Google • What are the benefits of AngularJS? – Separation of HTML, CSS, and JavaScript logic – Convenience in DOM manipulations – Performance • If AngularJS is on the front-end, what technologies are used on the back end? – Whatever: NodeJS, Java, C#, you name it • A lot of Angular applications are built as single-page applications (SPA)
© 2016 Synopsys, Inc. 6 Angular and OWASP Top 10 • Angular is a client-side framework! It cannot have all Top 10 issues! OWASP Top 10 Angular Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using components with Known Vulnerabilities Unvalidated Redirects and Forwards ? ? ?
© 2016 Synopsys, Inc. 7 Angular and OWASP Top 10 • OWASP Top 10 issues that Angular code may have: OWASP Top 10 Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
© 2016 Synopsys, Inc. 8 AngularJS Built-in Security Controls
© 2016 Synopsys, Inc. 9 XSS Protection: Output Encoding and SCE • Automatic context-aware output encoding – Encoding is context aware (HTML element, attribute, URL) – All unsafe symbols are encoded, nothing is removed – Used with ng-bind <p ng-bind=“htmlCtrl.html"></p> • SCE (Strict Contextual Escaping) – uses ngSanitize module – Sanitization for a particular context: HTML, URL, CSS – Used with ng-bind-html – Enabled by default in versions 1.2 and later, but can be disabled – $sceProvider.enabled(false) – $sce.trustAs(type, value) or $sce.trustAsHtml(value)
© 2016 Synopsys, Inc. 10 XSS Protection: Content Security Policy • CSP disallows the use of eval() and inline scripts • Angular separates HTML, CSS, and JavaScript > no inline scripts! • Angular code is compatible with CSP by out of the box • Caveats: – Angular uses eval() internally to parse expressions – Angular may use inline styles, not inline scripts (for ngCloack, ngHide) • Angular without inline eval() runs 30% slower
© 2016 Synopsys, Inc. 11 XSS Protection: Enforcing Content Security Policy Note: inline styles may be abused by attackers • See Mario Heiderich’s paper on scriptless attacks https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks- ccs2012.pdf Instead of allowing ‘unsafe-inline’ for styles, developers can include angular-csp.css in the HTML for ngCloak and ngHide directives to work. Angular Setting Code Angular Behavior Nothing <body ng-app> Use inline styles, check for unsafe eval in the CSP header Default CSP <body ng-app ng-csp> No inline styles, no eval No-unsafe-eval <body ng-app ng-csp="no-unsafe-eval"> Eval cannot be used, but it’s ok to use inline styles CSP must have: style-src ‘unsafe-inline’ No-inline-style <body ng-app ng-csp="no-inline-style"> Angular can use eval, but cannot use inline styles CSP must have: script-src ‘unsafe-eval’
© 2016 Synopsys, Inc. 12 XSS Protection: Sandbox? Not Really • All versions of Angular up to 1.6 executed Angular Expressions in a sandbox • Angular Expressions are evaluated against the scope object https://www.youtube.com/watch?v=Hium4FVAR5A&index=4&list=PLhixgUqwRTjwJTIkNopKuGLk3P m9Ri1sF • Every version had a sandbox escape “vulnerability” • Sandbox was never considered to protect code for security reasons • What does it mean “to escape a sandbox”? – Directly manipulate the DOM – Execute plain old vanilla JavaScript • Example payload: {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} • As of Angular 1.6 sandbox has been completely removed https://blogs.synopsys.com/software-integrity/2016/12/28/angularjs-1-6-0-sandbox/
© 2016 Synopsys, Inc. 13 CSRF Protection: Help from the Client • CSRF token must be generated and validated on the server side • Angular automatically reads a cookie sent from the server and saves the value to an HTTP header • What a developer needs to do: – Securely generate CSRF token on the server side – Add a cookie XSRF-TOKEN with the token value – Angular will add a custom header X-XSRF-TOKEN with the token value – Verify on the server if the X-XSRF-TOKEN value matches the cookie XSRF-TOKEN value – If the token and the cookie values do not match, reject the request • Note: if XSS is present on a page any CSRF protection is bypassable! https://blogs.synopsys.com/software-integrity/2017/01/25/angularjs-security-series-introduction/
© 2016 Synopsys, Inc. 14 AngularJS Security Issues
© 2016 Synopsys, Inc. 15 DOM-XSS • DOM-XSS happens when a malicious payload can manipulate the DOM to cause JavaScript code to execute • Angular does a pretty good job of protecting from DOM-XSS, except: – Explicitly using $sce.trustAsHtml() with untrusted input – Angular.element module (subset of jQuery) – Third-party Angular modules have vulnerabilities  angular-translate  textAngular  typeahead
© 2016 Synopsys, Inc. 16 XSS in angular.element Reading data from user <form> <label>After:</label><input type="text" ng-model="afterinput" /> <button type="submit" nb-click="aftersubmit()">Submit</button> </form> <div ng-controller="View1Ctrl"> <div id="testDiv">{{name}}</div> </div> controller('View1Ctrl', ['$scope', '$document', function($scope, $document) { $scope.name = "ChangeMe"; var element = angular.element($document[0].querySelector('#testDiv')); $scope.aftersubmit=function() { if($scope.afterinput) element.after($scope.afterinput); } Inserting data in Angular code
© 2016 Synopsys, Inc. 17 XSS in angular.element Payload: <p onmouseover=alert('after');>After</p> Why is there an injection? SCE is not automatically applied to angular.element
© 2016 Synopsys, Inc. 18 XSS in angular-translate • Plugin angular-translate is used for pages internationalization angular.module('app').config(function($translateProvider) { $translateProvider.translations('en', {GREETING: 'Hello <b>{{name}}</b>'}); $translateProvider.translations('de', {GREETING: 'Hallo <b>{{name}}</b>'}); $translateProvider.preferredLanguage('en'); }); angular.module('app').controller('Ctrl', function($scope, $translate, $routeParams, $route, $translateSanitization){ $translateSanitization.useStrategy(); $scope.translateValues = {name: $routeParams.name}; var lang = $routeParams.lang; if (lang !== undefined) { $translate.use(lang); } ... } <div translate="GREETING" translate-values="{translateValues.name}"></div> • Setting translation strategy to ‘null’ or leaving it out (default) leads to XSS
© 2016 Synopsys, Inc. 19 XSS in TextAngular • The textAngular module is a WYSIWYG editor with collaborative editing functionality • The editor processes the input and displays it (including HTML tags) • textAngular uses textAngular-sanitizer module – Only verifies that an href starts with “http” • Sample payload: http://A/A<img src=x onerror=alert('XSS_Success')> <p> Enter your comment <a target="" href="http://A/A<img src=x onerror=alert('XSS_Success')>">here!</a > </p>
© 2016 Synopsys, Inc. 20 XSS in TypeAhead • TypeAhead module shows hints as the user starts typing in a text field • The list of hints is not sanitized if at least one condition is met: – ui.bootstrap version prior to 0.13.4 is used – ngSanitize is not included <form ng-submit="submit()"> <input type="text" ng-submit="submit()" ng-model="search_val" typeahead="search_val for search_val in searches" class="form-control"> <input type="submit" value="Search"/> </form> module.controller( 'TypeaheadCtrl', function($scope,$http) { $scope.selected = undefined; $scope.searches = [ decodeURIComponent(window.location.search.split("?")[1]) ]; } <script src="http://angular-ui.github.io/bootstrap/ui-bootstrap-tpls-0.13.3.js"></script> var module = angular.module('app', ['ui.bootstrap']
© 2016 Synopsys, Inc. 21 Demo DOM-XSS in typeahead module
© 2016 Synopsys, Inc. 22 Server-side templates Client-side templates JavaScript: Jade, ejs, Pug AngularJS ReactJS Java: JSP PHP: Smarty Template Injection • Mixing server-side and client-side templates can cause XSS without the need to inject HTML tags • User input added to server-side template and then sent to client-side template: – Server-side template engine only escapes malicious HTML characters (e.g., <, >, “, ‘) – Attacker can place AngularJS expression language within {{ }} – Will not be escaped by server-side code – Will be executed by the client-side AngularJS template – Will run within a sandbox with limited execution of JavaScript (prior to version 1.6) – Sandbox bypass is always possible! • Avoid using both client-side and server-side templates! – Keep app logic on server side and presentation on client side
© 2016 Synopsys, Inc. 23 Template Injection Template User Input Template Engine Server-side Client-side res.render() Template Engine AngularJS template View compile Malicious AngularJS code is injected through input Template engine only escapes HTML special characters Template engine renders AngularJS expressions including malicious code Malicious code executes within the view 1 2 3 4
© 2016 Synopsys, Inc. 24 Demo Template Injection and Sandbox Bypass
© 2016 Synopsys, Inc. 26 Conclusion • Use Angular, as it is a very secure framework: – Contextually-aware encoding – Strict contextual encoding – Separation of HTML and JavaScript – CSP compatible • Do not rely on Angular sandbox • Do not mix server-side and client-side templates • Check plugins for security issues and use the latest version • … • Profit
© 2016 Synopsys, Inc. 27 Thank you! Questions? Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software

More Related Content

PPTX
How to React to JavaScript Insecurity
byKsenia Peguero
 
PDF
How do JavaScript frameworks impact the security of applications?
byKsenia Peguero
 
PDF
Reviewing AngularJS
byLewis Ardern
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PDF
ng-owasp: OWASP Top 10 for AngularJS Applications
byKevin Hakanson
 
PDF
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Breaking Bad CSP
byLukas Weichselbaum
 
How to React to JavaScript Insecurity
byKsenia Peguero
 
How do JavaScript frameworks impact the security of applications?
byKsenia Peguero
 
Reviewing AngularJS
byLewis Ardern
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
ng-owasp: OWASP Top 10 for AngularJS Applications
byKevin Hakanson
 
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Breaking Bad CSP
byLukas Weichselbaum
 

What's hot

PDF
Java Web Application Security - Jazoon 2011
byMatt Raible
 
PPT
Ajax Security
byRoberto Suggi Liverani
 
PPTX
Dzhengis 93098 ajax - security
bydzhengo44
 
PPTX
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
DOC
Santosh_Resume_Java
bySANTOSH PATTNAIK
 
PPTX
Java ee 8 + security overview
byRudy De Busscher
 
PPT
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
PDF
Java EE 8: On the Horizon
byJosh Juneau
 
PPTX
Octopus framework; Permission based security framework for Java EE
byRudy De Busscher
 
PPT
Java EE and Spring Side-by-Side
byReza Rahman
 
PPTX
Frameworks in java
byDarshan Patel
 
PDF
Wakanda - apps.berlin.js - 2012-11-29
byAlexandre Morgaut
 
PDF
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
byAbhay Bhargav
 
PPTX
Java Security Framework's
byMohammed Fazuluddin
 
PDF
What's New in Spring 3.1
byMatt Raible
 
PPT
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
byBrian Huff
 
PDF
5 best Java Frameworks
byAegis Softtech
 
PPTX
Introducing ASP.NET Core 2.0
bySteven Smith
 
PDF
API SECURITY
byTubagus Rizky Dharmawan
 
PPT
Getting started with angular js
byMaurice De Beijer [MVP]
 
Java Web Application Security - Jazoon 2011
byMatt Raible
 
Ajax Security
byRoberto Suggi Liverani
 
Dzhengis 93098 ajax - security
bydzhengo44
 
Geecon 2017 Anatomy of Java Vulnerabilities
bySteve Poole
 
Santosh_Resume_Java
bySANTOSH PATTNAIK
 
Java ee 8 + security overview
byRudy De Busscher
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
bySteve Poole
 
Java EE 8: On the Horizon
byJosh Juneau
 
Octopus framework; Permission based security framework for Java EE
byRudy De Busscher
 
Java EE and Spring Side-by-Side
byReza Rahman
 
Frameworks in java
byDarshan Patel
 
Wakanda - apps.berlin.js - 2012-11-29
byAlexandre Morgaut
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
byAbhay Bhargav
 
Java Security Framework's
byMohammed Fazuluddin
 
What's New in Spring 3.1
byMatt Raible
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
byBrian Huff
 
5 best Java Frameworks
byAegis Softtech
 
Introducing ASP.NET Core 2.0
bySteven Smith
 
API SECURITY
byTubagus Rizky Dharmawan
 
Getting started with angular js
byMaurice De Beijer [MVP]
 

Similar to How Secure Is AngularJS?

PDF
So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
PDF
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
PDF
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
byCODE BLUE
 
PDF
AngularJS Security: defend your Single Page Application
byCarlo Bonamico
 
PDF
An Abusive Relationship with AngularJS
byMario Heiderich
 
PDF
Web Application Security Reloaded for the HTML5 era
byCarlo Bonamico
 
PPTX
Vulnerability Assessment Of Angular JS
byValency Networks
 
PDF
Are you botching the security of your AngularJS applications? (DevFest 2016)
byPhilippe De Ryck
 
PPTX
Is your app secure
byChathuranga Bandara
 
PPTX
Angular js
byBaldeep Sohal
 
PPTX
Pentesting Modern Web Apps: A Primer
byBrian Hysell
 
PPTX
AngularJS 1.x - your first application (problems and solutions)
byIgor Talevski
 
PPTX
Angular Js
byKnoldus Inc.
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PPTX
Angular Js Advantages - Complete Reference
byEPAM Systems
 
PDF
One Weekend With AngularJS
byYashobanta Bai
 
PDF
An introduction to AngularJS
byYogesh singh
 
PPTX
Angular
byTejinderMakkar
 
PDF
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
byDavid Johansson
 
PDF
Securing your AngularJS Application
byPhilippe De Ryck
 
So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
byLewis Ardern
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
byCODE BLUE
 
AngularJS Security: defend your Single Page Application
byCarlo Bonamico
 
An Abusive Relationship with AngularJS
byMario Heiderich
 
Web Application Security Reloaded for the HTML5 era
byCarlo Bonamico
 
Vulnerability Assessment Of Angular JS
byValency Networks
 
Are you botching the security of your AngularJS applications? (DevFest 2016)
byPhilippe De Ryck
 
Is your app secure
byChathuranga Bandara
 
Angular js
byBaldeep Sohal
 
Pentesting Modern Web Apps: A Primer
byBrian Hysell
 
AngularJS 1.x - your first application (problems and solutions)
byIgor Talevski
 
Angular Js
byKnoldus Inc.
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Angular Js Advantages - Complete Reference
byEPAM Systems
 
One Weekend With AngularJS
byYashobanta Bai
 
An introduction to AngularJS
byYogesh singh
 
Angular
byTejinderMakkar
 
AngularJS + CSP: A Perfect Match or Unhappy Marriage?
byDavid Johansson
 
Securing your AngularJS Application
byPhilippe De Ryck
 

Recently uploaded

PDF
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
PDF
Data Structure - 12 Graph
byAndiNurkholis1
 
PDF
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
PDF
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PPTX
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PPTX
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
PPTX
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
Agentic AI Guide for Enterprise Use-cases
byDebmalya Biswas
 
Data Structure - 12 Graph
byAndiNurkholis1
 
UnityNet Digital Sovereignty Checklist 2025-10-13
byLHelferty
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
CBD Belgium 2025 - The adventures of a Microsoft 365 Platform Owner.pptx
byJasper Oosterveld
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
Hybrid Active Directory Cyber Resiliency
byFrancesco Faenzi
 
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 

How Secure Is AngularJS?

  • 1.
  • 2.
    © 2016 Synopsys,Inc. 2 Who Am I? • Ksenia Peguero, previously Ksenia Dmitrieva • Principal Consultant at Synopsys, previously Cigital • 7 years of application security experience • Frequent conference speaker: RSA, AppSec EU, B-sides, Nullcon, No Fluff Just Stuff • Twitter @KseniaDmitrieva • Ballroom dancer Research Interests: • JavaScript frameworks • HTML5 • Static analysis
  • 3.
    © 2016 Synopsys,Inc. 3 Agenda • AngularJS Intro • AngularJS and OWASP Top 10 • AngularJS Built-in Security Controls • AngularJS Security Issues • DOM-XSS • Template Injection • Sandbox Bypass • Demos
  • 4.
    © 2016 Synopsys,Inc. 4 AngularJS Pop Quiz What is AngularJS? What is the current version of AngularJS? What software design pattern is used for implementing user interface? Who invented and who maintains AngularJS? What are the benefits of AngularJS? If AngularJS is on the front- end, what is used on the back end? What is a popular type of applications that AngularJS enables?
  • 5.
    © 2016 Synopsys,Inc. 5 AngularJS Pop Quiz - Answers • AngularJS is an open source front-end JavaScript framework • What is the current version of AngularJS: – Angular 1.6.2 – Angular 2.4 – Angular 4 to be released on March 1, 2017 • Angular – MVC - Model View Controller – MVVM - Model View ViewModel – MVW - Model View Whatever • Originally developed by Miško Hevery, then open sourced, and now maintained by Google • What are the benefits of AngularJS? – Separation of HTML, CSS, and JavaScript logic – Convenience in DOM manipulations – Performance • If AngularJS is on the front-end, what technologies are used on the back end? – Whatever: NodeJS, Java, C#, you name it • A lot of Angular applications are built as single-page applications (SPA)
  • 6.
    © 2016 Synopsys,Inc. 6 Angular and OWASP Top 10 • Angular is a client-side framework! It cannot have all Top 10 issues! OWASP Top 10 Angular Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using components with Known Vulnerabilities Unvalidated Redirects and Forwards ? ? ?
  • 7.
    © 2016 Synopsys,Inc. 7 Angular and OWASP Top 10 • OWASP Top 10 issues that Angular code may have: OWASP Top 10 Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control CSRF Using Components with Known Vulnerabilities Unvalidated Redirects and Forwards
  • 8.
    © 2016 Synopsys,Inc. 8 AngularJS Built-in Security Controls
  • 9.
    © 2016 Synopsys,Inc. 9 XSS Protection: Output Encoding and SCE • Automatic context-aware output encoding – Encoding is context aware (HTML element, attribute, URL) – All unsafe symbols are encoded, nothing is removed – Used with ng-bind <p ng-bind=“htmlCtrl.html"></p> • SCE (Strict Contextual Escaping) – uses ngSanitize module – Sanitization for a particular context: HTML, URL, CSS – Used with ng-bind-html – Enabled by default in versions 1.2 and later, but can be disabled – $sceProvider.enabled(false) – $sce.trustAs(type, value) or $sce.trustAsHtml(value)
  • 10.
    © 2016 Synopsys,Inc. 10 XSS Protection: Content Security Policy • CSP disallows the use of eval() and inline scripts • Angular separates HTML, CSS, and JavaScript > no inline scripts! • Angular code is compatible with CSP by out of the box • Caveats: – Angular uses eval() internally to parse expressions – Angular may use inline styles, not inline scripts (for ngCloack, ngHide) • Angular without inline eval() runs 30% slower
  • 11.
    © 2016 Synopsys,Inc. 11 XSS Protection: Enforcing Content Security Policy Note: inline styles may be abused by attackers • See Mario Heiderich’s paper on scriptless attacks https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks- ccs2012.pdf Instead of allowing ‘unsafe-inline’ for styles, developers can include angular-csp.css in the HTML for ngCloak and ngHide directives to work. Angular Setting Code Angular Behavior Nothing <body ng-app> Use inline styles, check for unsafe eval in the CSP header Default CSP <body ng-app ng-csp> No inline styles, no eval No-unsafe-eval <body ng-app ng-csp="no-unsafe-eval"> Eval cannot be used, but it’s ok to use inline styles CSP must have: style-src ‘unsafe-inline’ No-inline-style <body ng-app ng-csp="no-inline-style"> Angular can use eval, but cannot use inline styles CSP must have: script-src ‘unsafe-eval’
  • 12.
    © 2016 Synopsys,Inc. 12 XSS Protection: Sandbox? Not Really • All versions of Angular up to 1.6 executed Angular Expressions in a sandbox • Angular Expressions are evaluated against the scope object https://www.youtube.com/watch?v=Hium4FVAR5A&index=4&list=PLhixgUqwRTjwJTIkNopKuGLk3P m9Ri1sF • Every version had a sandbox escape “vulnerability” • Sandbox was never considered to protect code for security reasons • What does it mean “to escape a sandbox”? – Directly manipulate the DOM – Execute plain old vanilla JavaScript • Example payload: {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}} • As of Angular 1.6 sandbox has been completely removed https://blogs.synopsys.com/software-integrity/2016/12/28/angularjs-1-6-0-sandbox/
  • 13.
    © 2016 Synopsys,Inc. 13 CSRF Protection: Help from the Client • CSRF token must be generated and validated on the server side • Angular automatically reads a cookie sent from the server and saves the value to an HTTP header • What a developer needs to do: – Securely generate CSRF token on the server side – Add a cookie XSRF-TOKEN with the token value – Angular will add a custom header X-XSRF-TOKEN with the token value – Verify on the server if the X-XSRF-TOKEN value matches the cookie XSRF-TOKEN value – If the token and the cookie values do not match, reject the request • Note: if XSS is present on a page any CSRF protection is bypassable! https://blogs.synopsys.com/software-integrity/2017/01/25/angularjs-security-series-introduction/
  • 14.
    © 2016 Synopsys,Inc. 14 AngularJS Security Issues
  • 15.
    © 2016 Synopsys,Inc. 15 DOM-XSS • DOM-XSS happens when a malicious payload can manipulate the DOM to cause JavaScript code to execute • Angular does a pretty good job of protecting from DOM-XSS, except: – Explicitly using $sce.trustAsHtml() with untrusted input – Angular.element module (subset of jQuery) – Third-party Angular modules have vulnerabilities  angular-translate  textAngular  typeahead
  • 16.
    © 2016 Synopsys,Inc. 16 XSS in angular.element Reading data from user <form> <label>After:</label><input type="text" ng-model="afterinput" /> <button type="submit" nb-click="aftersubmit()">Submit</button> </form> <div ng-controller="View1Ctrl"> <div id="testDiv">{{name}}</div> </div> controller('View1Ctrl', ['$scope', '$document', function($scope, $document) { $scope.name = "ChangeMe"; var element = angular.element($document[0].querySelector('#testDiv')); $scope.aftersubmit=function() { if($scope.afterinput) element.after($scope.afterinput); } Inserting data in Angular code
  • 17.
    © 2016 Synopsys,Inc. 17 XSS in angular.element Payload: <p onmouseover=alert('after');>After</p> Why is there an injection? SCE is not automatically applied to angular.element
  • 18.
    © 2016 Synopsys,Inc. 18 XSS in angular-translate • Plugin angular-translate is used for pages internationalization angular.module('app').config(function($translateProvider) { $translateProvider.translations('en', {GREETING: 'Hello <b>{{name}}</b>'}); $translateProvider.translations('de', {GREETING: 'Hallo <b>{{name}}</b>'}); $translateProvider.preferredLanguage('en'); }); angular.module('app').controller('Ctrl', function($scope, $translate, $routeParams, $route, $translateSanitization){ $translateSanitization.useStrategy(); $scope.translateValues = {name: $routeParams.name}; var lang = $routeParams.lang; if (lang !== undefined) { $translate.use(lang); } ... } <div translate="GREETING" translate-values="{translateValues.name}"></div> • Setting translation strategy to ‘null’ or leaving it out (default) leads to XSS
  • 19.
    © 2016 Synopsys,Inc. 19 XSS in TextAngular • The textAngular module is a WYSIWYG editor with collaborative editing functionality • The editor processes the input and displays it (including HTML tags) • textAngular uses textAngular-sanitizer module – Only verifies that an href starts with “http” • Sample payload: http://A/A<img src=x onerror=alert('XSS_Success')> <p> Enter your comment <a target="" href="http://A/A<img src=x onerror=alert('XSS_Success')>">here!</a > </p>
  • 20.
    © 2016 Synopsys,Inc. 20 XSS in TypeAhead • TypeAhead module shows hints as the user starts typing in a text field • The list of hints is not sanitized if at least one condition is met: – ui.bootstrap version prior to 0.13.4 is used – ngSanitize is not included <form ng-submit="submit()"> <input type="text" ng-submit="submit()" ng-model="search_val" typeahead="search_val for search_val in searches" class="form-control"> <input type="submit" value="Search"/> </form> module.controller( 'TypeaheadCtrl', function($scope,$http) { $scope.selected = undefined; $scope.searches = [ decodeURIComponent(window.location.search.split("?")[1]) ]; } <script src="http://angular-ui.github.io/bootstrap/ui-bootstrap-tpls-0.13.3.js"></script> var module = angular.module('app', ['ui.bootstrap']
  • 21.
    © 2016 Synopsys,Inc. 21 Demo DOM-XSS in typeahead module
  • 22.
    © 2016 Synopsys,Inc. 22 Server-side templates Client-side templates JavaScript: Jade, ejs, Pug AngularJS ReactJS Java: JSP PHP: Smarty Template Injection • Mixing server-side and client-side templates can cause XSS without the need to inject HTML tags • User input added to server-side template and then sent to client-side template: – Server-side template engine only escapes malicious HTML characters (e.g., <, >, “, ‘) – Attacker can place AngularJS expression language within {{ }} – Will not be escaped by server-side code – Will be executed by the client-side AngularJS template – Will run within a sandbox with limited execution of JavaScript (prior to version 1.6) – Sandbox bypass is always possible! • Avoid using both client-side and server-side templates! – Keep app logic on server side and presentation on client side
  • 23.
    © 2016 Synopsys,Inc. 23 Template Injection Template User Input Template Engine Server-side Client-side res.render() Template Engine AngularJS template View compile Malicious AngularJS code is injected through input Template engine only escapes HTML special characters Template engine renders AngularJS expressions including malicious code Malicious code executes within the view 1 2 3 4
  • 24.
    © 2016 Synopsys,Inc. 24 Demo Template Injection and Sandbox Bypass
  • 25.
    © 2016 Synopsys,Inc. 26 Conclusion • Use Angular, as it is a very secure framework: – Contextually-aware encoding – Strict contextual encoding – Separation of HTML and JavaScript – CSP compatible • Do not rely on Angular sandbox • Do not mix server-side and client-side templates • Check plugins for security issues and use the latest version • … • Profit
  • 26.
    © 2016 Synopsys,Inc. 27 Thank you! Questions? Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software

Editor's Notes

  • #6 MVC - Model View Controller MVVM - Model View ViewModel - the scope object is a viewModel decorated by a function that we call a Controller. Uses an intermediate layer called a ViewModel to enhance manageability, scalability, and testability. MVW - Model View Whatever - "whatever works for you".
  • #10 In ngSanitize module is not included, Angular throws and error message. So, it won’t be a security issue, except in some specific cases.
  • #13 Truly, Angular expressions weren’t sandboxed for security reasons in the first place. It was not intended to act as a security boundary. Therefore, the various ‘sandbox escapes‘ published by security researchers were never considered to be vulnerabilities. Even so, the Angular team continued patching the sandbox until the recent release of 1.6.
  • #20 All versions of textAngular plugin are vulnerable. Instead, use ngWig as alternative
  • #21 XSS happens if at least one of the two conditions is not met: untrusted data will not be sanitized if the ngSanitize module is not included in the application dependencies. untrusted data will not be sanitized if using angular-ui bootstrap versions prior to 0.13.4 as older versions use the bind-html-unsafe directive rather than the ng-bind-html directive
  • #22 DOM-XSS in typeahead module In Chrome navigate to: file:///C:/Personal/Projects/Lofting/trigger_testing/javascript/angular/typeahead/index.html?%3Cspan%20onMouseOver=%22javascript:alert(%27xss%27)%22%3Ehoverme%3C/span%3E
  • #25 Demo template injection with sandbox bypass Start the VM Login into the app with test@test.com/testtest Go to Bookmarks Search for {{2+1}} and {{‘Joh’+’n’}} and John Search for {{user=undefined}} Create a URL with this input: http://bookmark.com:3030/bookmarks?keywords={{user%3Dundefined}} Demonstrate that the uses logged out Log back in, refresh the app, navigate to Bookmarks Use payload: {{a=toString().constructor.prototype;a.charAt=a.trim;$eval('a,alert(1),a')}} Demonstrate the alert box with 1.