Table Of Content

So you thought you were safe using AngularJS. . . . Think again! Who Am I? • Lewis Ardern • Ph.D. candidate Leeds Beckett University • Security Consultant at Synopsys, previously Cigital • Twitter @LewisArdern Research Interests: • Browser Security • JavaScript • HTML5 • Static analysis Agenda • AngularJS In A Nut Shell • AngularJS Security Protections • AngularJS Security Issues • Third-Party Library Security Issues • Look To The Future AngularJS In A Nut Shell • AngularJS is an open source front-end JavaScript framework • What is the current version of AngularJS: – AngularJS 1.6.5 – Angular 4.3.0 • Angular –MVC - Model View Controller –MVVM - Model View ViewModel –MVW - Model View Whatever • Originally developed by Miško Hevery, then open sourced, and now maintained by Google • What are the benefits of AngularJS? – Separation of HTML, CSS, and JavaScript logic – Convenience in DOM manipulations – Performance • If AngularJS is on the front-end, what technologies are used on the back end? – Whatever: NodeJS, Java, C#, you name it • A lot of Angular applications are built as single-page applications (SPA) Angular and OWASP Top 10 • OWASP Top 10 issues that Angular code may have: OWASP Top 10 Kinda Injection (SQL, Command, LDAP) Broken AuthN and Session Management Cross-site scripting Insecure Direct Object Reference Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Kinda CSRF Using Components with Known Vulnerabilities UnvalidatedRedirects and Forwards AngularJS Security Protections XSS Protection: Output Encoding • Automatic output encoding – Encoding is context aware (HTML element, attribute, URL) – All unsafe symbols are encoded, nothing is removed – Used with ng-bind <p ng-bind=“htmlCtrl.welcome"></p> XSS Protection: Strict Contextual Escaping • Before AngularJS version 1.2 – ng-bind-html-unsafe directive • SCE (Strict Contextual Escaping) – uses ngSanitize module – Sanitization for a particular context: HTML, URL, CSS – Used with ng-bind-html – Enabled by default in versions 1.2 and later, but can be disabled • $sceProvider.enabled(false) • $sce.trustAs(type, value) or $sce.trustAsHtml(value) • Other $sce.trustAs methods can be in custom directives XSS Protection: Content Security Policy • CSP disallows the use of eval() and inline scripts by default • CSP is configurable • Angular separates HTML, CSS, and JavaScript > no inline scripts! • Angular code is compatible with CSP out of the box • Caveats: – Angular uses eval() internally to parse expressions • https://github.com/angular/angular.js/blob/0694af8fc4c856f5174545450091602e51f02a11/src /Angular.js#L1120 – Angular may use inline styles, not inline scripts (for ngCloack, ngHide) • https://github.com/angular/angular.js/blob/0694af8fc4c856f5174545450091602e51f02a11/src /Angular.js#L1111 – Angular without unsafe eval() runs 30% slower when parsing expressions XSS Protection: Enforcing Content Security Policy Angular Setting Code Angular Behavior Nothing <body ng-app> Use inline scripts, check for unsafe eval in the CSP header Default CSP <body ng-app ng-csp> No inline scripts, no eval No-unsafe-eval <body ng-app Eval cannot be used, but it’s ok to use inline styles ng-csp="no-unsafe-eval"> CSP must have: style-src ‘unsafe-inline’ No-inline-style <body ng-app Angular can use eval, but cannot use inline styles ng-csp="no-inline-style"> CSP must have: script-src‘unsafe-eval’ Note: inline styles may be abused by attackers • See Mario Heiderich’s paper on scriptless attacks – https://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptless Attacks-ccs2012.pdf Instead of allowing ‘unsafe-inline’ for styles, developers can include angular- csp.css in the HTML for ngShow and ngHide directives to work.

Description:
If absolute URLs need to be used, verify that they start with http(s): Template. Engine. AngularJS template. View compile. Malicious AngularJS.
ebook img

So you thought you were safe using AngularJS. . . . Think again! PDF

46 Pages·2017·3.81 MB·English
by  Patrick Calder
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Download So you thought you were safe using AngularJS. . . . Think again! PDF Free - Full Version

by Patrick Calder| 2017| 46 pages| 3.81| English

Download So you thought you were safe using AngularJS. . . . Think again! by Patrick Calder in PDF format completely FREE. No registration required, no payment needed. Get instant access to this valuable resource on PDFdrive.to!

Free Download PDF

About So you thought you were safe using AngularJS. . . . Think again!

If absolute URLs need to be used, verify that they start with http(s): Template. Engine. AngularJS template. View compile. Malicious AngularJS.

Detailed Information

Author:Patrick Calder
Publication Year:2017
Pages:46
Language:English
File Size:3.81
Format:PDF
Price:FREE
Download Free PDF

Safe & Secure Download - No registration required

Why Choose PDFdrive for Your Free So you thought you were safe using AngularJS. . . . Think again! Download?

  • 100% Free: No hidden fees or subscriptions required for one book every day.
  • No Registration: Immediate access is available without creating accounts for one book every day.
  • Safe and Secure: Clean downloads without malware or viruses
  • Multiple Formats: PDF, MOBI, Mpub,... optimized for all devices
  • Educational Resource: Supporting knowledge sharing and learning

Free Books Similar to So you thought you were safe using AngularJS. . . . Think again!

Frequently Asked Questions

Is it really free to download So you thought you were safe using AngularJS. . . . Think again! PDF?

Yes, on https://PDFdrive.to you can download So you thought you were safe using AngularJS. . . . Think again! by Patrick Calder completely free. We don't require any payment, subscription, or registration to access this PDF file. For 3 books every day.

How can I read So you thought you were safe using AngularJS. . . . Think again! on my mobile device?

After downloading So you thought you were safe using AngularJS. . . . Think again! PDF, you can open it with any PDF reader app on your phone or tablet. We recommend using Adobe Acrobat Reader, Apple Books, or Google Play Books for the best reading experience.

Is this the full version of So you thought you were safe using AngularJS. . . . Think again!?

Yes, this is the complete PDF version of So you thought you were safe using AngularJS. . . . Think again! by Patrick Calder. You will be able to read the entire content as in the printed version without missing any pages.

Is it legal to download So you thought you were safe using AngularJS. . . . Think again! PDF for free?

https://PDFdrive.to provides links to free educational resources available online. We do not store any files on our servers. Please be aware of copyright laws in your country before downloading.

The materials shared are intended for research, educational, and personal use in accordance with fair use principles.

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
We use cookies

We use cookies to ensure you get the best browsing experience on our website. By clicking "Accept Cookies", you agree that we can store cookies on your device in accordance with our Terms and Privacy.

DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users