SlideShare a Scribd company logo

Are you botching the security of your AngularJS applications? (DevFest 2016)

P
Philippe De Ryck

The document discusses the security of AngularJS applications, emphasizing the importance of being aware of cross-site scripting (XSS) vulnerabilities and how to protect against them. It outlines essential rules for securing AngularJS apps, including not combining templates with user-supplied data, properly sanitizing inputs, and leveraging Content Security Policy (CSP) to mitigate risks. Additionally, it highlights the need for ongoing education and resources available for web security training.

Technology
Related topics:
Web Security Overview
1 of 32
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
@PhilippeDeRyck ARE YOU BOTCHING THE SECURITY OF YOUR ANGULARJS APPLICATIONS? Philippe De Ryck DevFest 2016, Brussels, Belgium https://www.websec.be
@PhilippeDeRyck WHAT IS THE BIGGEST THREAT TO AN ANGULARJS APPLICATION? DEVELOPERS (THAT ARE NOT SECURITY-AWARE)
@PhilippeDeRyck KNOWLEDGE IS KEY TO BUILDING SECURE APPLICATIONS § My goal is to help you build secure web applications − In-house training programs at various companies − Hosted web security training courses at DistriNet (KU Leuven) − Talks at various developer conferences − Slides, videos and blog posts on https://www.websec.be § I have a broad security expertise, with a focus on Web Security − PhD in client-side web security − Main author of the Primer on client-side web security − Part of the organizing committee of the SecAppDev course § I’m also a chef, so demo’s will be food-related!
@PhilippeDeRyck CROSS-SITE SCRIPTING (XSS) § In an XSS attack, malicious content is injected into your application’s pages − In the “original” XSS attacks, an attacker injected JavaScript code − Today, injected content can be JavaScript, CSS, HTML, SVG, 

@PhilippeDeRyck CROSS-SITE SCRIPTING (XSS) § In an XSS attack, malicious content is injected into your application’s pages − In the “original” XSS attacks, an attacker injected JavaScript code − Today, injected content can be JavaScript, CSS, HTML, SVG, 
 https://www.youtube.com/watch?v=K0noqLisW_c
@PhilippeDeRyck CROSS-SITE SCRIPTING (XSS) § In an XSS attack, malicious content is injected into your application’s pages − In the “original” XSS attacks, an attacker injected JavaScript code − Today, injected content can be JavaScript, CSS, HTML, SVG, 
 § The real problem is that injected content runs in your context − Complete access to your client-side data and code − Ability to use any permissions the user has granted to your application − The full power of XHR to contact your backend, in the name of the user § XSS attacks are very powerful, and unfortunately very common − XSS is ranked 3rd in the OWASP top 10 and 4th in the SANS top 25
@PhilippeDeRyck http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/
@PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code <div><h3> Your search for “<i>Crazy Cats<script>alert(“Miauw!”)</script></i>” returned 5 results </h3></div> <div><h3> Your search for “$query” returned $count results </h3></div>
@PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data <div><h3> Your search for “encode($query)” returned $count results </h3></div>
@PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data <div><h3> Your search for “<i>Crazy Cats&lt;script&gt;alert(“Miauw!”)&lt;/script&gt;</i> returned 5 results </h3></div>
@PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data § The escaping process is context-sensitive − HTML body <h1>DATA</h1> − HTML attributes <div id=‘DATA’> − Stylesheet context body { background-color: DATA;} − Script context alert(“DATA”);
@PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS <script src=“
/angular.js”></script> 
 <div><h3> Your search for “<i>encode($query)</i>” returned $count results </h3></div>
@PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS § But is that even possible in an AngularJS environment? <div class=”ng-app”> {{constructor.constructor(‘alert(1)’)}} </div> <div class="ng-app"> <b class="ng-style: {x:constructor.constructor('alert(1)')()};" /> </div>
@PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS § But is that even possible in an AngularJS environment? − No § AngularJS attempted to prevent this with the expression sandbox − Prevents direct access to global JavaScript functionality − Impossible to lock down completely, so only available in AngularJS 1.2 - 1.6 − Angular2 offers offline template compilation
@PhilippeDeRyck RULE #1 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA ON THE SERVER Provide the data separately to the client-side AngularJS application
@PhilippeDeRyck AND WHAT IF WE DO IT THE ANGULAR WAY? § Remember the confusion between data and code? − Templates and JavaScript code are considered the application’s code − Data fetched from APIs is considered data § AngularJS knows which parts are untrusted − And automatically applies Strict Contextual Escaping (SCE) − SCE applies to all data bindings with ng-bind or {{ }} − SCE is on-by-default since version 1.2 § But what if we actually want to allow some HTML in the user’s data?
@PhilippeDeRyck
@PhilippeDeRyck http://stackoverflow.com/questions/9381926/angularjs-insert-html-into-view/25513186#25513186
@PhilippeDeRyck ALL IS GREAT 
 UNTIL YOU GET A CALL ONE EVENING What, no way! What happened? Did they steal our data? No, it’s worse! Much worse! They loaded the EmberJS library! We’ve been hacked! Then what?!
@PhilippeDeRyck LET’S INVESTIGATE THE STACKOVERFLOW ADVICE 
 https://docs.angularjs.org/api/ng/service/$sce https://docs.angularjs.org/error/$sce/unsafe
@PhilippeDeRyck LETTING ANGULARJS 1.X DO THE WORK FOR YOU § Simple data will be encoded for the right context with SCE § AngularJS will not allow you to directly use untrusted data § Sanitizing untrusted data makes it safe to use § Static HTML snippets can be marked as safe if absolutely necessary <p>{{var}}</p>var = “test<script>alert(1)</script>” <p ng-bind-html=“var”></p><input ng-model=“var” /> <input ng-model=“var” /> angular.module(“
”, [‘ngSanitize’] <p ng-bind-html=“var”></p> <p ng-bind-html=“var”></p>var = $sce.trustAsHtml(“<b>test</b>)”
@PhilippeDeRyck AND IT’S EVEN BETTER IN ANGULARJS 2.X § All data is sanitized by default § Static HTML snippets can be marked as safe if absolutely necessary <input ng-model=“var” /> <p>{{var}}</p> <p>{{var}}</p>var = domSanitizer.bypassSecurityTrustHtml(“<b>test</b>)”
@PhilippeDeRyck http://stackoverflow.com/a/25513186
@PhilippeDeRyck RULE #2 DO NOT MARK UNTRUSTED DATA AS SAFE Use the built-in sanitizer to remove dangerous features from the untrusted data
@PhilippeDeRyck XSS VULNERABILITIES WILL POP UP EVENTUALLY § You can deploy a second line of defense with Content Security Policy − Server-driven browser-enforced security policy − In case there is an XSS attack, the script will be severely constrained or even blocked − CSP evolved to an extensive and powerful browser security policy § CSP locks down what can happen in a web page − Refuses to execute inline script and style − Only loads external resources if they are explicitly whitelisted § CSP has severe incompatibility problems with traditional web applications − But is easy to deploy on an AngularJS application
@PhilippeDeRyck A QUICK OVERVIEW OF CSP’S DIRECTIVES § CSP has directives for all kinds of resources − default-src applies to any resource, if there’s no more specific directive − img-src, script-src, style-src, 
 § A directive can have numerous valid values − Keywords: ‘none’, ‘self’, * − Expressions: https://websec.be, https:, https://websec.be/jquery.js, *.websec.be § If absolutely necessary, you can re-enable inline scripts, styles and eval − By adding the ‘unsafe-inline’ or ‘unsafe-eval’ keywords to the directives
@PhilippeDeRyck BROWSER SUPPORT FOR CSP LEVEL 1 IS AWESOME http://caniuse.com/#search=csp
@PhilippeDeRyck WRITING SANE CSP POLICIES § Deploy CSP using the Content-Security-Policy response header − <meta> tags are a good alternative if headers are too difficult to use § Make your policy as secure as possible − Avoid ‘unsafe-inline’ and ‘unsafe-eval’ , especially for scripts − Be specific about which files you want to include to avoid bypass attacks − Define all important directives to avoid override attacks with <meta> tags § Use available tools and features to make your life easier − Google’s CSP Evaluator − Report-uri.io for policy generation & report collection https://csp-evaluator.withgoogle.com/ https://report-uri.io/
@PhilippeDeRyck RULE #3 DO NOT IGNORE THE TREMENDOUS POWER OF CSP Make sure your apps are compatible, and lock down your CSP policy
@PhilippeDeRyck THE FOCUS HERE TODAY WAS PURELY ON ANGULARJS § But there’s a lot more to building a secure application − The web has evolved a lot in the last few years − Plenty of new threats, but also plenty of new security technologies § Essential security principles to apply to your AngularJS applications − Deploy your applications over HTTPS − Use strong authentication mechanisms − Perform access control in the right places, with the right data − Protect against common threats against session management
@PhilippeDeRyck ADDITIONAL INFORMATION § I’m running a 2-day web security course on December 6 and 7 − Information and registration on https://essentials.websec.be § https://www.websec.be contains a lot of information about web security − The slides for this talk will be available there − Slide decks, videos and blog posts about various security topics − Subscribe to the mailing list to stay up to date § Feel free to contact me with feedback, questions, or speaking invitations philippe.deryck@cs.kuleuven.be /in/philippederyck
@PhilippeDeRyck THE RULES OF ANGULARJS SECURITY #3 DO NOT IGNORE THE TREMENDOUS POWER OF CSP #2 DO NOT MARK UNTRUSTED DATA AS SAFE #1 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA #0 YOU TELL ALL YOUR FRIENDS ABOUT THESE RULES!

More Related Content

PDF
Securing your EmberJS Application
Philippe De Ryck
 
PDF
Securing your AngularJS Application
Philippe De Ryck
 
PDF
Getting Single Page Application Security Right
Philippe De Ryck
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
PDF
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
PDF
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
PDF
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
PDF
How to Make Your NodeJS Application Secure (24 Best Security Tips )
Katy Slemon
 
Securing your EmberJS Application
Philippe De Ryck
 
Securing your AngularJS Application
Philippe De Ryck
 
Getting Single Page Application Security Right
Philippe De Ryck
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Francois Marier
 
Content Security Policy - Lessons learned at Yahoo
Binu Ramakrishnan
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
Web Security - CSP & Web Cryptography
Samsung Open Source Group
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
Katy Slemon
 

What's hot (20)

PDF
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
PROIDEA
 
PPTX
Phu appsec13
drewz lin
 
PDF
Content Security Policy
Ryan LaBouve
 
PDF
Its just a flesh wound
Brett Gravois
 
PDF
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
PDF
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Yosuke HASEGAWA
 
PDF
Abusing & Securing XPC in macOS apps
SecuRing
 
ODP
Csrf not-all-defenses-are-created-equal
drewz lin
 
PPTX
W3 conf hill-html5-security-realities
Brad Hill
 
PDF
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
PDF
Web App Security for Java Developers - PWX 2021
Matt Raible
 
PDF
Avoiding damage, shame and regrets data protection for mobile client-server a...
Stanfy
 
PPTX
[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses
OWASP
 
PPTX
Securing your web applications in CF 2016
Pavan Kumar
 
PDF
Preventing XSS with Content Security Policy
Ksenia Peguero
 
PPTX
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
PDF
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
PDF
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PDF
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
Arun Gupta
 
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...
PROIDEA
 
Phu appsec13
drewz lin
 
Content Security Policy
Ryan LaBouve
 
Its just a flesh wound
Brett Gravois
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
POSSCON
 
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Yosuke HASEGAWA
 
Abusing & Securing XPC in macOS apps
SecuRing
 
Csrf not-all-defenses-are-created-equal
drewz lin
 
W3 conf hill-html5-security-realities
Brad Hill
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
drewz lin
 
Web App Security for Java Developers - PWX 2021
Matt Raible
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Stanfy
 
[OPD 2019] Side-Channels on the Web:‹Attacks and Defenses
OWASP
 
Securing your web applications in CF 2016
Pavan Kumar
 
Preventing XSS with Content Security Policy
Ksenia Peguero
 
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
Arun Gupta
 
Ad

Similar to Are you botching the security of your AngularJS applications? (DevFest 2016) (20)

PDF
Web Application Security Reloaded for the HTML5 era
Carlo Bonamico
 
PDF
Web Security... Level Up
Izzet Mustafaiev
 
PDF
Internship-Report-VitulChauhan-18132023-IT_CRUD-OPERATION.pdf
VitulChauhan
 
PDF
Cloud Powered Artificial Intelligence Evolution
Mohamed Belhassen
 
PDF
Evaluating iOS Applications
iphonepentest
 
PPTX
Securing your web applications a pragmatic approach
Antonio Parata
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
PDF
So you thought you were safe using AngularJS.. Think again!
Lewis Ardern
 
PPTX
Using APIs
Akana
 
PPTX
Expo - Zero to App.pptx
😎 Anthony Kariuki
 
PDF
Sharing Best Practices and Recommendations from the Integration Battlefield
WSO2
 
PPTX
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
PDF
2014 09-04-pj
SĂ©bastien GIORIA
 
PDF
PIACERE - DevSecOps Automated
PIACERE
 
PPTX
Intro to Angular.js & Zend2 for Front-End Web Applications
TECKpert, Hubdin
 
PDF
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
DOC
S Kumar Resume
S Kumar
 
PPTX
Anjular js
Naga Dinesh
 
PPT
All Change! How the new economics of Cloud will make you think differently ab...
Steve Poole
 
PDF
JPoint Russia 2023 - TDD: from zero to hero
Elmar Dott
 
Web Application Security Reloaded for the HTML5 era
Carlo Bonamico
 
Web Security... Level Up
Izzet Mustafaiev
 
Internship-Report-VitulChauhan-18132023-IT_CRUD-OPERATION.pdf
VitulChauhan
 
Cloud Powered Artificial Intelligence Evolution
Mohamed Belhassen
 
Evaluating iOS Applications
iphonepentest
 
Securing your web applications a pragmatic approach
Antonio Parata
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
So you thought you were safe using AngularJS.. Think again!
Lewis Ardern
 
Using APIs
Akana
 
Expo - Zero to App.pptx
😎 Anthony Kariuki
 
Sharing Best Practices and Recommendations from the Integration Battlefield
WSO2
 
The End of Security as We Know It - Shannon Lietz
SeniorStoryteller
 
2014 09-04-pj
SĂ©bastien GIORIA
 
PIACERE - DevSecOps Automated
PIACERE
 
Intro to Angular.js & Zend2 for Front-End Web Applications
TECKpert, Hubdin
 
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
S Kumar Resume
S Kumar
 
Anjular js
Naga Dinesh
 
All Change! How the new economics of Cloud will make you think differently ab...
Steve Poole
 
JPoint Russia 2023 - TDD: from zero to hero
Elmar Dott
 
Ad

Recently uploaded (20)

PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Cloud computing and distributed systems.
kkkkkhan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
A Presentation on Artificial Intelligence
memembruh336
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 

Are you botching the security of your AngularJS applications? (DevFest 2016)

  • 1. @PhilippeDeRyck ARE YOU BOTCHING THE SECURITY OF YOUR ANGULARJS APPLICATIONS? Philippe De Ryck DevFest 2016, Brussels, Belgium https://www.websec.be
  • 2. @PhilippeDeRyck WHAT IS THE BIGGEST THREAT TO AN ANGULARJS APPLICATION? DEVELOPERS (THAT ARE NOT SECURITY-AWARE)
  • 3. @PhilippeDeRyck KNOWLEDGE IS KEY TO BUILDING SECURE APPLICATIONS § My goal is to help you build secure web applications − In-house training programs at various companies − Hosted web security training courses at DistriNet (KU Leuven) − Talks at various developer conferences − Slides, videos and blog posts on https://www.websec.be § I have a broad security expertise, with a focus on Web Security − PhD in client-side web security − Main author of the Primer on client-side web security − Part of the organizing committee of the SecAppDev course § I’m also a chef, so demo’s will be food-related!
  • 4. @PhilippeDeRyck CROSS-SITE SCRIPTING (XSS) § In an XSS attack, malicious content is injected into your application’s pages − In the “original” XSS attacks, an attacker injected JavaScript code − Today, injected content can be JavaScript, CSS, HTML, SVG, 

  • 5. @PhilippeDeRyck CROSS-SITE SCRIPTING (XSS) § In an XSS attack, malicious content is injected into your application’s pages − In the “original” XSS attacks, an attacker injected JavaScript code − Today, injected content can be JavaScript, CSS, HTML, SVG, 
 https://www.youtube.com/watch?v=K0noqLisW_c
  • 6. @PhilippeDeRyck CROSS-SITE SCRIPTING (XSS) § In an XSS attack, malicious content is injected into your application’s pages − In the “original” XSS attacks, an attacker injected JavaScript code − Today, injected content can be JavaScript, CSS, HTML, SVG, 
 § The real problem is that injected content runs in your context − Complete access to your client-side data and code − Ability to use any permissions the user has granted to your application − The full power of XHR to contact your backend, in the name of the user § XSS attacks are very powerful, and unfortunately very common − XSS is ranked 3rd in the OWASP top 10 and 4th in the SANS top 25
  • 8. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code <div><h3> Your search for “<i>Crazy Cats<script>alert(“Miauw!”)</script></i>” returned 5 results </h3></div> <div><h3> Your search for “$query” returned $count results </h3></div>
  • 9. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data <div><h3> Your search for “encode($query)” returned $count results </h3></div>
  • 10. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data <div><h3> Your search for “<i>Crazy Cats&lt;script&gt;alert(“Miauw!”)&lt;/script&gt;</i> returned 5 results </h3></div>
  • 11. @PhilippeDeRyck HOW DO YOU PROTECT AGAINST XSS? § The root cause behind XSS is confusion between data and code − Untrusted data is mixed with trusted code, and sent to the browser − The browser will never know which part is data and which is code § The server needs to render the data harmless − By escaping “dangerous” parts in the data § The escaping process is context-sensitive − HTML body <h1>DATA</h1> − HTML attributes <div id=‘DATA’> − Stylesheet context body { background-color: DATA;} − Script context alert(“DATA”);
  • 12. @PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS <script src=“
/angular.js”></script> 
 <div><h3> Your search for “<i>encode($query)</i>” returned $count results </h3></div>
  • 13. @PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS § But is that even possible in an AngularJS environment? <div class=”ng-app”> {{constructor.constructor(‘alert(1)’)}} </div> <div class="ng-app"> <b class="ng-style: {x:constructor.constructor('alert(1)')()};" /> </div>
  • 14. @PhilippeDeRyck SO, WHAT’S THE DEAL WITH ANGULARJS? § AngularJS is often used as a library within traditional applications − The server builds an HTML page, including AngularJS templates − The server needs to render user-supplied data harmless to protect against XSS § But is that even possible in an AngularJS environment? − No § AngularJS attempted to prevent this with the expression sandbox − Prevents direct access to global JavaScript functionality − Impossible to lock down completely, so only available in AngularJS 1.2 - 1.6 − Angular2 offers offline template compilation
  • 15. @PhilippeDeRyck RULE #1 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA ON THE SERVER Provide the data separately to the client-side AngularJS application
  • 16. @PhilippeDeRyck AND WHAT IF WE DO IT THE ANGULAR WAY? § Remember the confusion between data and code? − Templates and JavaScript code are considered the application’s code − Data fetched from APIs is considered data § AngularJS knows which parts are untrusted − And automatically applies Strict Contextual Escaping (SCE) − SCE applies to all data bindings with ng-bind or {{ }} − SCE is on-by-default since version 1.2 § But what if we actually want to allow some HTML in the user’s data?
  • 19. @PhilippeDeRyck ALL IS GREAT 
 UNTIL YOU GET A CALL ONE EVENING What, no way! What happened? Did they steal our data? No, it’s worse! Much worse! They loaded the EmberJS library! We’ve been hacked! Then what?!
  • 20. @PhilippeDeRyck LET’S INVESTIGATE THE STACKOVERFLOW ADVICE 
 https://docs.angularjs.org/api/ng/service/$sce https://docs.angularjs.org/error/$sce/unsafe
  • 21. @PhilippeDeRyck LETTING ANGULARJS 1.X DO THE WORK FOR YOU § Simple data will be encoded for the right context with SCE § AngularJS will not allow you to directly use untrusted data § Sanitizing untrusted data makes it safe to use § Static HTML snippets can be marked as safe if absolutely necessary <p>{{var}}</p>var = “test<script>alert(1)</script>” <p ng-bind-html=“var”></p><input ng-model=“var” /> <input ng-model=“var” /> angular.module(“
”, [‘ngSanitize’] <p ng-bind-html=“var”></p> <p ng-bind-html=“var”></p>var = $sce.trustAsHtml(“<b>test</b>)”
  • 22. @PhilippeDeRyck AND IT’S EVEN BETTER IN ANGULARJS 2.X § All data is sanitized by default § Static HTML snippets can be marked as safe if absolutely necessary <input ng-model=“var” /> <p>{{var}}</p> <p>{{var}}</p>var = domSanitizer.bypassSecurityTrustHtml(“<b>test</b>)”
  • 24. @PhilippeDeRyck RULE #2 DO NOT MARK UNTRUSTED DATA AS SAFE Use the built-in sanitizer to remove dangerous features from the untrusted data
  • 25. @PhilippeDeRyck XSS VULNERABILITIES WILL POP UP EVENTUALLY § You can deploy a second line of defense with Content Security Policy − Server-driven browser-enforced security policy − In case there is an XSS attack, the script will be severely constrained or even blocked − CSP evolved to an extensive and powerful browser security policy § CSP locks down what can happen in a web page − Refuses to execute inline script and style − Only loads external resources if they are explicitly whitelisted § CSP has severe incompatibility problems with traditional web applications − But is easy to deploy on an AngularJS application
  • 26. @PhilippeDeRyck A QUICK OVERVIEW OF CSP’S DIRECTIVES § CSP has directives for all kinds of resources − default-src applies to any resource, if there’s no more specific directive − img-src, script-src, style-src, 
 § A directive can have numerous valid values − Keywords: ‘none’, ‘self’, * − Expressions: https://websec.be, https:, https://websec.be/jquery.js, *.websec.be § If absolutely necessary, you can re-enable inline scripts, styles and eval − By adding the ‘unsafe-inline’ or ‘unsafe-eval’ keywords to the directives
  • 27. @PhilippeDeRyck BROWSER SUPPORT FOR CSP LEVEL 1 IS AWESOME http://caniuse.com/#search=csp
  • 28. @PhilippeDeRyck WRITING SANE CSP POLICIES § Deploy CSP using the Content-Security-Policy response header − <meta> tags are a good alternative if headers are too difficult to use § Make your policy as secure as possible − Avoid ‘unsafe-inline’ and ‘unsafe-eval’ , especially for scripts − Be specific about which files you want to include to avoid bypass attacks − Define all important directives to avoid override attacks with <meta> tags § Use available tools and features to make your life easier − Google’s CSP Evaluator − Report-uri.io for policy generation & report collection https://csp-evaluator.withgoogle.com/ https://report-uri.io/
  • 29. @PhilippeDeRyck RULE #3 DO NOT IGNORE THE TREMENDOUS POWER OF CSP Make sure your apps are compatible, and lock down your CSP policy
  • 30. @PhilippeDeRyck THE FOCUS HERE TODAY WAS PURELY ON ANGULARJS § But there’s a lot more to building a secure application − The web has evolved a lot in the last few years − Plenty of new threats, but also plenty of new security technologies § Essential security principles to apply to your AngularJS applications − Deploy your applications over HTTPS − Use strong authentication mechanisms − Perform access control in the right places, with the right data − Protect against common threats against session management
  • 31. @PhilippeDeRyck ADDITIONAL INFORMATION § I’m running a 2-day web security course on December 6 and 7 − Information and registration on https://essentials.websec.be § https://www.websec.be contains a lot of information about web security − The slides for this talk will be available there − Slide decks, videos and blog posts about various security topics − Subscribe to the mailing list to stay up to date § Feel free to contact me with feedback, questions, or speaking invitations [email protected] /in/philippederyck
  • 32. @PhilippeDeRyck THE RULES OF ANGULARJS SECURITY #3 DO NOT IGNORE THE TREMENDOUS POWER OF CSP #2 DO NOT MARK UNTRUSTED DATA AS SAFE #1 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA #0 YOU TELL ALL YOUR FRIENDS ABOUT THESE RULES!