Hitachi Vantara Pentaho Community Wiki
Child pages
  • AngularJS Security
Skip to end of metadata
Go to start of metadata

AngularJS security can be difficult to implement, watch some of the caveats of implementing security.

Videos

These talks are very informative and would give an idea of the challenges involved in securing AngularJS:

NG-OWASP Top 10 for AngularJS Applications by by Kevin Hakanson

An Abusive Relationship with AngularJS by Mario Heiderich

Access Control Issues:

An excerpt from https://docs.angularjs.org/guide/security:

"If an attacker has access to control Angular templates or expressions, they can exploit an Angular application via an XSS attack, regardless of the version.

There are a number of ways that templates and expressions can be controlled:

  • Generating Angular templates on the server containing user-provided content. This is the most common pitfall where you are generating HTML via some server-side engine such as PHP, Java or ASP.NET.
  • Passing an expression generated from user-provided content in calls to the following methods on a scope:
    • $watch(userContent, ...)
    • $watchGroup(userContent, ...)
    • $watchCollection(userContent, ...)
    • $eval(userContent)
    • $evalAsync(userContent)
    • $apply(userContent)
    • $applyAsync(userContent)
  • Passing an expression generated from user-provided content in calls to services that parse expressions:
    • $compile(userContent)
    • $parse(userContent)
    • $interpolate(userContent)
  • Passing an expression generated from user provided content as a predicate to orderBy pipe: value | orderBy : userContent "

Reference

https://docs.angularjs.org/guide/security

  • No labels