Vulnerabilities in angular js framework
What is angularjs ?
Angular JS is a framework by Google (originally developed by Misko Hevery and Adam Abrons) which helps us in building powerful Web Apps. It is a framework to build large scale and high performance web application while keeping them as easy-to-maintain.
Vulnerabilities in angular js
Security Policy (CSP) Bypass: Affected versions of the package are vulnerable to CSP Bypass. Extension URIs (resource://…) bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. Now if a site already has a XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular’s auto-bootstrapping can be used to bypass the victim site’s CSP protection.
Cross-site Scripting (XSS): angular is an HTML enhanced for web apps.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via ideographic space chararcters in URIs.
var innerHTML = h1.innerHTML;
h1.innerHTML = innerHTML;
The sanitizer contains a bit of code that triggers this mutation on an inert piece of DOM, before angular sanitizes it.
Cross-site Scripting (XSS): angularjs is a toolset for building the framework suited to your application development.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through SVG files if enableSvg is set.
• Use Angular, as it is a very secure framework:
– Contextually-aware encoding
– Strict contextual escaping
– CSP compatible
• Do not mix server-side and client-side templates
• Do not directly use user-input in expressions
• Check plugins for security issues and use the latest version
• Embrace the Angular Migration from 1 to 4.
At Valency Networks, we understand your web application and perform framework specific checks mentioned above. Our expertise in this matter enables us to be very accurate in terms of our vulnerability finding