SECURITY TIPS FOR ANGULAR.JS APPLICATION DEVELOPER
WHAT IS ANGULAR.JS?Angular.js is an application name estranged into two parts Angular and .JS. Angular defined as the significant meaning of having one or more angles. As well, .js is an extension name of JavaScript, the platform for this framework. It is built on the belief that declarative programming should be used to create user interfaces and connect software components, while imperative programming is better suited to define an application’s business logic
WHY ANGULAR.JS?
Angular.js is used to create a front-end web application framework or RIA (Rich Internet Application). It is the Open source and has some most important core features. Also, it aims to simplify both the development and the testing of such applications by providing a framework for client-side Model View Controller (MVC) and Model View View Model (MVVM) architecture. As we are going to develop web-based applications using AngularJS, it will be good if you have a basic understanding of other web technologies such as HTML, CSS, AJAX, etc.
Following are the most important core features of AngularJS 
A single-page application (SPA) is a web application or website that interacts with the handler by dynamically altering the current page rather than loading entire new pages from a server. This methodology avoids disruption of the user experience between uninterrupted pages, making the application behave more like a desktop application.
Angular.js is used to create a front-end web application framework or RIA (Rich Internet Application). It is the Open source and has some most important core features. Also, it aims to simplify both the development and the testing of such applications by providing a framework for client-side Model View Controller (MVC) and Model View View Model (MVVM) architecture. As we are going to develop web-based applications using AngularJS, it will be good if you have a basic understanding of other web technologies such as HTML, CSS, AJAX, etc.
Following are the most important core features of AngularJS
A single-page application (SPA) is a web application or website that interacts with the handler by dynamically altering the current page rather than loading entire new pages from a server. This methodology avoids disruption of the user experience between uninterrupted pages, making the application behave more like a desktop application.
THE SCOPE OF ANGULAR.JS SECURITY:
The angular route is a javascript code block. An Attacker can download and know that how your client side route is working. So, Angular app security scope always lies in client-side browser
We will see the vulnerabilities for software flaws and human source code (human errors) in angular.js
The angular route is a javascript code block. An Attacker can download and know that how your client side route is working. So, Angular app security scope always lies in client-side browser
We will see the vulnerabilities for software flaws and human source code (human errors) in angular.js
COMMON SECURITY ISSUES WITH ANGULAR JS:
Angular.js package affected some of the following most common vulnerabilities.
- JSONP Callback Attack
- Bypass Content Security Policy (CSP)
- Arbitrary Script Injection
- Cross Site Scripting (XSS)
- Clickjacking
- Arbitrary Code Execution
- Arbitrary Command Execution
- Unsafe Object Deserialization
- Protection Bypass
Angular.js package affected some of the following most common vulnerabilities.
- JSONP Callback Attack
- Bypass Content Security Policy (CSP)
- Arbitrary Script Injection
- Cross Site Scripting (XSS)
- Clickjacking
- Arbitrary Code Execution
- Arbitrary Command Execution
- Unsafe Object Deserialization
- Protection Bypass
JSONP CALLBACK ATTACK:
- JSONP (JSON with padding) is a method used to request data from a server residing in a different domain than the client.
- Any URL could perform JSONP requests, allowing full access to the browser and the JavaScript context. This can lead to Cross-site Scripting.
- JSONP (JSON with padding) is a method used to request data from a server residing in a different domain than the client.
- Any URL could perform JSONP requests, allowing full access to the browser and the JavaScript context. This can lead to Cross-site Scripting.
BYPASS CONTENT SECURITY POLICY (CSP):
Extension URIs (resource://…) bypass Content-Security-Policy in Chrome and Firefox can always be loaded. Now if a site already has an XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular’s Auto-bootstrapping can be used to bypass the victim site’s CSP protection.
Extension URIs (resource://…) bypass Content-Security-Policy in Chrome and Firefox can always be loaded. Now if a site already has an XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular’s Auto-bootstrapping can be used to bypass the victim site’s CSP protection.
ARBITRARY SCRIPT INJECTION:
- AngularJS is affected Arbitrary Script Injection, link[href] attributes were not protected via $sce, which prevents interpolated values that fail the RESOURCE_URL context tests from being used in the interpolation. For example, if the application is running at https://docs.angularjs.org then the following will fail:
<link href="{{ 'http://mydomain.org/unsafe.css' }}" rel="stylesheet">
- By default, RESOURCE_URL safe URLs are only allowed from the same domain and protocol as the application document.
- AngularJS is affected Arbitrary Script Injection, link[href] attributes were not protected via $sce, which prevents interpolated values that fail the RESOURCE_URL context tests from being used in the interpolation. For example, if the application is running at https://docs.angularjs.org then the following will fail:
<link href="{{ 'http://mydomain.org/unsafe.css' }}" rel="stylesheet">
- By default, RESOURCE_URL safe URLs are only allowed from the same domain and protocol as the application document.
CROSS SITE SCRIPTING (XSS):
AngularJS is vulnerable to Cross-site Scripting (XSS) due to the usemap attribute not being blacklisted.
AngularJS is vulnerable to Cross-site Scripting (XSS) due to the usemap attribute not being blacklisted.
CLICKJACKING:
AngularJS is affected to clickjacking, By enabling the SVG setting without taking other precautions, you might expose your application to click-hijacking attacks. In these attacks, sanitized SVG elements could be positioned outside of the containing element and be rendered over other elements on the page (e.g. a login link). Such behavior can then result in phishing incidents.
To protect against these, explicitly setup overflow: hidden css rule for all potential SVG tags within the sanitized content:
.rootOfTheIncludedContent svg { overflow: hidden !important; }
AngularJS is affected to clickjacking, By enabling the SVG setting without taking other precautions, you might expose your application to click-hijacking attacks. In these attacks, sanitized SVG elements could be positioned outside of the containing element and be rendered over other elements on the page (e.g. a login link). Such behavior can then result in phishing incidents.
To protect against these, explicitly setup overflow: hidden css rule for all potential SVG tags within the sanitized content:
.rootOfTheIncludedContent svg { overflow: hidden !important; }
ARBITRARY CODE EXECUTION:
Angular is an open-source JavaScript framework, maintained by Google, that assists with running single-page applications with the goal of making development and testing easier by augmenting browser-based applications with model–view–controller (MVC) capability. Affected versions of the package are vulnerable to Arbitrary Code Execution via unsafe SVG animation tags.
Exploit Example:
<svg>
<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?">
<circle r="400"></circle>
<animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" />
</a>
</svg>
Here the anchor’s href is animated, starting from a value that’s a javascript URI. This allows execution of arbitrary javascript in the process. Preventing only the animation of links is tricky, as SVG is weird and namespaces aren’t predictable. The fix is to have the sanitizer filter out SVG animation tags instead.
Angular is an open-source JavaScript framework, maintained by Google, that assists with running single-page applications with the goal of making development and testing easier by augmenting browser-based applications with model–view–controller (MVC) capability. Affected versions of the package are vulnerable to Arbitrary Code Execution via unsafe SVG animation tags.
Exploit Example:
<svg> <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="?"> <circle r="400"></circle> <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" to="&" /> </a> </svg>
Here the anchor’s href is animated, starting from a value that’s a javascript URI. This allows execution of arbitrary javascript in the process. Preventing only the animation of links is tricky, as SVG is weird and namespaces aren’t predictable. The fix is to have the sanitizer filter out SVG animation tags instead.
ARBITRARY COMMAND EXECUTION:
One of the angularjs affected versions of the package is vulnerable to Arbitrary Command Injection due to the assignment functions accessing constructors functions, allowing attackers to execute their malicious code.
One of the angularjs affected versions of the package is vulnerable to Arbitrary Command Injection due to the assignment functions accessing constructors functions, allowing attackers to execute their malicious code.
UNSAFE OBJECT DESERIALIZATION:
AngularJs affected versions of the package are vulnerable to Unsafe Object Deserialization.
The exploitable code:
hasOwnProperty.constructor.prototype.valueOf = valueOf.call;
["a", "alert(1)"].sort(hasOwnProperty.constructor);
The exploit:
- sort takes a comparison function and passes it 2 parameters to compare.
- It then calls .valueOf() if the result is not a primitive.
- The Function object conveniently accepts two string arguments, it can be used to construct a function. However, this doesn’t do much unless it can be executed.
- The valueOf function on Function.prototype was set to Function.prototype.call. This causes the function constructed to be executed when sort calls .valueOf() on the result of the comparison.
AngularJs affected versions of the package are vulnerable to Unsafe Object Deserialization.
The exploitable code:
hasOwnProperty.constructor.prototype.valueOf = valueOf.call; ["a", "alert(1)"].sort(hasOwnProperty.constructor);
The exploit:
- sort takes a comparison function and passes it 2 parameters to compare.
- It then calls .valueOf() if the result is not a primitive.
- The Function object conveniently accepts two string arguments, it can be used to construct a function. However, this doesn’t do much unless it can be executed.
- The valueOf function on Function.prototype was set to Function.prototype.call. This causes the function constructed to be executed when sort calls .valueOf() on the result of the comparison.
PROTECTION BYPASS:
AngularJS affected version of the package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc allowing binding to Javascript. The fix was to require bindings to form[action] to be $sce.RESOURCE_URL and bindings to iframe[srcdoc] to be $sce.HTML
AngularJS affected version of the package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc allowing binding to Javascript. The fix was to require bindings to form[action] to be $sce.RESOURCE_URL and bindings to iframe[srcdoc] to be $sce.HTML
MITIGATING COMMON VULNERABILITIES IN ANGULAR JS:
- Updating the latest package version of AngularJS.
- Monthly checks the software updates for the future.
- Must install updates or upgrades the latest patches regularly.
- Also, check the Angular changelog for other security-related updates.
- Updating the latest package version of AngularJS.
- Monthly checks the software updates for the future.
- Must install updates or upgrades the latest patches regularly.
- Also, check the Angular changelog for other security-related updates.
VERSION:
The AngularJS is the concept of a component-based application architecture. As well as many developers believed and also it provided additional security, despite numerous vulnerabilities that had been discovered that bypassed the sandbox. So the current stable release of AngularJS is (1.6.6).
The AngularJS is the concept of a component-based application architecture. As well as many developers believed and also it provided additional security, despite numerous vulnerabilities that had been discovered that bypassed the sandbox. So the current stable release of AngularJS is (1.6.6).
INJECTION ATTACKS ON ANGULAR JS:
THE METHODOLOGY OF TEMPLATE INJECTION:
We have defined the following methodology to capture an efficient attack process, based on my experience auditing a range of vulnerable applications and template engines:
We have defined the following methodology to capture an efficient attack process, based on my experience auditing a range of vulnerable applications and template engines:
SERVER-SIDE TEMPLATE INJECTION:
- The server is a mechanism to store data and code. So, it must not generate templates based on user inputs and it allows users to inject template directives. It is implemented in the logic of Javascript.
- Template injection vulnerabilities can be very serious and can lead to complete compromise of the application’s data and functionality, and often of the server that is hosting the application.
- The server is a mechanism to store data and code. So, it must not generate templates based on user inputs and it allows users to inject template directives. It is implemented in the logic of Javascript.
- Template injection vulnerabilities can be very serious and can lead to complete compromise of the application’s data and functionality, and often of the server that is hosting the application.
IMPACT:
An attacker using malicious template directives may able to execute arbitrary code and take full control of the web server. Also, possible to use the server as a platform for further attacks against other systems.
An attacker using malicious template directives may able to execute arbitrary code and take full control of the web server. Also, possible to use the server as a platform for further attacks against other systems.
PREVENTION:
- It is recommended to define your Angular templates statically and populate your templates through data bindings on the client-side.
- Don’t dynamically generate angular templates on the server side.
- Templates should not be created from the user-controlled User input should be passed to the template using template parameters.
- It is recommended to define your Angular templates statically and populate your templates through data bindings on the client-side.
- Don’t dynamically generate angular templates on the server side.
- Templates should not be created from the user-controlled User input should be passed to the template using template parameters.
CLIENT-SIDE TEMPLATE INJECTION:
- When applications using a client-side template framework dynamically embed user input in web pages. When a web page is rendered. So that the framework will scan the page for template expressions, and execute any that it encounters.
- By using curly braces it’s possible to inject AngularJS expressions in the AngularJS client-side template that is being used by the application. These expressions will be evaluated on the client-side by AngularJS and when combined with a sandbox escape.
- When applications using a client-side template framework dynamically embed user input in web pages. When a web page is rendered. So that the framework will scan the page for template expressions, and execute any that it encounters.
- By using curly braces it’s possible to inject AngularJS expressions in the AngularJS client-side template that is being used by the application. These expressions will be evaluated on the client-side by AngularJS and when combined with a sandbox escape.
IMPACT:
- An attacker can exploit this by supplying a malicious template expression that launches a cross-site scripting (XSS) attack. As with normal cross-site scripting, the attacker-supplied code can perform a wide variety of actions, such as stealing the victim’s session token or login credentials, performing arbitrary actions on the victim’s behalf, and logging their keystrokes.
- Client-side template frameworks often implement a sandbox aimed at hindering the direct execution of arbitrary JavaScript from within a template expression. However, these sandboxes are not intended to be a security control and can normally be bypassed.
- An attacker can exploit this by supplying a malicious template expression that launches a cross-site scripting (XSS) attack. As with normal cross-site scripting, the attacker-supplied code can perform a wide variety of actions, such as stealing the victim’s session token or login credentials, performing arbitrary actions on the victim’s behalf, and logging their keystrokes.
- Client-side template frameworks often implement a sandbox aimed at hindering the direct execution of arbitrary JavaScript from within a template expression. However, these sandboxes are not intended to be a security control and can normally be bypassed.
PREVENTION:
- avoid using server-side code to dynamically embed user input into client-side templates. If this is not practical, consider filtering out template expression syntax from user input prior to embedding it within client-side templates.
- HTML-encoding is not sufficient to prevent client-side template injection attacks because frameworks perform an HTML-decode of relevant content prior to locating and executing template expressions.
- It recommends to treat either curly braces in user input as highly dangerous or avoid server-side reflection of user input entirely.
- avoid using server-side code to dynamically embed user input into client-side templates. If this is not practical, consider filtering out template expression syntax from user input prior to embedding it within client-side templates.
- HTML-encoding is not sufficient to prevent client-side template injection attacks because frameworks perform an HTML-decode of relevant content prior to locating and executing template expressions.
- It recommends to treat either curly braces in user input as highly dangerous or avoid server-side reflection of user input entirely.
BEST PRACTICES FOR SECURING ANGULARJS :
- JSON vulnerability allows third-party website to turn your JSON resource URL into JSONP request under some conditions. It is recommended to prefix all JSON requests with the following string “)]}’,\n”. Angular will automatically strip the prefix before processing it as JSON.
- Angular provides a mechanism to prevent XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF – TOKEN) and sets it as an HTTP header (X – XSRF – TOKEN). The header will not be set for Cross-domain
- The HTML compiler will escape all {{}} & ng-bind by default. So you must include user-generated HTML. (e.g) rich text editors. Take advantage of the services and directives. ng-bind-HTMLhtml (from angular-sanitize)
- Print as is removing “script” tags (beware of img tags). Fully customizable with $sceProvider & $SanitizeProvider.
- It is possible to browser-based MITM( Man-In-The-Middle) attack. The same attacker can put arbitrary code execution in your browser. So ensures HTTPS Everywhere.
- Avoid using Allow-Origin “*”, Unless you have very strong authentication and authorization.
- The SPA authorization is still up to the server to see the below rules are as follows. Also, it is applied to input validation.
- Examining the authentication state
- Examining profile and inferring permissions
- Enabling Privileged actions
- Filtering confidential data
- The code which actually runs in our application is libraries and components. So check dependencies for both client and server vulnerabilities. CONTENT SECURITY POLICY:
- JSON vulnerability allows third-party website to turn your JSON resource URL into JSONP request under some conditions. It is recommended to prefix all JSON requests with the following string “)]}’,\n”. Angular will automatically strip the prefix before processing it as JSON.
- Angular provides a mechanism to prevent XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF – TOKEN) and sets it as an HTTP header (X – XSRF – TOKEN). The header will not be set for Cross-domain
- The HTML compiler will escape all {{}} & ng-bind by default. So you must include user-generated HTML. (e.g) rich text editors. Take advantage of the services and directives. ng-bind-HTMLhtml (from angular-sanitize)
- Print as is removing “script” tags (beware of img tags). Fully customizable with $sceProvider & $SanitizeProvider.
- It is possible to browser-based MITM( Man-In-The-Middle) attack. The same attacker can put arbitrary code execution in your browser. So ensures HTTPS Everywhere.
- Avoid using Allow-Origin “*”, Unless you have very strong authentication and authorization.
- The SPA authorization is still up to the server to see the below rules are as follows. Also, it is applied to input validation.
- Examining the authentication state
- Examining profile and inferring permissions
- Enabling Privileged actions
- Filtering confidential data
- The code which actually runs in our application is libraries and components. So check dependencies for both client and server vulnerabilities. CONTENT SECURITY POLICY:
Content Security Policy (CSP) is an additional layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. The browsers also support for Content Security Policy (CSP).
Angular js Emerged as one of the most powerful platform has the ability to streamline the development process and make more responsive web applications. With the popularity these frameworks comes the confusion about the security issues making the application vulnerable.
We BriskInfosec Solution are providing various security and penetration services for safe guarding your business
Content Security Policy (CSP) is an additional layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. The browsers also support for Content Security Policy (CSP).
Angular js Emerged as one of the most powerful platform has the ability to streamline the development process and make more responsive web applications. With the popularity these frameworks comes the confusion about the security issues making the application vulnerable.
We BriskInfosec Solution are providing various security and penetration services for safe guarding your business
Posts
