Use of Angular JS and Cross Site Scripting
Publish date: Jun 19, 2019
Just because a team is using Angular JS doesn't mean they are secure from XSS. In fact, adding Angular JS to a webpage where you were already doing HTML escaping to avoid XSS can make that page vulnerable to XSS: the escaping neutralises angle brackets and quotes but leaves Angular's {{ }} expression markers intact, so user input that reaches an Angular-compiled part of the page is evaluated as an expression.
Angular JS has removed sandboxing of expressions.
“In Angular 1.6 we removed this sandbox as developers kept relying upon it as a security feature even though it was always possible to access arbitrary JavaScript code if one could control the Angular templates or expressions of applications.”
The Angular security guide (https://docs.angularjs.org/guide/security) lists the following known ways of shooting yourself in the foot when depending on Angular for displaying user input:
- Generating Angular templates on the server containing user-provided content. This is the most common pitfall, where you are generating HTML via some server-side engine such as PHP, Java or ASP.NET.
- Passing an expression generated from user-provided content in calls to the following methods on a scope:
  $watch(userContent, ...)
  $watchGroup(userContent, ...)
  $watchCollection(userContent, ...)
  $eval(userContent)
  $evalAsync(userContent)
  $apply(userContent)
  $applyAsync(userContent)
- Passing an expression generated from user-provided content in calls to services that parse expressions:
  $compile(userContent)
  $parse(userContent)
  $interpolate(userContent)
- Passing an expression generated from user-provided content as a predicate to the orderBy pipe:
  {{ value | orderBy : userContent }}
Examples of using Angular JS expressions for XSS despite the presence of HTML escaping: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
An example XSS input to try is:
{{x={'y':''.constructor.prototype};x['y'].charAt=[].join;$eval('x=alert(1)');}}