AngularJS Security
- Former user (Deleted)
Owned by Former user (Deleted)
AngularJS security can be difficult to implement, watch some of the caveats of implementing security.
Videos
These talks are very informative and would give an idea of the challenges involved in securing AngularJS:
NG-OWASP Top 10 for AngularJS Applications by by Kevin Hakanson
An Abusive Relationship with AngularJS by Mario Heiderich
Access Control Issues:
An excerpt from https://docs.angularjs.org/guide/security:
"If an attacker has access to control Angular templates or expressions, they can exploit an Angular application via an XSS attack, regardless of the version.
There are a number of ways that templates and expressions can be controlled:
- Generating Angular templates on the server containing user-provided content. This is the most common pitfall where you are generating HTML via some server-side engine such as PHP, Java or ASP.NET.
- Passing an expression generated from user-provided content in calls to the following methods on a scope:
- $watch(userContent, ...)
- $watchGroup(userContent, ...)
- $watchCollection(userContent, ...)
- $eval(userContent)
- $evalAsync(userContent)
- $apply(userContent)
- $applyAsync(userContent)
- Passing an expression generated from user-provided content in calls to services that parse expressions:
- $compile(userContent)
- $parse(userContent)
- $interpolate(userContent)
- Passing an expression generated from user provided content as a predicate to orderBy pipe:
value | orderBy : userContent"