- Description: An attacker injects malicious AngularJS expressions into user-controlled data that is then rendered by AngularJS templates. By crafting specific payloads within user inputs, the attacker can execute arbitrary JavaScript code within the victim's browser when the template is processed due to AngularJS's expression evaluation within data binding.
- Impact: Cross-Site Scripting (XSS). This can lead to account takeover, data theft, malware distribution, and defacement.
- AngularJS Component Affected:
- Templates (
{{ ... }}) - Data Binding
- Expressions
- Templates (
- Risk Severity: Critical
- Mitigation Strategies:
- Strict Contextual Escaping (SCE): Enable and utilize AngularJS's SCE service to sanitize and escape data before rendering it in templates.
- Sanitize User Input: Thoroughly sanitize all user-provided data on both client-side and server-side before using it in AngularJS templates.
- Avoid
ng-bind-html: Minimize or eliminate the use ofng-bind-htmland similar directives that render raw HTML. If necessary, use a trusted HTML sanitization library. - Content Security Policy (CSP): Implement a strict CSP to limit the sources of executable code and restrict JavaScript capabilities.
Threat: AngularJS Expression Injection
- Description: An attacker injects malicious AngularJS expressions into user input that is directly evaluated using AngularJS services like
$parseor$eval. By providing crafted strings as input, the attacker can force AngularJS to execute arbitrary JavaScript code within the application's context. - Impact: Remote Code Execution (within the browser). Similar impacts to CSTI, including account takeover, data theft, malware distribution, and defacement.
- AngularJS Component Affected:
$parseservice$evalservice- Expressions
- Risk Severity: Critical
- Mitigation Strategies:
- Avoid
$evaland$parsewith User Input: Never directly pass user-controlled strings to$evalor$parsefor expression evaluation. - Input Validation and Sanitization: If dynamic expression evaluation is unavoidable, rigorously validate and sanitize user input to remove or neutralize potentially malicious expressions.
- Restrict Expression Language: Consider using a more restricted or sandboxed expression language if dynamic evaluation is required.
- Principle of Least Privilege: Design application logic to minimize or eliminate the need for dynamic expression evaluation based on user input.
- Avoid
- Description: Custom AngularJS directives and components can contain security vulnerabilities if not developed with security in mind. These vulnerabilities can include XSS within directive templates, or logic flaws in controllers that can be exploited. Attackers can exploit these vulnerabilities by interacting with the vulnerable directives or components in a malicious way.
- Impact:
- Cross-Site Scripting (XSS) if templates are vulnerable.
- Logic flaws leading to unauthorized actions or information disclosure.
- AngularJS Component Affected:
- Custom Directives
- Custom Components (if applicable in AngularJS 1.x context)
- Directive Templates
- Directive Controllers
- Risk Severity: High (can be critical depending on the vulnerability and directive functionality)
- Mitigation Strategies:
- Secure Coding Practices for Directives: Follow secure coding guidelines when developing custom directives and components, including input validation, output encoding, and secure state management.
- Security Reviews and Testing: Conduct regular security reviews and penetration testing specifically targeting custom directives and components.
- Code Reviews: Implement mandatory code reviews for all custom directive and component code.
- Component Libraries from Trusted Sources: If using external directive/component libraries, choose them from reputable and actively maintained sources, and review their code for potential vulnerabilities.