Skip to content

Latest commit

 

History

History
135 lines (104 loc) · 9.82 KB

mitigations.md

File metadata and controls

135 lines (104 loc) · 9.82 KB

Mitigation Strategies Analysis for angular/angular.js

Mitigation Strategy: Strict Contextual Escaping (SCE) and Sanitization (AngularJS-Specific)

  • Description:

    1. Identify all AngularJS interpolation points: Locate all instances in your templates using double curly braces {{ }} or AngularJS directives like ng-bind, ng-bind-html, ng-include, ng-src, ng-href, etc.
    2. Categorize data sources: Determine if the data is user input, API data, or hardcoded.
    3. Apply appropriate $sce methods:
      • Use $sce.trustAsHtml(), $sce.trustAsUrl(), $sce.trustAsJs() only when absolutely necessary and with thoroughly validated, trusted input. Prioritize built-in directives.
      • Prefer ng-bind (for plain text) or ng-bind-html (for HTML, with sanitization) over direct interpolation or DOM manipulation.
    4. Implement a sanitization library (DOMPurify) within an AngularJS service or filter:
      • Create an AngularJS filter: 
        angular.module('myApp').filter('sanitizeHtml', ['$sce', function($sce) {
    return function(input) {
        return $sce.trustAsHtml(DOMPurify.sanitize(input));
    };            }]);
      • Use the filter with ng-bind-html: <div ng-bind-html="myUntrustedHtml | sanitizeHtml"></div>
    5. Configure a whitelist within the AngularJS filter: Configure DOMPurify to allow only specific HTML tags and attributes. Example: 
      DOMPurify.sanitize(input, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p', 'br'],
    ALLOWED_ATTR: ['href', 'title']
});
    6. Regularly review AngularJS code: Periodically review all uses of $sce and sanitization within your AngularJS components and services.
    7. Avoid ng-bind-html-unsafe: Remove or refactor any instances of this directive within your AngularJS application.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) via AngularJS Expressions (CSTI): Severity: High. Exploits AngularJS's expression evaluation to inject malicious scripts.
    • AngularJS Sandbox Escapes (related to XSS): Severity: High. Bypasses the AngularJS sandbox to execute arbitrary code.

  • Impact:

    • XSS: Reduces XSS risk significantly (High to Low/Medium).
    • Sandbox Escapes: Reduces impact of escapes (High to Medium).

  • Currently Implemented: [Example: Implemented in the AngularJS productDetail component using the sanitizeHtml filter. $sce is used correctly in the AngularJS userProfile service.]

  • Missing Implementation: [Example: Missing in the AngularJS blogComments component. Also missing in the AngularJS adminDashboard where API data is rendered without sanitization.]

Mitigation Strategy: Avoid Dynamic Template Compilation with User Input (AngularJS $compile)

  • Description:

    1. Identify uses of $compile in AngularJS code: Search your AngularJS codebase for all instances of $compile.
    2. Analyze the template source: Determine where the template string passed to $compile originates.
    3. Refactor if necessary (AngularJS-specific):
      • If the template string includes any user input, refactor the AngularJS code to avoid $compile.
      • Use AngularJS directives, components, or ng-include with static templates instead.
      • If dynamic templates are essential, ensure the template structure is hardcoded and only data within the template is dynamic (and properly sanitized using AngularJS's $sce and a sanitizer).

  • Threats Mitigated:

    • Cross-Site Scripting (XSS) via AngularJS Expressions (CSTI): Severity: High. Dynamic template compilation with user input is extremely dangerous.
    • AngularJS Sandbox Escapes: Severity: High. Increases the attack surface.

  • Impact:

    • XSS: Eliminates risk from this vector (High to None).
    • Sandbox Escapes: Reduces likelihood (High to Medium).

  • Currently Implemented: [Example: Removed all uses of $compile with user input in AngularJS code. $compile is only used for a trusted internal AngularJS template.]

  • Missing Implementation: [Example: None. Policy against using $compile with user input in AngularJS.]

Mitigation Strategy: Prototype Pollution Prevention (AngularJS-Specific Considerations)

  • Description:

    1. Identify Object Modification in AngularJS: Locate areas where objects are created, modified, or merged, especially involving user input or data binding in AngularJS.
    2. Freeze/Seal Critical AngularJS Objects: Use Object.freeze() or Object.seal() on objects that should not be tampered with, particularly after they are passed to AngularJS's data binding system.
    3. Validate and Sanitize Input (AngularJS Context): Before using user input to create or modify objects that will be used with AngularJS's data binding, validate and sanitize.
    4. Safe Object Merging (AngularJS-Specific):
      • Avoid using angular.extend() or angular.copy() directly with untrusted data that will be used in AngularJS's data binding.
      • If merging is necessary within AngularJS, use a safe deep-merge function or implement a custom deep-copy function that explicitly avoids modifying the prototype.
    5. Review Third-Party AngularJS Libraries: Examine any third-party AngularJS libraries for potential prototype pollution vulnerabilities.

  • Threats Mitigated:

    • Prototype Pollution: Severity: Medium to High. Can lead to DoS, unexpected behavior, or potentially RCE.

  • Impact:

    • Prototype Pollution: Significantly reduces risk (Medium/High to Low).

  • Currently Implemented: [Example: Object.freeze() is used on the AngularJS application configuration object. We use a custom deep-copy function.]

  • Missing Implementation: [Example: Review the AngularJS userData service, where user profile data is merged. Implement a safe merge function.]

Mitigation Strategy: Denial of Service (DoS) Prevention via Digest Cycle Optimization (AngularJS-Specific)

  • Description:

    1. Profile your AngularJS application: Use Batarang or browser tools to identify digest cycle bottlenecks.
    2. Minimize AngularJS watchers:
      • Use one-time binding (::) for data that doesn't change.
      • Avoid watchers on $rootScope whenever possible.
      • Use track by with ng-repeat in AngularJS templates.
      • Consolidate AngularJS watchers.
    3. Debounce/Throttle user input (AngularJS context):
      • Use Lodash/Underscore (or similar) to debounce/throttle functions triggered by frequent user events that interact with AngularJS's scope.
    4. Optimize ng-repeat (AngularJS-Specific):
      • Use track by to help AngularJS efficiently identify changes.
      • Avoid complex expressions within ng-repeat.
      • Consider pagination/infinite scrolling for large lists managed by AngularJS.

  • Threats Mitigated:

    • Denial of Service (DoS) via Digest Cycle Manipulation: Severity: Medium. Attackers can trigger excessive AngularJS digest cycles.

  • Impact:

    • DoS: Reduces likelihood of DoS (Medium to Low).

  • Currently Implemented: [Example: We use one-time binding. track by is used in all AngularJS ng-repeat directives.]

  • Missing Implementation: [Example: Implement debouncing on the search input in the AngularJS productSearch component. Review watchers in the AngularJS orderHistory component.]

Mitigation Strategy: Secure use of $http and $resource (AngularJS-Specific)

  • Description:

    1. Input Validation (AngularJS Context): Validate all data received from the server before using it within AngularJS's scope or templates.
    2. Sanitization (AngularJS Context): Sanitize any HTML or JavaScript received from the server before rendering it, using AngularJS's $sce and a sanitizer like DOMPurify (as described in the first mitigation strategy).
    3. Correct HTTP Methods: Use appropriate HTTP methods (GET, POST, PUT, DELETE) as intended.
    4. CSRF Protection (AngularJS-Specific):
      • Ensure AngularJS's built-in CSRF protection is enabled. Configure $httpProvider.defaults.xsrfCookieName and $httpProvider.defaults.xsrfHeaderName.
      • The server should generate a CSRF token and include it in a cookie.
      • AngularJS will automatically include this token in request headers.
      • The server should validate the token.
    5. Avoid JSONP (AngularJS Context): Avoid using JSONP with AngularJS if possible. If necessary, ensure the source is absolutely trusted and validate the response carefully. Consider CORS instead.

  • Threats Mitigated:

    • Cross-Site Scripting (XSS): Severity: High.
    • Cross-Site Request Forgery (CSRF): Severity: High.

  • Impact:

    • XSS: Reduces XSS risk (High to Low/Medium).
    • CSRF: Eliminates CSRF risk (High to None).

  • Currently Implemented: [Example: CSRF protection is enabled and configured in AngularJS. We validate data types on the server.]

  • Missing Implementation: [Example: Implement client-side sanitization of server responses in the AngularJS blogComments component. Review JSONP use in the AngularJS legacyData service.]