Securing AngularJS Applications

Securing AngularJS Applications

October 3, 2018
Profile Icon

Jason Franscisco

Programming securely is the most happening debated issue these days. The web developers/designers should be always on toes to act on the cyber-attacks and should be aware of expecting the security issues when building a web application. No matter, how robust the security walls are built; there is always a threat coming on its way behind the screens.

In such scenarios, AngularJS has been developed to take up the responsibility of addressing the major security vulnerabilities that can be expected on the Client side. On the other hand, it is not assured that AngularJS applications are impervious to security vulnerabilities.

This blog helps you to understand better about the best practices we ought to follow as a primary concern while developing an AngularJS application so that we constrain the measure of security issues we may expect.

Try using the latest AngularJS version as long as it is possible?

  • We all know the importance of staying updated and using the latest version of any software library and AngularJS is no different.
  • It is always recommended to track the CHANGELOG and be aware of the bugs/vulnerabilities reported in the current version and perform a deep dive of the report to understand how it affects your application.
  • At the same time, you should always be ready to upgrade your system instantly when a secure and stable version/patch is released.
  • Security team at AngularJS strongly recommends not to modify the copy of AngularJS rather encourages them to share their Angular improvements with the community and make a pull request.

Angular Security Model to safeguard Cross-Site Scripting (XSS) attacks

  • By default, Angular treats all the user-inputs as untrusted when they are inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation and hence it sanitizes and escapes those values but by turning off the auto sanitization by Angular, we expose our application to high security risks which is strongly not recommended.
  • Applications must restrict the malicious inputs that an attacker can inject/embed into the source code of a template and hence recommends to never generate template source code by concatenating user input and templates and rather use an offline template compiler (as known as AOT-COMPILER) to safeguard against the Template Injection attacks.
  • If you are using the Angular CLI, it just takes 2 commands to enable AOT:

     ng build --aot
     ng serve --aot

Sanitization in AngularJS and providing security context

  • Angular sanitizes untrusted values for HTML, styles, and URLs but sanitizing the resource URLs (for example, in <script src>) is not possible as they contain arbitrary code and hence, it is recommended to implement a whitelist for all the resource URLs.
  • Angular recommends the programmers to avoid the direct interaction with the DOM and encourages using Angular templates wherever possible and for situations which are unavoidable, Angular also suggests to prefer the built-in Angular sanitization functions (sanitize method and the appropriate Security Context).

Below mentioned is the code declaring the sanitization providers in BrowserModule:

The skeleton of the class looks like this:

Angular proposes to enable the Content Security Policy (CSP) by configuring the web server to return an appropriate Content-Security-Policy HTTP header which safeguards against the XSS attacks.

Secure the application from Server-Side XSS attacks

  • HTML/templates constructed on the server side are vulnerable to injection attacks and hence, Angular recommends to use a templating language that automatically escapes/sanitizes the user-inputs/values to safeguard against the Server-Side XSS attacks

Be careful while trusting safe values

  • Angular has a built-in support which provides safeguard against the two common HTTP vulnerabilities, Cross-Site Request Forgery (CSRF or XSRF) and Cross-Site Script Inclusion (XSSI) which are mostly taken care on the server side. But, Angular guides the helpers to make the integration on the client side easier and recommends its implementation in the application to prevent such vulnerabilities.

Example implementation for trusting values using DomSanitizer:

Angular's HttpClient to prevent Cross-site script inclusion (XSSI)

  • Cross-Site Script Inclusion, also known as JSON vulnerability, allows the attacker to read data from a JSON API on older browsers by overriding native JavaScript object constructors, and then including an API URL using a  <script>  tag.
  • Angular's HttpClient library allows the servers to convert the JSON responses into non-executable by appending the string ")]}',\n". While parsing it recognizes this convention and automatically strips the string ")]}',\n" and thereby mitigates against the XSSI attacks.

Regular Auditing of Angular applications

  • Angular applications must be audited regularly to make sure that all the security principles are strictly adhered, and the application is safe and secure for the customer’s use, prior to a production release.

Credit: Harshal - Security Researcher

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Learn more
white arrow pointing top right

About Loginsoft

For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups, to product and enterprises rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.

Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.

In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.

Interested to learn more? Let’s start a conversation.

Book a meeting


Latest Articles

Get practical solutions to real-world challenges, straight from experts who conquered them.

View all our articles

Sign up to our Newsletter