close search bar

Sorry, not available in this language yet

close language selection

AngularJS is secure by default, right? Not so fast.

AngularJS Is Secure by Default, Right?

AngularJS is one of those wonderful frameworks that seems to hide so many of JavaScript’s warts. While Angular adds much-needed features to the language, it also creates a handful of new problems for developers. Due to this, I’ve teamed up with Lewis Ardern to pose a simple question with a not-so-simple answer:

Google built AngularJS to be secure by default, but does it work as advertised?

In each part of this upcoming series, we’ll break down:

  • A specific facet of Angular
  • Known security pitfalls
  • Actionable advice to help you write safe code

The goal is simple: to help developers better understand Angular and embrace the practice of writing more secure code.

Angular and developer-driven security

AngularJS takes care of us. All of the framework’s security features are turned on out-of-the-box. Perfect, right?

Not so fast. You may be wondering why we even need to talk about AngularJS security at all if it works?

The fact of the matter is that building a security framework that is secure and, at the same time, functional and flexible enough for any application is hard. Concessions are inevitable.

As developers, we’re responsible for understanding the frameworks we use. This isn’t limited to executing complex tasks for doing things quickly–application security also falls on our shoulders.

Before we dive into more detail, let’s take a minute to address the elephant in the room.

I’ve had the old bull, now I want the young calf

You’re probably wondering why we’re focusing on AngularJS 1.x security instead of the newer, sexier Angular 2. Simply put, there are numerous breaking changes between the many versions of AngularJS 1.x that make upgrading to a new version difficult.

If a company adopted AngularJS early in its development, say version 1.1, it would have a tough time upgrading to version 1.2.x or beyond. Application code needs to be changed or in some cases even re-architected to accommodate the breaking changes introduced in the higher versions of AngularJS.

We can see that many applications have stopped upgrading their AngularJS version in production applications to avoid these drastic changes. For example:
Site Name Current AngularJS Version 1.2.28 1.3.16 1.3.15 1.2.26 1.5.7* (oddly enough the site is using an older version 1.4.8)

Migrating from older to newer AngularJS versions is difficult enough that the folks at Angular provide some help, describing the process to upgrade from one AngularJS version to the next.

How will Angular make me a better developer?

For those of you that have already built websites with older versions of AngularJS and may not be able to upgrade, at least for the moment, this series will teach you how to make your code even stronger.

If you are just beginning to build a brand new site, you’ll learn the importance of using the latest version of AngularJS (1.5.8 at the time of this writing) and how to make the framework itself more secure.

In this series we’re going to make a few assumptions:

  • You’ve already decided to use AngularJS or are currently reviewing it for an upcoming project.
  • You’ve done your homework. We won’t be re-hashing the beauty and robustness of the framework nor will we extol its pros and cons. Besides, there are plenty of Angular blogs and articles to read that either applaud or decry this framework.
  • You know Angular’s components and can Google anything that seems unfamiliar. There will be plenty of guidance, but no hand holding.

We discuss various vulnerabilities and potential vulnerabilities that may crop up in your application. We don’t want to just cover the simple stuff, we’ll also dip into the esoteric.

To do this, we’ve broken AngularJS into its constituent components to examine each in light of what types of vulnerabilities can be applied to them. In the first post, AngularJS security series part 1: Angular $http service, we examine CSRF and JSON pitfalls within the Angular Module, the basic building block of AngularJS applications.

Get training in Securing AngularJS

Steve Teilhet

Posted by

Steve Teilhet

Steve Teilhet

Steve Teilhet is a senior research engineer at Synopsys. He is an author, speaker, and security researcher. Steve has been working in the security field for the last 14 years, primarily in application security. He uses his knowledge for developing both static and dynamic analysis security tools as well as helping others secure their applications’ code. His research spans many areas of application security including client-side, mobile, and server-side. While AppSec keeps him busy, Steve has also written several books. His latest, “C# 6.0 Cookbook,” was published last year through O’Reilly Media Inc.

More from Building secure software