Google built AngularJS to be secure by default, but does it work as advertised?
In each part of this upcoming series, we’ll break down:
The goal is simple: to help developers better understand Angular and embrace the practice of writing more secure code.
AngularJS takes care of us. All of the framework’s security features are turned on out-of-the-box. Perfect, right?
Not so fast. You may be wondering why we even need to talk about AngularJS security at all if it works?
The fact of the matter is that building a security framework that is secure and, at the same time, functional and flexible enough for any application is hard. Concessions are inevitable.
As developers, we’re responsible for understanding the frameworks we use. This isn’t limited to executing complex tasks for doing things quickly–application security also falls on our shoulders.
Before we dive into more detail, let’s take a minute to address the elephant in the room.
You’re probably wondering why we’re focusing on AngularJS 1.x security instead of the newer, sexier Angular 2. Simply put, there are numerous breaking changes between the many versions of AngularJS 1.x that make upgrading to a new version difficult.
If a company adopted AngularJS early in its development, say version 1.1, it would have a tough time upgrading to version 1.2.x or beyond. Application code needs to be changed or in some cases even re-architected to accommodate the breaking changes introduced in the higher versions of AngularJS.
|Site Name||Current AngularJS Version|
|angularJS.org||1.5.7* (oddly enough the angular.io site is using an older version 1.4.8)|
Migrating from older to newer AngularJS versions is difficult enough that the folks at Angular provide some help, describing the process to upgrade from one AngularJS version to the next.
For those of you that have already built websites with older versions of AngularJS and may not be able to upgrade, at least for the moment, this series will teach you how to make your code even stronger.
If you are just beginning to build a brand new site, you’ll learn the importance of using the latest version of AngularJS (1.5.8 at the time of this writing) and how to make the framework itself more secure.
In this series we’re going to make a few assumptions:
We discuss various vulnerabilities and potential vulnerabilities that may crop up in your application. We don’t want to just cover the simple stuff, we’ll also dip into the esoteric.
To do this, we’ve broken AngularJS into its constituent components to examine each in light of what types of vulnerabilities can be applied to them. In the first post, AngularJS security series part 1: Angular $http service, we examine CSRF and JSON pitfalls within the Angular Module, the basic building block of AngularJS applications.
Steve Teilhet is a senior research engineer at Synopsys. He is an author, speaker, and security researcher. Steve has been working in the security field for the last 14 years, primarily in application security. He uses his knowledge for developing both static and dynamic analysis security tools as well as helping others secure their applications’ code. His research spans many areas of application security including client-side, mobile, and server-side. While AppSec keeps him busy, Steve has also written several books. His latest, “C# 6.0 Cookbook,” was published last year through O’Reilly Media Inc.