Are you botching the security of your AngularJS application?
-
Upload
philippe-de-ryck -
Category
Technology
-
view
59 -
download
2
Transcript of Are you botching the security of your AngularJS application?
![Page 1: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/1.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
ARE YOU BOTCHING THE SECURITY OFYOUR ANGULARJSAPPLICATION?
PhilippeDeRyck
![Page 2: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/2.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
IMAGINE AWORLD WITHOUT SECURITY PROBLEMS IN WEB APPLICATIONS …
Whatkindofworldwouldthatbe?
![Page 3: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/3.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
KNOWLEDGE IS THE KEY
Yetsecurityisoftenoverlooked
![Page 4: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/4.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
KNOWLEDGE IS KEY TO BUILDING SECURE APPLICATIONS
• Youdonotneedtobeasecurityexpert• ButyouneedtobeawareofthethreatsintheWeb
• Youwillwanttoapplyfundamentalsecurityprinciples
• Andfinally,youneedtoknowwhentocallasecurityexpert
• Byspreadingknowledge,Iwanttohelpyoubuildsecureapplications• Youwillbeabletoabsorblotsofknowledgeheretoday• Ifyouwantmore,contactmeaboutsecuritytraining
• Variousresourcesavailableonhttps://www.websec.be
• I’malsoachef,sothedemoswillmakeyou(evenmore)hungry!
![Page 5: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/5.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
CROSS-SITE SCRIPTING (XSS)
• AnXSSattackinjectsmaliciouscontentintoyourpages
• Inthe“original”XSSattacks,anattackerinjectedJavaScriptcode• Today,injectedcontentcanbeJavaScript,CSS,HTML,SVG,…
![Page 6: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/6.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
CROSS-SITE SCRIPTING (XSS)
• AnXSSattackinjectsmaliciouscontentintoyourpages
• Inthe“original”XSSattacks,anattackerinjectedJavaScriptcode• Today,injectedcontentcanbeJavaScript,CSS,HTML,SVG,…
• Therealproblemisthatinjectedcontentrunsinyourcontext• Completeaccesstoyourclient-sidedataandcode
• Abilitytouseanypermissionstheuserhasgrantedtoyourapplication
• ThefullpowerofXHRtocontactyourbackend,inthenameoftheuser
• XSSattacksareverypowerful,andunfortunatelyverycommon
• XSSisranked3rd intheOWASPtop10and4th
intheSANStop25
![Page 7: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/7.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
http://colesec.inventedtheinternet.com/beef-the-browser-exploitation-framework-project/
![Page 8: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/8.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
XSSVULNERABILITIES ARE NOT ONLY FOR CHUMPS
https://www.youtube.com/watch?v=K0noqLisW_chttp://motherboard.vice.com/read/tor-project-patches-cross-site-scripting-xss-bug-in-its-website
![Page 9: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/9.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
HOW DO YOU PROTECT AGAINST XSS?
• TherootcauseofXSSisconfusionbetweendataandcode• Browsergetsuntrusteddatamixedwithtrustedcode
• Thereisnowaytoknowwhichpartisdataandwhichiscode
<div><h3>Your search for “<i>Crazy Cats<script>alert(“Miauw!”)</script></i>”returned 5 results
</h3></div>
<div><h3>Your search for “$query” returned $count results
</h3></div>
![Page 10: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/10.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
HOW DO YOU PROTECT AGAINST XSS?
• TherootcauseofXSSisconfusionbetweendataandcode• Browsergetsuntrusteddatamixedwithtrustedcode
• Thereisnowaytoknowwhichpartisdataandwhichiscode
• Theserverneedstorenderthedataharmless
• Byescaping“dangerous”partsinthedata<div><h3>
Your search for “<i>Crazy Cats<script>alert(“Miauw!”)</script></i>
returned 5 results</h3></div>
![Page 11: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/11.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
ESCAPING OUTPUT TO PROTECT AGAINST XSS
• Escapingdangerouspartspreventsdatatobecomecode
• Serverdoesthisbeforesendingpagetothebrowser
• Theescapingprocessiscontext-sensitive• HTMLbody <h1>DATA</h1>
• HTMLattributes <div id=‘DATA’>
• Stylesheetcontext body { background-color: DATA;}
• Scriptcontext alert(“DATA”);• …
![Page 12: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/12.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
![Page 13: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/13.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
AND WHAT ABOUT XSSIN ANGULAR?
• Remembertheconfusionbetweendataandcode?
• TemplatesandJavaScriptcodeareconsideredtheapplication’scode• DatafetchedfromAPIsisconsidereddata
• AngularJSknowswhichpartsareuntrusted• AndautomaticallyappliesStrictContextualEscaping(SCE)• SCEappliestoalldatabindingswithng-bind or{{ }}• SCEison-by-defaultsinceversion1.2
• ButwhatifweactuallywanttoallowHTMLintheuser’sdata?
![Page 14: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/14.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
![Page 15: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/15.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
http://stackoverflow.com/questions/9381926/angularjs-insert-html-into-view/25513186#25513186
![Page 16: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/16.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
ALL IS GREAT …UNTIL YOU GET A CALL ONE EVENING
What,noway!Whathappened?Didtheystealourdata?
No,it’sworse!Muchworse!
TheyloadedEmberJS!
We’vebeenhacked!
Thenwhat?!
OH MY GOOOWD
![Page 17: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/17.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
LET’S INVESTIGATE THE STACKOVERFLOW ADVICE …
https://docs.angularjs.org/api/ng/service/$scehttps://docs.angularjs.org/error/$sce/unsafe
![Page 18: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/18.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
LETTING ANGULARJS1.X DO THE WORK FOR YOU
• SimpledatawillbeencodedfortherightcontextwithSCE
• AngularJSwillnotallowyoutodirectlyuseuntrusteddata
• Sanitizinguntrusteddatamakesitsafetouse
• StaticHTMLsnippetscanbemarkedassafeifabsolutelynecessary
<p>{{var}}</p>var = “test<script>alert(1)</script>”
<p ng-bind-html=“var”></p><input ng-model=“var” />
<input ng-model=“var” /> angular.module(“…”, [‘ngSanitize’]<p ng-bind-html=“var”></p>
<p ng-bind-html=“var”></p>var = $sce.trustAsHtml(“<b>test</b>)”
![Page 19: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/19.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
AND IT’S EVEN BETTER IN ANGULARJS2.X
• Alldataissanitizedbydefault
• StaticHTMLcanbemarkedsafeifabsolutelynecessary
<input ng-model=“var” /> <p>{{var}}</p>
<p>{{var}}</p>var = domSanitizer.bypassSecurityTrustHtml(“<b>test</b>)”)
![Page 20: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/20.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
http://stackoverflow.com/a/25513186
![Page 21: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/21.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
RULE#1
DO NOT MARK UNTRUSTED DATA AS SAFE
Usethebuilt-insanitizertoremovedangerousfeaturesfromtheuntrusteddata
![Page 22: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/22.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
MIXING ANGULARJS WITH TRADITIONAL APPLICATIONS
• AngularJSisoftenusedwithintraditionalapplications• TheserverbuildsanHTMLpage,usinguntrusteddata
• AngularJSisusedtosimplifyUIdevelopment
<script src=“…/angular.js”></script>…<div><h3>
Your search for “<i>encode($query)</i>” returned {{nbOfResults}} results
</h3></div>
![Page 23: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/23.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
MIXING ANGULARJSWITH TRADITIONAL APPLICATIONS
• TheserverwillneedtoprotectagainstXSSattacks• ButisthatevenpossibleinanAngularJSenvironment?
<div class=”ng-app”>{{constructor.constructor(‘alert(1)’)}}
</div>
<div class="ng-app"><b class="ng-style: {x:constructor.constructor('alert(1)')()};" />
</div>
Herekittykittykitty…
x: y
![Page 24: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/24.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
MIXING ANGULARJSWITH TRADITIONAL APPLICATIONS
• TheserverwillneedtoprotectagainstXSSattacks• ButisthatevenpossibleinanAngularJSenvironment?
• AngularJStrieditwiththeexpressionsandbox• PreventsdirectaccesstoglobalJavaScriptfunctionality• Impossibletogetright,soonlyavailableinAngularJS1.2- 1.5.8
• Angular2offersofflinetemplatecompilation
![Page 25: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/25.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
RULE#2
DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA ON THE SERVER
Providethedataseparatelytotheclient-sideAngularJSapplication
![Page 26: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/26.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
BUT WHAT IF AN XSSATTACK HAPPENS ANYWAY?
![Page 27: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/27.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
SO WHAT IF XSSHAPPENS ANYWAY?
• ShieldyourselfbydeployingContentSecurityPolicy• CSPactsasasecondlevelofdefenseagainstXSSattacks• XSSattackswillbeseverelyconstrainedorevenblocked
• CSPlocksdownwhatcanhappeninawebpage• Refusestoexecuteinlinescriptandstyle• Onlyloadsexternalresourcesifexplicitlyallowed
• CSPseemsscary,butisactuallyawesome
![Page 28: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/28.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
THE NUTS AND BOLTS OF CSP
• CSPisaserver-drivenbrowser-enforcedpolicy• ServerprovidesaCSPpolicyinaheaderormeta tag
• BrowserenforcestheCSPpolicyonthepageContent-Security-Policy:
default-src 'self';
script-src 'self' https://code.jquery.com/jquery-3.1.1.min.js https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js;
img-src data:;
style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css;
font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/fonts/
![Page 29: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/29.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
AQUICK OVERVIEW OF CSP’S DIRECTIVES
• CSPhasdirectivesforallkindsofresources• default-src appliestoanyresource,ifthere’snomorespecific directive• img-src,script-src,style-src,…
• Adirectivecanhavenumerousvalidvalues
• Keywords:‘none’,‘self’,*• Expressions:https://websec.be,https:,https://websec.be/jquery.js,*.websec.be
• CSPhassomeincompatibilitieswithtraditionalwebapps
• ButiseasytodeployonanAngularJSapplication
![Page 30: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/30.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
BROWSER SUPPORT FOR CSPLEVEL 1IS AWESOME
http://caniuse.com/#search=csp
![Page 31: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/31.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
FOLLOWING UP ON CSPVIOLATIONS
• CSPincludesareportingfeature• Thebrowserautomaticallysendsareportwhenaviolationoccurs
{ "csp-report": { "document-uri": "https://www.websec.be/blog/cspfromscratch/", "violated-directive": "script-src 'self' https://…", "effective-directive": "script-src", "original-policy": "default-src 'self’…", "blocked-uri": "eval", "line-number": 1, column-number": 1609, "source-file": "https://a.disquscdn.com", "status-code": 0 } }
![Page 32: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/32.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
FOLLOWING UP ON CSPVIOLATIONS
• CSPincludesareportingfeature• Thebrowserautomaticallysendsareportwhenaviolationoccurs
• CSPcanbeenabledinreport-onlymode
• Policyviolationswillnotbeblocked,butareportissent• Perfectfordry-runningyourpolicybeforedeploying
• Collectingreportsisstraightforward,butalsoabittricky• report-uri.io willgetyoustarted
https://report-uri.io/
![Page 33: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/33.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
WRITING SANE CSPPOLICIES
• DeployCSPusingtheContent-Security-Policy responseheader• meta tagsareagoodalternativeifheadersaretoodifficulttouse
•Makeyourpolicyassecureaspossible
• Avoid‘unsafe-inline’and‘unsafe-eval’,especiallyforscripts• Specifyresourcesuptothefileleveltoavoidbypassattacks• Defineallimportantdirectivestoavoidoverrideattackswithmeta tags
• UseGoogle’sCSPEvaluatortocheckyourpolicyhttps://csp-evaluator.withgoogle.com/
![Page 34: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/34.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
WRITING SANE CSPPOLICIES
https://csp-evaluator.withgoogle.com/
![Page 35: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/35.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
RULE#3
LEVERAGE THE TREMENDOUS POWER OF CSP
Makesureyourappsarecompatible,andlockdownyourCSPpolicy
![Page 36: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/36.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
Security
![Page 37: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/37.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
SO FAR,WE ONLY TALKED ABOUT XSS
• Butthere’salotmoretobuildingasecureapplication
• Thewebhasevolvedalotinthelastfewyears• Plentyofnewthreats,butalsoplentyofnewsecuritytechnologies
• FundamentalsforbuildingsecureAngularJSapplications
• DeployyourapplicationsoverHTTPS• Usestrongauthenticationmechanisms
• Performaccesscontrolintherightplaces,withtherightdata
• Protectagainstcommonthreatsagainstsessionmanagement
![Page 38: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/38.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
SECURE SESSION MANAGEMENT IS CRITICAL
websec.be
anysite.io
Visitwebpage
Welcomepage
LoginasPhilippeWelcomePhilippe
Visitwebpage
Welcomepage
LoginasPhilippeWelcomePhilippe
SID=1234
1234:
auth:false
1234:
auth:true
user:Philippe
Session={
auth:false
}
Session={
auth:true
user:Philippe
}
![Page 39: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/39.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
THE UNDERESTIMATED THREAT OF CSRF
websec.be
anysite.io
loginasPhilippeWelcomepage
Showmessages
Latestmessages
Showobligatorycatpics
Kittensfromhell
![Page 40: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/40.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
CSRFIN THE REAL WORLD
Ebay.com
Resetpassword
OK,wewillgiveyouacall
Changetelephonenumber
Surething,Philippe
http://news.softpedia.com/news/CSRF-Vulnerability-in-eBay-Allows-Hackers-to-Hijack-User-Accounts-Video-383316.shtml
Resetpasswordwithsecretcode
Alldone
![Page 41: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/41.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
TRADITIONAL CSRFDEFENSES ARE CRUMBLINGwebsec.be
anysite.io
loginasPhilippeWelcomepage
Postmessage
Surething,Philippe
Showobligatorycatpics
Kittensfromhell
<form … ><input type=“hidden” name=“csrftoken” value”1234abc” />...
</form>
![Page 42: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/42.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
TRANSPARENT CSRFTOKENS WORK WITHOUT FORMSwebsec.be
anysite.io
loginasPhilippeWelcome,Philippe
Postmessage
Surething,Philippe
Showobligatorycatpics
Kittensfromhell
POST …Cookie: SID=123, XSRF-TOKEN=abcX-XSRF-TOKEN: abc
![Page 43: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/43.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
ANGULARJSSUPPORTS TRANSPARENT TOKENS BY DEFAULT
![Page 44: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/44.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
WHY DON’T WE JUST FIX COOKIES?websec.be
anysite.io
loginasPhilippeWelcomepage
Postmessage
Surething,Philippe
Showobligatorycatpics
Kittensfromhell
Set-Cookie: SSID=1234; SameSite=Strict
https://tools.ietf.org/html/draft-west-first-party-cookies-07
![Page 45: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/45.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
AND WHAT IF IATTACH A TOKEN IN A HEADER?websec.be
anysite.io
loginasPhilippeHi,here’satoken
Postmessage
Surething,Philippe
Showobligatorycatpics
Kittensfromhell
Authorization: Bearer eyJhbGciO…
![Page 46: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/46.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
RULE#4
USE CSRFDEFENSES TO PREVENT UNINTENTIONAL REQUESTS
AngularJShasyourback,ifyouenableCSRFtokensonthebackend
![Page 47: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/47.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
KNOWLEDGE IS THE KEY TO SECURITY
#3 LEVERAGE THE TREMENDOUS POWER OF CSP
#2 DO NOT COMBINE TEMPLATES WITH USER-SUPPLIED DATA
#1 NEVER EVER MARK UNTRUSTED DATA AS SAFE
#0 TELL ALL YOUR FRIENDS ABOUT THESE RULES!
#4 USE CSRFDEFENSES TO PREVENT UNINTENTIONAL REQUESTS
![Page 48: Are you botching the security of your AngularJS application?](https://reader034.fdocuments.in/reader034/viewer/2022042907/5871a1901a28ab044e8b6f19/html5/thumbnails/48.jpg)
@PhilippeDeRyck#Devoxx #AngularSecurity
MORE KNOWLEDGE,BETTER SECURITY
/in/philippederyck @PhilippeDeRyck [email protected]
https://www.websec.be
Wanttostayinformed?Subscribetoourmailinglist!