
Troy teaches you AngularJS security
Welcome to Part 4 of this review of the Pluralsight course AngularJS Security Fundamentals by Troy Hunt.
Common Security Flaws on the Client Side
Understanding DOM Versus HTML Source
Troy defines the Document Object Model, something which Angular is adept at manipulating.
We see how the live DOM differs from the HTML source the server actually sent by viewing the two side by side.
Security Assumptions and the Risk of “View Source”
All client side code is public. Troy recommends bundling and minifying your JS files because otherwise it’s very easy for anyone to view and navigate through the contents.
In this lesson we see the contents of UsersFactory.js and how an attacker can use it to find sensitive information: the file reveals the API calls the app makes, and those calls return the data because the API lacks access controls. Bundling and minifying does not fix this problem, it only makes the endpoints less discoverable. The real fix is authorisation on the server.
Excessive Model Attributes in API Responses
In Troy’s Hack Your API First course he talks at length about excessive model attributes. We see some examples of attributes that we definitely don’t want to be returning to the client.
We see a before and after of the original flawed implementation versus the fixed solution.
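To make the before and after concrete, here is an added example of the allow-list approach to trimming an API response. This is my own illustration, not code from the course or its demo app; the user record, field names and the SENSITIVE_KEYS list are constructed for the example.

```javascript
// Added example: explicit allow-listing of response attributes.
// storedUser is a constructed record standing in for what the data layer returns.
const storedUser = {
  id: 42,
  displayName: 'Troy',
  email: 'troy@example.com',
  passwordHash: '$2a$10$constructedplaceholderhash',
  passwordResetToken: 'constructed-reset-token',
  isAdmin: false,
  lastLoginIp: '203.0.113.7',
};

// The flawed version: serialise the whole model. Every column, including the
// password hash and reset token, reaches the browser, where "view source" or
// the network tab shows it to anyone.
function toResponseFlawed(user) {
  return { ...user };
}

// The fix: name the fields the client actually needs. Anything not listed
// never leaves the server, so a sensitive column added later is excluded
// by default instead of leaking by default.
const PUBLIC_USER_FIELDS = ['id', 'displayName'];

function project(obj, fields) {
  const out = {};
  for (const f of fields) {
    if (f in obj) out[f] = obj[f];
  }
  return out;
}

function toResponseFixed(user) {
  return project(user, PUBLIC_USER_FIELDS);
}

// Same treatment for list endpoints, which are where excessive attributes
// usually hurt most (one request, every user).
function toListResponseFixed(users) {
  return users.map(toResponseFixed);
}

// A guard worth running in the API's tests: fail if any response object
// carries a key we know must never reach the client.
const SENSITIVE_KEYS = ['passwordHash', 'passwordResetToken', 'lastLoginIp'];

function leaksSensitiveData(response) {
  const list = Array.isArray(response) ? response : [response];
  return list.some(r => SENSITIVE_KEYS.some(k => k in r));
}
```

The point of the allow-list (rather than a deny-list of known-bad fields) is that the default is safe: the server has to opt a field in before the client ever sees it.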
Understanding Output Encoding in Client Libraries
This lesson talks about Cross Site Scripting attacks. We see HTML encoding and JavaScript encoding in action, the idea being that untrusted data is encoded for the context it is rendered into so the browser treats it as text rather than markup or code. AngularJS does this for us by default: {{ }} interpolation and ng-bind write the value as text, never as HTML, which is why Angular does a good job of protecting us against XSS attacks.
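As an added example (my own, not code from the course), here are the two encoders the lesson demonstrates, applied to a constructed attacker payload. The renderVulnerable and renderFixed functions are hypothetical templates written for this illustration.

```javascript
// Added example: context-specific output encoding.
// attackerName is a constructed payload that tries to break out of both an
// HTML context and a JavaScript string literal.
const attackerName = '"><img src=x onerror=alert(1)>\'; alert(2); //';

// HTML context (text nodes and quoted attributes): the five characters that can
// start a tag, end an attribute or begin an entity become entities, so the HTML
// parser never sees a new element.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string-literal context: everything outside [A-Za-z0-9] becomes a
// \xHH or \uHHHH escape, so the value can neither close the quote nor smuggle a
// "</script>" past the HTML parser. (JSON.stringify alone is not enough for the
// second problem, because it leaves '<' untouched.)
function encodeJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// A page fragment rendered two ways. The vulnerable version concatenates raw
// input into both an HTML text node and a JS string; the fixed version encodes
// each occurrence for the context it lands in.
function renderVulnerable(name) {
  return `<p>Hello ${name}</p><script>var who = '${name}';</script>`;
}

function renderFixed(name) {
  return `<p>Hello ${encodeHtml(name)}</p><script>var who = '${encodeJs(name)}';</script>`;
}

// Crude but useful check for tests: does the rendered output contain a raw tag
// or an unescaped quote inside the script block?
function looksInjected(html) {
  return /<img/i.test(html) || /var who = '[^']*'[^;]/.test(html);
}
```

Note that the two encoders are not interchangeable: an HTML-encoded value placed inside a script block is not decoded there, so the wrong encoder for the context gives no protection. Pick the encoder by where the data ends up, which is exactly the decision Angular makes for you when you let it bind the value.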
HTTP Only and Secure Cookies
Cookies can be enormously valuable to an attacker because they often carry the authentication token. If JavaScript can read our cookies, a single XSS bug is enough to steal the session, so we should mark them HttpOnly, which hides them from script entirely. Marking them Secure as well means the browser only sends them over HTTPS.
Troy also talks about HTML5 Storage, which may be a good alternative to cookies. One caveat worth keeping in mind: localStorage and sessionStorage have no HttpOnly equivalent, so any script running on the origin can read them.
The Risk of Cross Site Request Forgery
In this lesson Troy opens up attacker.com in a new tab. Alarmingly, our awesomeplaces site has now changed, and we have been logged out, despite awesomeplaces being in a different tab.
We see that attacker.com is owned by Troy Hunt, and he crafted it to call our API via a hidden image. The browser attaches our awesomeplaces cookies to that image request automatically, so the logout endpoint runs with our session even though we never touched it. This is a CSRF attack, and just a very basic one. Make sure your apps are not vulnerable to these problems.