Welcome to Part 4 of this review of the Pluralsight course AngularJS Security Fundamentals by Troy Hunt.
Common Security Flaws on the Client Side
Understanding DOM Versus HTML Source
Troy defines the Document Object Model; something which Angular is adept at manipulating.
We see how the DOM differs from actual HTML source by viewing each side by side.
Security Assumptions and the Risk of “View Source”
All client side code is public. Troy recommends bundling and minifying your JS files because otherwise it’s very easy for everyone to view and navigate through the contents.
In this lesson we see the contents of UsersFactory.js and how to use it to find sensitive information. This is due to a lack of access controls so bundling does not fix this problem, it only makes it less discoverable.
Excessive Model Attributes in API Responses
In Troy’s Hack Your API First course he talks at length about excessive model attributes. We see some example of attributes that we definitely don’t want to be returning to the client.
We see a before and after of the original flawed implementation versus the fixed solution.
Understanding Output Encoding in Client Libraries
HTTP Only and Secure Cookies
Troy also talks about HTML5 Storage, which may be a good alternative to cookies.
The Risk of Cross Site Request Forgery
In this lesson Troy opens up attacker.com in a new tab. Alarmingly, our awesomeplaces site has now changed, and we have been logged out. This is despite awesomeplaces being in a different tab.
We see that attacker.com is owned by Troy Hunt, and he crafted it to call our API via a hidden image. This is a CSRF attack, and just a very basic one. Make sure your apps are not vulnerable to these problems.