Common Security Flaws on the Client Side


Troy teaches you AngularJS security

Welcome to Part 4 of this review of the Pluralsight course AngularJS Security Fundamentals by Troy Hunt.

Common Security Flaws on the Client Side

Understanding DOM Versus HTML Source

Troy defines the Document Object Model, something which Angular is adept at manipulating.

We see how the DOM differs from actual HTML source by viewing each side by side.

Security Assumptions and the Risk of “View Source”

All client-side code is public. Troy recommends bundling and minifying your JS files because otherwise it's very easy for anyone to view and navigate through the contents.

In this lesson we see the contents of UsersFactory.js and how it can be used to locate sensitive information. The underlying cause is a lack of access controls on the API, so bundling does not fix this problem; it only makes it less discoverable.

Excessive Model Attributes in API Responses

In Troy's Hack Your API First course he talks at length about excessive model attributes. We see some examples of attributes that we definitely don't want to be returning to the client.

We see a before and after of the original flawed implementation versus the fixed solution.
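The two lessons above share one root cause: what the API returns is decided on the server, not by how hard the client-side JavaScript is to read. As an added example (not code from the course or from the post's awesomeplaces app), here is a server-side view model that whitelists the attributes a caller may see and lets the caller's identity, rather than minification, decide how much is returned. The record shape, field names and the `userResponse` function are assumed for illustration.

```javascript
// Constructed sample row, as it might be stored server-side. The column
// names are assumed; the point is that several of them must never be sent.
const userRecord = {
  id: 42,
  displayName: 'Alice',
  email: 'alice@example.com',
  passwordHash: '$2a$10$constructed-hash-value',
  isAdmin: true,
  sessionToken: 'constructed-session-token',
};

// Fields any caller is allowed to see about another user. Everything else is
// dropped, so a new column added to the table never leaks by default.
const PUBLIC_USER_FIELDS = ['id', 'displayName'];

function toPublicUser(record) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in record) out[key] = record[key];
  }
  return out;
}

// Access control lives on the server: the caller's identity decides whether
// the fuller view is returned. A minified UsersFactory.js changes nothing here.
function userResponse(record, caller) {
  if (caller && caller.id === record.id) {
    // The user looking at their own record may also see their e-mail address.
    return { ...toPublicUser(record), email: record.email };
  }
  return toPublicUser(record);
}

// Usage: a different user (id 7) asks for record 42 and gets the public view.
console.log(JSON.stringify(userResponse(userRecord, { id: 7 })));
```

The whitelist is deliberately a list of allowed names rather than a list of forbidden ones: an "exclude passwordHash" filter silently fails the day someone adds a new sensitive column.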

Understanding Output Encoding in Client Libraries

This lesson talks about Cross-Site Scripting attacks. We see HTML encoding and JavaScript encoding in action, which is why AngularJS does a good job of protecting us against XSS attacks.
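To make visible what a binding such as `{{ }}` or `ng-bind` does for you, here is an added example (not code from the course or from AngularJS itself) of the two encoders the lesson demonstrates, applied to a constructed user-supplied value. The `renderUnsafe`/`renderSafe` helpers and the sample input are assumptions for illustration.

```javascript
// Characters that can change meaning inside HTML text or attribute content.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// HTML encoding: for a value placed into element text or a quoted attribute.
function encodeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string encoding: for a value placed inside a JS string literal.
// Every non-alphanumeric character becomes \xHH or \uHHHH, so the value can
// never close its own quotes or terminate an enclosing <script> block.
function encodeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Two render paths for a user-controlled display name: raw concatenation
// versus encoded output. Only the first lets markup reach the browser.
function renderUnsafe(name) { return '<span>' + name + '</span>'; }
function renderSafe(name)   { return '<span>' + encodeHtml(name) + '</span>'; }

// Constructed sample input containing markup (assumed, for demonstration).
const constructedInput = '<script>alert(1)</script>';

console.log(renderUnsafe(constructedInput)); // markup survives intact
console.log(renderSafe(constructedInput));   // markup is inert text
console.log(encodeJsString('it\'s "quoted"'));
```

The check to carry into an AngularJS code review is which binding is in use: `{{ }}` and `ng-bind` go through the HTML path above, while `ng-bind-html` expects already-trusted or sanitized HTML and is where encoding gets bypassed on purpose.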

HTTP Only and Secure Cookies

Cookies can be enormously valuable to an attacker because they often carry the authentication token. If JavaScript can read our cookies, injected script can read them too, so we should mark them HttpOnly.

Troy also talks about HTML5 Storage, which may be a good alternative to cookies.

The Risk of Cross Site Request Forgery

In this lesson Troy opens up attacker.com in a new tab. Alarmingly, our awesomeplaces site has now changed, and we have been logged out. This is despite awesomeplaces being in a different tab.

We see that attacker.com is owned by Troy Hunt, and he crafted it to call our API via a hidden image. This is a CSRF attack, and just a very basic one. Make sure your apps are not vulnerable to these problems.

Continue to the final part – Security constructs within AngularJS
