The OWASP Top 10 is one of the most influential security documents of all time. A couple of years ago, these 10 security issues impacted almost every web application. Today, however, the web application landscape has fragmented: monoliths have become frontends, backends, and third-party APIs. As a result, it has become harder to figure out which security measures belong where. Overall, security has gotten a lot more complicated.
In this talk, we explore the relationship between the OWASP Top 10 and Angular applications. We will see how some issues are barely relevant in an Angular world, discover which issues Angular addresses out of the box, and learn which issues require the most attention in an Angular application.
RESOURCES MENTIONED IN THIS SESSION
- Session slides: https://pragmaticwebsecurity.com/talks/angularowasptop10 (plus a link to a free security cheat sheet)
- Enable the ngSanitize module for sanitization of HTML output: https://docs.angularjs.org/api/ngSanitize
- Info on Strict Contextual Escaping (SCE) and the $sce service: https://docs.angularjs.org/api/ng/service/$sce
- The decision to remove the expression sandbox in AngularJS 1.6: http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html
- Avoid template injection through the orderBy filter: https://www.synopsys.com/blogs/software-security/angularjs-1-6-0-sandbox/
- Great video on AngularJS security issues by Lewis Ardern: https://www.youtube.com/watch?v=3vuLPzjc4RI