AngularJS Security by Sebastien Lekies
Since its birth, the Web has evolved from a system for sharing and viewing scientific documents into a full-blown platform for sophisticated applications. While early Web applications were implemented almost entirely on the server side, modern ones rely heavily on client-side components. AngularJS is the latest step in this evolution. Within an Angular application the server is merely a data storage facility with a few additional access checks; the core of the application runs on the client side. As Angular is specifically designed to work on the client side, it attempts to remove the main points of friction for developers: by providing a templating system, two-way bindings and custom directives, it reduces direct DOM interactions to a bare minimum. From a security point of view this is very interesting, as Angular removes the need for some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security. This talk provides an introduction to Angular security. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, it covers common security pitfalls that are specific to Angular applications. In particular, we will cover Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs.