Scribd
Upload
59 views

Angular OWASP Top 10 Vulnerabilities

The document provides a cheat sheet on handling the top 10 OWASP vulnerabilities in Angular applications. It discusses issues like using dependencies with known vulnerabilities, broken authentication, cross-site scripting, broken access control, and sensitive data exposure. Practical advice is given for each vulnerability, such as using interpolation to apply escaping, implementing authorization checks, and encrypting sensitive data before storing it.

Uploaded by

Andrei Ulinici
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
59 views

Angular OWASP Top 10 Vulnerabilities

The document provides a cheat sheet on handling the top 10 OWASP vulnerabilities in Angular applications. It discusses issues like using dependencies with known vulnerabilities, broken authentication, cross-site scripting, broken access control, and sensitive data exposure. Practical advice is given for each vulnerability, such as using interpolation to apply escaping, implementing authorization checks, and encrypting sensitive data before storing it.

Uploaded by

Andrei Ulinici
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Security Cheat Sheet

Version 2019.003

Angular and the OWASP top 10


The OWASP top 10 is one of the most influential security documents of all time. But how do these top 10 vulnerabilities resonate
in a frontend JavaScript application?
This cheat sheet offers practical advice on handling the most relevant OWASP top 10 vulnerabilities in Angular applications.
DISCLAIMER This is an opinionated interpretation of the OWASP top 10 (2017), applied to frontend Angular applications. Many backend-related issues apply to the API-side of an Angular
application (e.g., SQL injection), but are out of scope for this cheat sheet. Hence, they are omitted.

1 Using dependencies with known vulnerabilities 3 Cross-Site Scripting


OWASP #9 OWASP #7

Plan for a periodical release schedule Preventing html/script injection in Angular


Use npm audit to scan for known vulnerabilities Use interpolation with {{}} to automatically apply escaping
Setup automated dependency checking to receive alerts Use safe property binding such as [href], [src], [style.color]
Github offers automatic dependency checking as a free service Use binding to [innerHTML] to safely insert HTML data
Integrate dependency checking into your build pipeline
Do not use bypassSecurityTrust*() on untrusted data

2 Broken authentication Preventing code injection outside of Angular


OWASP #2
Avoid direct DOM manipulation
From an Angular perspective, the most important aspect of broken E.g. through ElementRef or other client-side libraries
authentication is maintaining state after authentication. Many
Do not combine Angular with server-side dynamic pages
alternatives exist, each with their specific security considerations.
Use Ahead-Of-Time compilation (AOT)
Decide if a stateless backend is a requirement
Server-side state is more secure, and works well in most cases 4 Broken access control
Server-side session state OWASP #5

Use long and random session identifiers with high entropy Authorization checks
OWASP has a great cheat sheet offering practical advice [1] Implement proper authorization checks on API endpoints
Check if the user is authenticated
Client-side session state Check if the user is allowed to access the specific resources
Use signatures to protect the integrity of the session state Do not rely on client-side authorization checks for security
Adopt the proper signature scheme for your deployment
HMAC-based signatures only work within a single application
Cross-Origin Resource Sharing (CORS)
Public/private key signatures work well in distributed scenarios Prevent unauthorized cross-origin access with a strict policy
Verify the integrity of inbound state data on the backend Avoid whitelisting the null origin in your policy
Explicitly avoid the use of “decode-only” functions in libraries
Avoid blindly reflecting back the value of the origin header
Setup key management / key rotation for your signing keys
Avoid custom CORS implementations
Ensure you can handle session expiration and revocation Origin-matching code is error-prone, so prefer the use of libraries

Cookie-based session state transport


Enable the proper cookie security properties
5 Sensitive data exposure
OWASP #3
Set the HttpOnly and Secure cookie attributes
Add the __Secure or __Host- prefix on the cookie name Data in transit
Protect the backend against Cross-Site Request Forgery Serve everything over HTTPS
Same-origin APIs should use a double submit cookie
Ensure that all traffic is sent to the HTTPS endpoint
Cross-Origin APIs should force the use of CORS preflights by only
accepting a non-form-based content type (e.g. application/json) Redirect HTTP to HTTPS on endpoints dealing with page loads
Disable HTTP on endpoints that only provide an API
Authorization header-based session state transport Enable Strict Transport Security on all HTTPS endpoints
Only send the authorization header to whitelisted hosts
Data at rest in the browser
Many custom interceptors send the header to every host
Encrypt sensitive data before persisting it in the browser
[1] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
Encrypt sensitive data in JWTs using JSON Web Encryption

Looking for security knowledge beyond textbook examples?


Reach out to learn more about our academic-level training program
https://pragmaticwebsecurity.com/

You might also like