Add Angular automatic sanitization

patch-1
marcan2020 2019-10-02 21:24:53 -04:00 committed by GitHub
parent e1e5397d4c
commit 920da73bd7
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 2 deletions


@ -1,8 +1,10 @@
# XSS in Angular
## Client Side Template Injection
The following payloads are based on Client Side Template Injection.
## Stored/Reflected XSS - Simple alert
### Stored/Reflected XSS - Simple alert
> Angular as of version 1.6 have removed the sandbox altogether
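Review bot: the new intro line "The following payloads are based on Client Side Template Injection" should say which framework generation it applies to, since the page title is "XSS in Angular" but the payloads in this section (and the context line about the 1.6 sandbox removal) target AngularJS 1.x template expressions, while the DomSanitizer material added further down applies to Angular 2+. Suggest something like "The following payloads are based on Client Side Template Injection in AngularJS (1.x) templates" so a reader does not try the `{{ }}` payloads against an Angular 2+ app, where bindings are sanitized rather than evaluated as expressions. The heading demotion from `##` to `###` under the new `##` section is consistent with the rest of the file.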
@ -148,7 +150,7 @@ Angular 1.0.1 - 1.1.5 and Vue JS
```
## Blind XSS
### Blind XSS
1.0.1 - 1.1.5 && > 1.6.0 by Mario Heiderich (Cure53)
@ -253,7 +255,47 @@ Shorter 1.0.1 - 1.1.5 && > 1.6.0 by Lewis Ardern (Synopsys) and Gareth Heyes (Po
}}
```
## Automatic Sanitization
> To systematically block XSS bugs, Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values.
However, it is possible to mark a value as trusted and prevent the automatic sanitization with these methods:
- bypassSecurityTrustHtml
- bypassSecurityTrustScript
- bypassSecurityTrustStyle
- bypassSecurityTrustUrl
- bypassSecurityTrustResourceUrl
Example of a component using the unsecure method `bypassSecurityTrustUrl`:
```
import { Component, OnInit } from '@angular/core';
@Component({
selector: 'my-app',
template: `
<h4>An untrusted URL:</h4>
<p><a class="e2e-dangerous-url" [href]="dangerousUrl">Click me</a></p>
<h4>A trusted URL:</h4>
<p><a class="e2e-trusted-url" [href]="trustedUrl">Click me</a></p>
`,
})
export class App {
constructor(private sanitizer: DomSanitizer) {
this.dangerousUrl = 'javascript:alert("Hi there")';
this.trustedUrl = sanitizer.bypassSecurityTrustUrl(this.dangerousUrl);
}
}
```
![XSS](https://angular.io/generated/images/guide/security/bypass-security-component.png)
When doing a code review, you want to make sure that no user input is being trusted since it will introduce a security vulnerability in the application.
## References
- [XSS without HTML - CSTI with Angular JS - Portswigger](https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs)
- [Blind XSS AngularJS Payloads](https://ardern.io/2018/12/07/angularjs-bxss)
- [Angular Security](https://angular.io/guide/security)
- [Bypass DomSanitizer](https://medium.com/@swarnakishore/angular-safe-pipe-implementation-to-bypass-domsanitizer-stripping-out-content-c1bf0f1cc36b)
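Review bot: the `bypassSecurityTrustUrl` example does not compile as written: `DomSanitizer` is injected in the constructor but never imported, `OnInit` is imported but unused, and `dangerousUrl` / `trustedUrl` are assigned without being declared on the class. Suggest replacing the import line with `import { Component } from '@angular/core';` plus `import { DomSanitizer, SafeUrl } from '@angular/platform-browser';`, and adding `dangerousUrl: string;` and `trustedUrl: SafeUrl;` as class fields above the constructor. Two smaller points in the same hunk: the opening fence before `import` has no language tag (the rest of the file tags its fences, so ```typescript would match), and "unsecure method" should read "insecure method". The closing code-review sentence would be more actionable if it named what to look for, e.g. that every `bypassSecurityTrust*` call listed above is a review finding whenever its argument can be influenced by user input, which is exactly what the example demonstrates with the `javascript:` URL.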