Our (@we1x @slekies @arturjanc) #CSP paper is out. 95% bypassable, whitelisting is doomed, #strictdynamic helps. https://research.google.com/pubs/pub45542.html
But that's an artifact of how Angular bypasses are researched/reported rather than a security guarantee.
-
-
There is no security guarantee whatsoever. If a paper is published, its example should work though.
-
I'm still not convinced the attack vector works. The Angular interpreter is different from an actual JS engine.
-
https://sites.google.com/site/bughunteruniversity/nonvuln/angularjs-expression-sandbox-bypass has an Angular bypass PoC which works in CSP mode (1.2.0-1.5.0). h/t @kkotowicz
-
FWIW >80% of policies have unsafe-eval so even without such bypasses it's bad. + there's JSONP
-
also CDNs usually host multiple angular versions. So you can usually pick the oldest one.
-
that is definitely true, I was more interested in projects that use angular and their security
-
if I use angular, does CSP bring an advantage, if not why.
-
Protects you from some DOM XSS (i.e. in directive code), but if you can {{}}, you're doomed.