https://sites.google.com/site/bughunteruniversity/nonvuln/angularjs-expression-sandbox-bypass … has an Angular bypass PoC which works in CSP mode (1.2.0-1.5.0). h/t @kkotowicz
FWIW >80% of policies have unsafe-eval so even without such bypasses it's bad. + there's JSONP
also CDNs usually host multiple angular versions. So you can usually pick the oldest one.
that is definitely true, I was more interested in projects that use angular and their security
if I use angular, does CSP bring an advantage, if not why.
Protects you from some DOM XSS (i.e. in directive code), but if you can {{}}, you're doomed.
that is really sad to hear :( CSP is such a nice idea for improving security. any solutions?
In Angular 2 there's no template injection possible, so CSP makes sense there.
So the solution is upgrading to angular 2.0 as soon as it is out of RC?
ng2 + cap would work only if you use ahead of time ng2 compiler. Unlikely your devs will
IMHO the point is that unlike in V1, AoT in V2 (http://blog.mgechev.com/2016/08/14/ahead-of-time-compilation-angular-offline-precompilation/ …) can prevent injection
So if you care enough you can make your project use it, and then have CSP help against DOM XSS
good! As a matter of fact I do care enough even though upgrade to ng2 will take time! Thanks!