AppSec Europe 2016 has ended
Back To Schedule
Friday, July 1 • 14:10 - 14:55
Securing AngularJS Applications

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Since its birth, the Web evolved from a system to share and view scientific documents to a full-blown platform for sophisticated applications. While in the beginning most Web applications were implemented purely on the server-side, modern ones heavily rely on client-side components.

AnuglarJS is the latest addition in this process. Within an Angular application the server is merely a data storage facility with a few additional access checks. The core of the application is running on the client-side.

As Angular is specifically designed to work on the client-side, it attempts to remove the main points of friction for developers. By providing a templating system, two-way bindings and custom directives, DOM interactions can be reduced to a bare minimum.

From a security point of view this is very interesting as Angular removes the need for using some DOM APIs with very sharp edges (innerHTML, document.write). On the other hand, Angular introduces new ways of approaching application development that are largely unexplored in terms of security.

This talk provides an in-depth introduction to the security of Angular applications. It first introduces the core design ideas and security principles of AngularJS. Then, based on the experience of the Google Security Team, shows common security pitfalls that are specific to Angular applications. In general, the talk covers Angular's string interpolation functionality, strict auto-escaping templates, URL-based directives and insecure legacy APIs. All the presented issues are based on real-world bugs. The talk will demonstrate how to find and prevent these issues in practice.


Sebastian Lekies

Sebastian Lekies is an Information Security Engineer at Google and a PhD Student at the Ruhr-University Bochum. His research interests encompass client-side Web application security and Web application security testing. He graduated from University of Mannheim with a M.Sc. in Business... Read More →

Friday July 1, 2016 14:10 - 14:55 CEST
Room A (Michelangelo Ballroom Sect. 3)