Stealing Bearer Tokens with an Angular Expression Injection

codesploit.com

10 points by ryhanson 10 years ago · 6 comments

mikelarned 10 years ago

It looks like this is only possible when we are mixing server side / client side templates? Enter an expression into input, a user hard refreshes and the expression is rendered into our angular template. Are there any good approaches to always scrubbing expression input on the server side (or just avoid the client side / server side template mix?)

  • ryhanson (OP) 10 years ago

    That is the most common occurrence of this issue. It can also happen with directives that use transclude or if the app explicitly calls Angular's $interpolate function on a user's input.

    You should definitely avoid mixing server side and client side templates, but if that's too much work, scrubbing would work. You would need to strip the expression start and end symbols. Default symbols are '{{' and '}}', but some apps use different symbols to avoid collisions with other template engines that use the double curly brace.

rpkelley 10 years ago

I bet there are a lot more production angular apps out there than people think that have this vulnerability right now.

  • ryhanson (OP) 10 years ago

    From the research I have done, this is a true statement. The reason is that people are adding Angular into their web apps that were initially built with an MVC framework of some sort.

    The problem ends up being that they mix server side templates with client side templates. If user input is rendered in a server side template and ends up in an element that is part of the Angular scope, the expression will evaluate. So attaching an Angular controller to your body tag and then including server side templates within the body is bad...
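The two replies above describe the same pattern from both ends: a server-side template HTML-escapes user input and drops it inside an element that an Angular controller owns, and the fix is either to stop mixing the two template layers or to scrub the interpolation symbols (whatever the app configured them to be) before the input reaches the server-side template. The following is an added example, not code from the thread or from codesploit.com. It simulates that server-side render in plain Node.js with no Angular dependency; the function names (renderServerTemplate, findInterpolations, scrubInterpolation) and the `AppCtrl` controller name are illustrative, and the probe input `{{7*7}}` is a constructed test string of the kind used to check for the issue.

```javascript
'use strict';

// Minimal HTML escaper of the kind a server-side template engine applies by
// default. It leaves '{' and '}' alone, which is exactly why HTML escaping on
// its own does not stop an Angular expression from being evaluated client-side.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Toy server-side template (hypothetical): the body carries an Angular
// controller, and the server renders the escaped user input inside it, so the
// rendered text ends up in an element that is part of the Angular scope.
function renderServerTemplate(userInput) {
  return '<body ng-controller="AppCtrl">' +
         '<p>Hello, ' + escapeHtml(userInput) + '</p>' +
         '</body>';
}

// Escape a literal string for use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Lists the expression bodies Angular would interpolate in this markup for a
// given pair of start/end symbols. The defaults are '{{' and '}}'; an app can
// change them with $interpolateProvider.startSymbol()/endSymbol(), in which
// case a scanner that only knows the defaults misses every real expression.
function findInterpolations(html, startSym = '{{', endSym = '}}') {
  const re = new RegExp(
    escapeRegExp(startSym) + '([\\s\\S]*?)' + escapeRegExp(endSym), 'g');
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1].trim());
  return found;
}

// Server-side scrubber: strips the start and end symbols from user input before
// it is handed to a server-side template. Removal can create a new symbol out
// of the surrounding characters (for example '{}}{' becomes '{{' after '}}' is
// removed), so loop until the string stops changing.
function scrubInterpolation(input, startSym = '{{', endSym = '}}') {
  let out = String(input);
  let prev;
  do {
    prev = out;
    out = out.split(startSym).join('').split(endSym).join('');
  } while (out !== prev);
  return out;
}

// Hardened render: same template, input scrubbed with the app's actual symbols.
function renderServerTemplateSafe(userInput, startSym = '{{', endSym = '}}') {
  return renderServerTemplate(scrubInterpolation(userInput, startSym, endSym));
}

// Constructed probe input of the kind a tester submits to check for the issue.
const probe = '{{7*7}}';
console.log(findInterpolations(renderServerTemplate(probe)));      // [ '7*7' ]
console.log(findInterpolations(renderServerTemplateSafe(probe)));  // []

// Custom-symbol caveat from the thread: an app using '[[' / ']]' is still
// exposed, and the default-symbol scrubber leaves that payload untouched.
const customProbe = '[[7*7]]';
console.log(findInterpolations(renderServerTemplate(customProbe), '[[', ']]')); // [ '7*7' ]
console.log(scrubInterpolation(customProbe));                                   // '[[7*7]]'
```

The scrubber only helps if it runs with the same symbols the app passed to `$interpolateProvider`, and only for the path where server-rendered markup lands inside Angular scope; it does nothing for the transclude and explicit `$interpolate` cases mentioned above, where the input reaches Angular directly. Keeping server-side and client-side templates in separate DOM subtrees remains the structural fix.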

bossmojoman 10 years ago

Crazy, now to go double check all my angular code

lorenmorris 10 years ago

This is a legitimate comment.
