
Stealing Bearer Tokens with an Angular Expression Injection - ryhanson
http://codesploit.com/angular-expression-injection-walkthrough/
======
mikelarned
It looks like this is only possible when we are mixing server side / client
side templates? Enter an expression into input, a user hard refreshes and the
expression is rendered into our angular template. Are there any good
approaches to always scrubbing expression input on the server side (or just
avoid the client side / server side template mix?)

~~~
ryhanson
That is the most common occurrence of this issue. It can also happen with
directives that use transclude or if the app is explicitly calling Angular's
$interpolate function on a user's input.

You should definitely avoid mixing server side and client side templates, but
if that's too much work, scrubbing would work. You would need to strip the
expression start and end symbols. Default symbols are '{{' and '}}', but some
apps use different symbols to avoid collisions with other template engines
that use the double curly brace.

------
rpkelley
I bet there are a lot more production angular apps out there than people think
that have this vulnerability right now.

~~~
ryhanson
From the research I have done, this is a true statement. The reason is that
people are adding Angular into their web apps that were initially built with
an MVC framework of some sort.

The problem ends up being that they mix server side templates with client side
templates. If user input is rendered in a server side template and ends up in
an element that is part of the Angular scope, the expression will evaluate. So
attaching an angular controller to your body tag and then including server
side templates within the body is bad...
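
The server-side scrubbing that ryhanson describes above (strip the interpolation start and end symbols before user input lands in a server-rendered template that sits inside an Angular scope), as an added example that is not code from the thread or from any Angular project. The function names and the custom `[[`/`]]` symbols are assumptions; the delimiters are configurable because some apps change them.

```javascript
// Added example (not from the thread): server-side scrubbing of AngularJS
// interpolation delimiters. Note that HTML-entity encoding the braces is NOT a
// fix: Angular reads the already-decoded DOM text, so "&#123;&#123;" becomes
// "{{" and still interpolates. The pair has to be removed or broken up.

// Escape a literal delimiter so it can be used inside a RegExp.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Detection helper: return the raw expressions that Angular would evaluate
// if this string were rendered inside an Angular scope (useful for logging
// or rejecting input at the server).
function findExpressions(input, start = '{{', end = '}}') {
  const re = new RegExp(`${escapeRegex(start)}([\\s\\S]*?)${escapeRegex(end)}`, 'g');
  return [...String(input).matchAll(re)].map((m) => m[1].trim());
}

// Mitigation: strip every start/end delimiter. Stripping is repeated until a
// fixed point because a single pass can manufacture a new delimiter, e.g.
// "{{{}}{" -> "{{" after one pass, "" after the second.
function stripInterpolationDelimiters(input, start = '{{', end = '}}') {
  const re = new RegExp(`${escapeRegex(start)}|${escapeRegex(end)}`, 'g');
  let out = String(input);
  let prev;
  do {
    prev = out;
    out = out.replace(re, '');
  } while (out !== prev);
  return out;
}

// Constructed sample input, as it might arrive from a form field.
const sample = 'hello {{ 7 * 7 }} world';
console.log(findExpressions(sample));               // [ '7 * 7' ]
console.log(stripInterpolationDelimiters(sample));   // 'hello  7 * 7  world'
```

The alternative ryhanson prefers, keeping server-rendered user content out of the Angular scope entirely, needs no scrubbing at all; this helper is for the case where the templates are already mixed.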

------
bossmojoman
Crazy, now to go double check all my angular code

------
lorenmorris
This is a legitimate comment.

