
How I Stole Plunker Session Tokens with an Angular Expression - ryhanson
https://royaljay.com/security/angular-expression-injections/
======
filearts
Hi all, I'm the one who created the vulnerability (and ultimately fixed it).
I'm open to constructive questions.

To all those who cringe, please consider that this code was written while I
was learning Angular--and javascript, and html and css, for that matter--while
I was still working as a financial professional in a Big 4 accounting firm.
Times have changed: I've learned a lot from earlier mistakes and now work as a
full-stack developer with Auth0.

Unfortunately, much of the code-base in production Plunker dates from the time
when I was new to this whole field and demonstrates two important things:

1\. A case-study on inconsistent code style and anti-patterns.

2\. Something useful to the community can be produced despite #1.

I co-presented the following talk at ng-conf 2015 that explains this
philosophy pretty well:
[https://www.youtube.com/watch?v=hYXEuQZMLSM](https://www.youtube.com/watch?v=hYXEuQZMLSM)

