Building a Better Web
June 19–20, 2017: Training
June 20–22, 2017: Tutorials & Conference
San Jose, CA

So you thought you were safe using AngularJS? Think again.

Lewis Ardern (Synopsys)
3:35pm–4:15pm Thursday, June 22, 2017
Secondary topics: JavaScript frameworks and libraries (Angular, React, Ember, Vue, etc.), Security

Who is this presentation for?

  • Software developers, security consultants, and Angular enthusiasts

What you'll learn

  • Understand how security issues are introduced in AngularJS
  • Explore proactive solutions

Description

AngularJS is one of those wonderful frameworks that seems to hide so many of JavaScript’s warts. But while Angular adds much-needed features to the language, it also creates a handful of new security problems for developers to discover and work around.

Lewis Ardern walks you through an application that illustrates security issues discovered in real-world applications, explaining each problem and offering usable solutions. Lewis concludes with a discussion of how the platform is changing with every new release and the security concerns appearing with these new versions.

Topics include:

  • Explicitly trusting data through Angular services
  • Untrusted data treated as Angular expressions
  • Client-side template injection
  • Loading Angular templates insecurely
  • Incorrect use of third-party libraries such as typeahead, Angular-Translate, and textAngular

Lewis Ardern

Synopsys

Lewis Ardern is a security consultant at Synopsys/Cigital, where he specializes in application security, red teaming, and network assessments. He’s the founder of the Leeds Ethical Hacking Society and has helped develop projects such as SecGen, which generates vulnerable virtual machines on the fly for security training purposes. Lewis is currently working toward his PhD in web security.