AngularJS client-side template injection
Description
This web application is vulnerable to AngularJS client-side template injection, a security flaw that occurs when user-controlled input is embedded into pages using AngularJS templating without proper sanitization. Attackers can inject malicious AngularJS expressions using curly brace syntax (e.g., {{malicious_expression}}), which are then evaluated by the AngularJS framework in the user's browser. When combined with known sandbox escape techniques, this vulnerability can be exploited to execute arbitrary JavaScript code in the context of the victim's session, effectively bypassing AngularJS's built-in security mechanisms.
Remediation
Implement the following measures to prevent AngularJS client-side template injection:
1. Avoid Server-Side Reflection of User Input: Do not reflect user-controlled input directly into pages where AngularJS templates are rendered. If reflection is necessary, ensure input is rendered in contexts where AngularJS expressions cannot be evaluated.
2. Sanitize User Input: Treat curly braces ({{ and }}) as dangerous characters. Implement strict input validation and output encoding to prevent AngularJS expression syntax from being interpreted. Use Angular's built-in sanitization services such as $sanitize or the ng-bind directive instead of double curly brace interpolation for untrusted data.
3. Use ng-bind Instead of Interpolation: Replace double curly brace interpolation with the ng-bind directive for displaying user input:
<!-- Vulnerable -->
<div>Welcome {{username}}</div>
<!-- Secure -->
<div ng-bind="username">Welcome</div>4. Implement Content Security Policy (CSP): Deploy a strict Content Security Policy that restricts inline script execution and limits the sources from which scripts can be loaded.
5. Upgrade AngularJS: If possible, migrate to modern Angular (2+) which has removed client-side template compilation from user-controlled strings, or ensure you're using the latest AngularJS 1.x version with all security patches applied.