Is JSON vulnerability still possible?

I have a bunch of REST APIs which will be consumed by frontend applications created by customers using our product. I have suggested using only the last 2 versions of Chrome for running the frontend apps. They will be using Angular.

I was going through Angular’s security guide which says,

Cross-site script inclusion, also known as JSON vulnerability, can
allow an attacker's website to read data from a JSON API. The attack
works on older browsers by overriding built-in JavaScript object
constructors, and then including an API URL using a <script> tag.

This attack is only successful if the returned JSON is executable as
JavaScript. Servers can prevent an attack by prefixing all JSON
responses to make them non-executable, by convention, using the
well-known string ")]}',\n".

I checked the related questions on SO/SE. Going by the accepted answers, it seems that this used to be a vulnerability a long time ago, when browsers allowed overriding the Array constructor.
Is a JSON vulnerability attack still possible given that the latest version of Chrome will be used?

Related SE/SO questions:

  1. Why JSON Hijacking attack doesn’t work in modern browsers? How was it fixed?
  2. How is it possible to poison JavaScript Array constructor and how does ECMAScript 5 prevent that?
  3. How does including a magic prefix to a JSON response work to prevent XSSI attacks?
  4. https://stackoverflow.com/questions/55206306/is-facebook-suddenly-safe-against-json-hijacking/55206724#55206724
  5. https://stackoverflow.com/questions/3146798/why-do-people-put-code-like-throw-1-dont-be-evil-and-for-in-front-of#3147804
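The prefix convention quoted from Angular's guide above, shown as an added example that is not part of the original question and is not Angular's own code. The function names are hypothetical, and rejecting responses that lack the prefix is a choice made for this example.

```javascript
// Added example: the XSSI prefix convention from the quoted guide.
// Function names are hypothetical; this is not Angular's implementation.
const XSSI_PREFIX = ")]}',\n";

// Server side: serialize the payload and prepend the prefix so the
// response body is no longer valid JavaScript.
function protectJson(value) {
  return XSSI_PREFIX + JSON.stringify(value);
}

// Returns true if the text compiles as a script body, which is the
// precondition the guide names for the attack. new Function only
// compiles the text here; the resulting function is never called.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Client side: require and strip the prefix, then parse the rest as JSON.
// Failing closed on a missing prefix is an assumption of this example.
function parseProtectedJson(text) {
  if (!text.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the XSSI prefix");
  }
  return JSON.parse(text.slice(XSSI_PREFIX.length));
}

// Constructed sample payload.
const bare = JSON.stringify([{ id: 1, name: "alice" }]);
const guarded = protectJson([{ id: 1, name: "alice" }]);

console.log("bare array parses as script:   ", parsesAsScript(bare));
console.log("prefixed body parses as script:", parsesAsScript(guarded));
console.log("client view after stripping:   ", parseProtectedJson(guarded));
```

A top-level JSON array is a valid JavaScript expression statement, which is why array responses were the ones at risk; the prefixed body fails at the first character regardless of what follows.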


Security in Angular: Addressing XSS Concerns with External Libraries and Interpolation

Introduction:
We heavily use external libraries, such as DataTables, in combination with interpolation. In Angular, we’ve identified two primary XSS prevention strategies:

Interpolation ({{ }})
Direct Sanitization with DomSanitizer.saniti…

Progressive profiling with auth0: Security when communicating with auth0 actions

I currently try to implement progressive profiling with auth0 according to: https://auth0.com/blog/using-redirect-with-actions-to-gather-user-info-and-increase-conversions/ to gather first name and last name of a user after a successful reg…

Are there specific cybersecurity things to be aware of before creating a forum site or message board using Google firebase? [closed]

I am an entrepreneur who hires developers on Fiverr or Upwork to maintain and develop my MVP website (built using Angular).
I want the website to develop into a forum/message board. However I want to be sure I am aware of any nuances with m…