Originally developed in 2009 and released in 2010, AngularJS is a structural framework for dynamic web apps. AngularJS picks up where HTML leaves off by letting you extend the HTML vocabulary of your web application, which translates into an expressive and readable environment. At the heart of the framework is two-way data binding, which keeps the view and the model synchronized as the user enters input and interacts with the interface.
While games and GUI editors are examples of applications that are not ideal fits for Angular, this framework shines when it comes to CRUD (Create, Read, Update, Delete) applications which make up a majority of applications found on the web.
At the time of writing there are no published common vulnerabilities and exposures (CVEs) for AngularJS, but developers should still be concerned about a subtype of injection known as content injection, or content spoofing. Content spoofing occurs when an application reflects user-supplied data back to the user without handling it properly: by controlling a parameter value, an attacker supplies content that the application renders into its own page, and the victim ends up reading attacker-chosen text under the context of a trusted domain.
A second route to XSS in an AngularJS app is expression injection: if untrusted input is allowed to become part of a template, any {{ }} markers inside it are evaluated as Angular expressions in the victim's browser. The expression sandbox that constrains those expressions was intended to keep application logic out of templates, not to act as a security boundary, and sandbox escapes have been published for many 1.x versions, turning template injection into full XSS. The AngularJS team has said as much and removed the sandbox entirely in version 1.6. The dependable defence is never to let user-controlled data reach the template as text.
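The following Node.js snippet is an added example, not code from the original post or from the AngularJS project. It ties the two points above together: a query parameter reflected into a search page (content spoofing) that, because the page is also an AngularJS template, becomes expression injection. The handler names, the markup and the {{7*7}} probe are illustrative assumptions; the AngularJS controller that would read the #initial-state element into $scope.state is assumed and not shown.

```javascript
// Added example (not from the original post or the AngularJS project):
// a Node.js server renders a search-results page for an AngularJS app.
// The handler names, markup and the {{7*7}} probe are illustrative
// assumptions; the AngularJS controller that reads #initial-state into
// $scope.state is assumed and not shown.

const INTERPOLATION_PROBE = '{{7*7}}'; // classic CSTI probe: renders "49" if compiled as a template

// Ordinary HTML entity escaping. It stops markup injection but leaves
// "{" and "}" untouched, so an Angular expression passes straight through.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// JSON destined for a <script type="application/json"> block: escape the
// characters that could terminate the script element or upset a JS parser.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// VULNERABLE: the (escaped) query parameter is reflected into the element
// that AngularJS compiles, so "{{...}}" inside it becomes an expression
// evaluated in the browser: content spoofing at best, XSS via a sandbox
// escape at worst.
function renderUnsafe(query) {
  return `<div ng-app="searchApp"><p>Results for ${escapeHtml(query)}</p></div>`;
}

// SAFER: untrusted data never becomes template text. It is shipped as JSON
// outside the compiled region and displayed with ng-bind, which assigns
// textContent instead of compiling markup or expressions.
function renderSafe(query) {
  return [
    `<script type="application/json" id="initial-state">${jsonForScript({ query })}</script>`,
    `<div ng-app="searchApp" ng-controller="SearchCtrl">`,
    `<p>Results for <span ng-bind="state.query"></span></p>`,
    `</div>`,
  ].join('\n');
}

// Review helper: report whether interpolation markers ended up inside the
// ng-app element, i.e. inside text that AngularJS will compile.
function compiledRegionHasInterpolation(html) {
  const region = /<div ng-app[^>]*>([\s\S]*?)<\/div>/.exec(html);
  return region !== null && /\{\{[\s\S]*?\}\}/.test(region[1]);
}

console.log('escaping changes the probe?', escapeHtml(INTERPOLATION_PROBE) !== INTERPOLATION_PROBE); // false
console.log('unsafe page compiles user text?', compiledRegionHasInterpolation(renderUnsafe(INTERPOLATION_PROBE))); // true
console.log('safe page compiles user text?', compiledRegionHasInterpolation(renderSafe(INTERPOLATION_PROBE))); // false
```

The point of the probe is that HTML escaping, which is the reflex fix for reflected content, does nothing to it: braces are not HTML-significant, so the escaped string is still a live Angular expression once the page is compiled. The safer layout keeps server-rendered data out of the compiled region altogether and lets ng-bind set text content on the client.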
Other security risks facing AngularJS developers, including broken authentication and session management, insecure direct object references and security misconfiguration, are covered in depth in Kevin Hakanson's OWASP Top 10 for AngularJS talk.
The Backbone.js project is hosted on GitHub, and real-world deployments of the framework range from CRM platforms to online news sites and multimedia pages. On the news side, USA Today keeps its code base manageable and efficient through the modularity of Backbone.js' data/model lifecycle. On the interactive side, Hulu used Backbone.js to position itself as the next generation of online video, with smooth transitions between pages made possible by loading them dynamically. WordPress's notification system is likewise built on Backbone.js models, collections and views.
Like Angular, Backbone has no published CVEs at the time of writing, but unlike Angular it has no security contact and no documentation on how to write secure code with it. Backbone also depends on jQuery for DOM manipulation and Ajax, and jQuery does have known CVEs, so keeping that dependency current is part of keeping a Backbone application secure.
Core Knockout features include elegant dependency tracking, declarative bindings and trivial extensibility. Knockout follows the Model-View-ViewModel (MVVM) pattern, which separates the view (the markup) from the view model that holds the state and behaviour the markup binds to.
Because of those binding capabilities, Knockout's biggest threat is XSS. As noted on this Knockout security thread on StackExchange, “The vulnerabilities come from the use of eval (or some equivalent) to convert text in the data-bind attribute to executable script. Most of the examples show attacks where malicious script could be executed if it is injected into a data-bind attribute.”
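The snippet below is an added example, not code from the original post or from Knockout itself. It shows why a user-controlled string spliced into a data-bind attribute is executable even when the attribute value is entity-escaped, and the binding style that avoids the problem. evaluateBinding() is a deliberately small stand-in for Knockout's binding parser, which likewise turns the attribute text into a function body with the view model in scope; the function names, markup and payload are constructed for illustration.

```javascript
// Added example (not from the original post or Knockout's own code): why a
// user-controlled string inside a data-bind attribute is executable, and the
// binding style that avoids it. evaluateBinding() is a small stand-in for
// Knockout's binding parser, which likewise turns the attribute text into a
// function body with the view model in scope. Names and the payload are
// constructed for illustration.

// Escaping for an HTML attribute value. Necessary against markup injection,
// but see decodeEntities(): the browser undoes it before Knockout looks.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// What element.getAttribute('data-bind') hands back: entities already decoded.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Simplified extraction of the binding text from a markup string.
function bindingText(markup) {
  const m = /data-bind="([^"]*)"/.exec(markup);
  return m ? decodeEntities(m[1]) : null;
}

// Stand-in for Knockout's evaluation: the attribute text is wrapped in an
// object literal and compiled with new Function, the view model in scope.
function evaluateBinding(text, viewModel) {
  return new Function('$data', 'with ($data) { return {' + text + '}; }')(viewModel);
}

// VULNERABLE: the display name is spliced into the binding expression, so
// it is parsed as JavaScript, not treated as data.
function markupUnsafe(displayName) {
  return `<span data-bind="text: '${escapeAttr(displayName)}'"></span>`;
}

// SAFE: the binding expression is a constant naming a view-model property;
// the untrusted string exists only as a value on the view model.
function markupSafe() {
  return `<span data-bind="text: displayName"></span>`;
}

// Constructed payload. A real attack would put alert(1) or a cookie-stealing
// request where the marker assignment is; the marker only records execution.
const PAYLOAD = "' + (globalThis.bindingRan = true) + '";

// Bind the markup against a view model and report what happened.
function runBinding(markup, viewModel) {
  globalThis.bindingRan = false;
  const result = evaluateBinding(bindingText(markup), viewModel);
  return { text: result.text, executed: globalThis.bindingRan === true };
}

const viewModel = { displayName: PAYLOAD };
console.log('unsafe:', runBinding(markupUnsafe(PAYLOAD), viewModel)); // { text: 'true', executed: true }
console.log('safe:  ', runBinding(markupSafe(), viewModel));          // { text: PAYLOAD, executed: false }
```

In real code the evaluation step is ko.applyBindings() rather than the stand-in, but the binding text it receives is the same decoded attribute value shown here. The lesson is the one the quoted thread gives: escaping for the attribute context protects the HTML parser, not the expression parser that runs afterwards, so the only robust rule is that user data goes into the view model, never into the binding string.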