| Details | |
|---|---|
| Alert ID | 200021-12 |
| Alert Type | Tool |
| Status | alpha |
| Risk | High |
| CWE | 79 |
| WASC | |
| Technologies Targeted | All |
| Tags |
CWE-79 OWASP_2021_A03 TOOL_PTK |
Summary
Detects AngularJS client-side template and expression injection by sending version-gated AngularJS sandbox-escape probes to query and form parameters, then requiring browser-executed proof from the PTK browser-nav harness.
Generated by OWASP PTK DAST Module
Solution
Do not render attacker-controlled values inside AngularJS templates or expressions. Treat reflected values as data, avoid dynamic expression evaluation, upgrade away from AngularJS where possible, and apply contextual output encoding plus a restrictive CSP.Other Info
References
- https://portswigger.net/web-security/cross-site-scripting/contexts/angularjs-sandbox
- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
- https://docs.angularjs.org/guide/security