Pluralsight - AngularJS Security Fundamentals (2015)

AngularJS has achieved enormous popularity in a very short amount of time, but developers keep asking - what are the security implications? This course helps those building apps on client side frameworks understand where the risks lie and how to mitigate them. Client side frameworks such as AngularJS have become enormously popular due to their ability to streamline the development process and make more responsive web applications by moving workload from the server to the browser. With the popularity and enthusiasm around these frameworks also comes confusion about their security profiles and associated risks.

Often, when developers build client apps with server back ends they approach the application as though they control the entire ecosystem. Assumptions are often made that the client they built will only ever talk to the server side APIs they built in the way they designed them. This view often overlooks the risk of an attacker circumventing the client controls and executing calls directly against the server side A9PI outside the intended scope of the application. Much of this course is about helping developers understand where the security boundaries of client side frameworks begin and end. It does this by demonstrating common implementation patterns using Angular and illustrating where security weaknesses may be introduced. It also highlights specific defenses implemented by Angular, and demonstrates the mechanics of how they work, and how they may be misconfigured to introduce risks.

Introduction 15:42
Overview 1:36
Why Angular Security? 3:43
Who This Course Is For 2:39
About the Course 2:24
Introducing the Insecure AngularJS App 3:42
Summary 1:34
Understanding Client Framework Security Boundaries 28:03
Overview 1:55
The Composition of AngularJS 3:37
Overview of the Web Stack 3:09
Typical Security Risks in the Stack 4:41
Defending the Stack 4:52
Always Assume the Client Is Compromised 2:57
Circumventing the Client 4:15
Summary 2:34
Working with Security Controls on the Server 38:27
Overview 1:48
Understanding Page Lifecycles 5:46
Authentication and Identity Persistence 2:40
Cookies Versus Tokens 4:58
Sending the Bearer Token 4:00
Persisting the Bearer Token When the DOM Is Unloaded 5:00
Exploiting Insufficient Authorization 4:45
The Risk Behind Client Side Security Trimming 3:50
Securing Templates Versus Securing Services 3:17
Summary 2:17
Common Security Flaws on the Client Side 32:24
Overview 1:44
Understanding DOM Versus HTML Source 4:09
Security Assumptions and the Risk of "View Source" 4:15
Excessive Model Attributes in API Responses 3:20
Understanding Output Encoding in Client Libraries 6:13
HTTP Only and Secure Cookies 4:47
The Risk of Cross Site Request Forgery 5:24
Summary 2:28
Security Constructs Within AngularJS 32:43
Overview 1:49
Protecting Against Cross Site Request Forgery 8:29
Using the ngSanitize Module 5:57
Working with Unsanitized HTML 5:46
The Danger of Server Side Templates Rendering User Input 8:18
Summary 2:22