Add AngularJS client side template injection #1340

Open
wants to merge 3 commits into
base: v3.2/dev
from

3 participants
@franbuehler
Collaborator

commented Apr 6, 2019

This is a new rule 941370 at PL1.
This PR covers client side template injection with AngularJS.
Angular and AngularJS are executed in the client browser and are not detected by CRS. But as soon as a command is sent to the server, we should detect the injection.
I have seen in the intentionally vulnerable app Pixi by DevSlop that this traffic is sometimes sent to the server.

I am not sure about false positives. I would be happy if someone could test this PR ;)
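To illustrate what such a server-side check sees, here is a small added example (not code from this PR or from CRS, and not the regex of rule 941370): it URL-decodes a query string and reports every parameter carrying an AngularJS-style `{{...}}` expression. The constructed samples include a harmless Mustache-like text so the false-positive concern raised in this thread is visible.

```python
import re
from urllib.parse import parse_qs

# Simplified, constructed pattern for an AngularJS template expression:
# anything between double curly braces. Assumption: this is NOT the
# expression used by CRS rule 941370, only an illustration of the idea.
ANGULAR_EXPR = re.compile(r"\{\{(.+?)\}\}", re.DOTALL)


def find_template_expressions(value: str):
    """Return the expressions found inside {{...}} in one decoded value."""
    return [m.group(1).strip() for m in ANGULAR_EXPR.finditer(value)]


def scan_query_string(query: str):
    """Decode a raw query string and report parameters carrying {{...}}.

    parse_qs percent-decodes each value once, so %7B%7B...%7D%7D is seen
    as {{...}}. Returns {parameter name: [expressions found]}; an empty
    dict means nothing matched.
    """
    findings = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            exprs = find_template_expressions(value)
            if exprs:
                findings.setdefault(name, []).extend(exprs)
    return findings


# Constructed sample requests (not taken from the page):
SAMPLES = {
    "plain": "q=angular+tutorial",                # no braces at all
    "injected": "q=%7B%7B1%2B1%7D%7D",            # {{1+1}} percent-encoded
    "fp_mustache": "body=Hello+%7B%7Bname%7D%7D", # benign template text, still matches
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        print(f"{label:12s} -> {scan_query_string(query)}")
```

The `fp_mustache` sample shows why a plain `{{...}}` match alone is a paranoia-level question: any application that legitimately submits template text to the server will trigger it.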

@dune73

Collaborator

commented Apr 6, 2019

Thank you for the PR.

While writing {{...}} is rather unnatural, I think PL1 might be a bit optimistic...

@fgsch

Collaborator

commented Apr 26, 2019

Tests are failing:

util/integration/format_tests.py::test_trailing_whitespace Line 721 in ./rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf has trailing whitespace.
@fgsch

Collaborator

commented May 3, 2019

Can you sync with master so this is testing against the right image?

@dune73

Collaborator

commented May 5, 2019

We have not seen any real world tests of this rule and I am reluctant to merge at PL1. Would merge at PL2 though. For PL1, I think we need reports about the rate of FPs.

@dune73 dune73 added the Needs action label May 5, 2019
