How to prevent XSS injection in angularjs and webapi - angularjs

I am implementing OWASP in my project using AngularJS and Web API. Can someone please help me prevent XSS attacks in my project? I have used ngSanitize to prevent script injection while inserting code from the UI, and it is working fine, but using Fiddler I am able to inject the script through the Web API.
Can you please help me with the best approach for this?
Thanks in advance.

If you have installed Microsoft.AspNet.WebApi.Cors,
then you should be able to restrict your controllers/endpoints by decorating them with
[EnableCors(origins: "http://mywebsite.com", headers: "*", methods: "*")]
This will restrict that controller/endpoint to only accept CORS requests from that site. Have you tried reading Enabling Cross-Origin Requests on the ASP.NET site?
And to stop XSS you could try some sort of data validation. Have you got any of the code you're using to show how this XSS is being done on your Web API?
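The point this thread circles, shown as an added example that is not from either poster: ngSanitize only runs in the browser, so a request sent straight to the Web API (via Fiddler, curl, or any script) never passes through it, and the API has to validate input on the way in and encode output on the way out itself. The field names, the allow-list rule and the simulated handler below are assumptions for illustration, written in plain JavaScript so it runs stand-alone; the same two functions would be ported into the Web API controller.

```javascript
// Allow-list validation for a field that should never contain markup.
// Returns { ok: true, value } or { ok: false, reason }.
function validateDisplayName(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  const value = input.trim();
  if (value.length < 1 || value.length > 40) return { ok: false, reason: 'length' };
  // Letters, digits, spaces and a few punctuation marks only: no < > " ' & / etc.
  if (!/^[\p{L}\p{N} ._-]+$/u.test(value)) return { ok: false, reason: 'characters' };
  return { ok: true, value };
}

// Output encoding for an HTML text or attribute context. Apply it to every
// untrusted value the API returns that the client will place into the DOM.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulated "create comment" API handler (hypothetical). The body arrives exactly
// as a proxy would send it, with no client-side sanitisation applied.
function handleCreateComment(body) {
  const name = validateDisplayName(body.displayName);
  if (!name.ok) return { status: 400, error: `displayName: ${name.reason}` };
  if (typeof body.text !== 'string') return { status: 400, error: 'text: not a string' };
  // Free text cannot be allow-listed as tightly, so it is encoded on output.
  return { status: 201, displayName: name.value, text: encodeForHtml(body.text) };
}
```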

Related

How to handle CORS error in AngularJS

How to handle a CORS error in AngularJS? I used a CORS tool in Chrome and fixed the issue. Is there any chance to handle it in the frontend without using a CORS tool? I don't want to make any change in the backend.
CORS is a built-in browser security feature. Modern browsers use CORS to determine whether they have been given access to a certain resource.
Turning it off is a hack. Using a CORS tool in Chrome isn't fixing the issue at all; it's monkey-patching it so that it works on your development machine.
You'll have to read up on how to configure CORS on the server side. For a safe application CORS is not optional, and it is in your company's interests to implement it, but unfortunately it's beyond the scope of the question for me to tell you how to do that here.
Alternatively, you could configure your application and your backend to work with JSONP, CORS's older cousin. CORS is generally preferred to JSONP because JSONP only supports GET requests, but it may be easier to set up in your circumstance.
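What "configure CORS on the server side" looks like, as an added example that is not from the answer above: a framework-agnostic policy that answers the browser's preflight and grants access per origin from an allow-list, rather than the blanket `Access-Control-Allow-Origin: *`. The origins, methods and header names are constructed for the example; a real server would plug this into its own middleware.

```javascript
// Allow-list of origins that may call this API (constructed values; the
// localhost entry is the kind of dev-server origin the question is about).
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'http://localhost:8100']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Decide the CORS response for one request. `reqHeaders` keys are lower-case.
// Returns { status?, headers, passThrough }: passThrough=true means the normal
// handler should run and add `headers` to its response.
function corsPolicy(method, reqHeaders) {
  const origin = reqHeaders['origin'];
  if (!origin) return { passThrough: true, headers: {} }; // same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: refuse the preflight and send no CORS headers on real
    // requests, so the browser blocks the page from reading the response.
    return method === 'OPTIONS'
      ? { status: 403, passThrough: false, headers: {} }
      : { passThrough: true, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,      // echo the matched origin, never '*' with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                           // caches must not reuse this response across origins
  };
  const wanted = reqHeaders['access-control-request-method'];
  if (method === 'OPTIONS' && wanted) {
    // Preflight: say which methods and headers the real request may use.
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, passThrough: false, headers: {} };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, passThrough: false, headers };
  }
  return { passThrough: true, headers };
}
```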

Ionic / Apache Cordova - HTTP requests best practices

I'm developing an app with the Ionic framework and a JEE + PostgreSQL backend.
I'm actually in doubt about the HTTP requests:
Should I use only JSONP? Or add an Access-Control-Allow-Origin * in my HTTP headers?
Of course, both of these solutions work; the second solution seems insecure to me, but I'm not used to mobile requests (without a domain-based call/endpoint), so I don't really know what to choose... I might also be missing some other way to do the job...
Does somebody know how to properly build this kind of communication?
Thank you!
If you want to be very flexible and very secure, you might want to implement a JSON Web Token solution. The server issues JSON Web Tokens to your users. You can define who gets a token. Then the token must be attached to every request from Ionic to your server. The server determines what data to return if the user is authorized.
For JEE there is this package. For Ionic the auth0 repositories are a good place to start studying. You can find many examples online. I think that is the most elaborate solution available, though it might not be the easiest to implement.

AngularJS csrf token in development environment

I have an app with Django as the server and Angular on the front end.
I know both Django and Angular have built-in support for CSRF (Cross-Site Request Forgery) protection.
So from these resources:
http://django-angular.readthedocs.org/en/latest/csrf-protection.html
Django csrf token + Angularjs
I could implement CSRF protection easily.
But unfortunately those solutions are not working for me.
More digging showed that it won't work for cross domains. Well, my Django and Angular will be in the same domain after the build, but I want to test CSRF in my development environment.
So my question is, how can I use CSRF cross-domain (in this scenario)? At least in my dev environment? (http://localhost/)
Thanks in advance.
I think you could simulate a domain name by modifying the /etc/hosts file;
please refer to the link below for more information, it will surely solve your problem:
https://docs.acquia.com/article/using-etchosts-file-custom-domains-during-development

Server Validation with angularjs

Can anyone please tell me how to write server validation with AngularJS? I referred to so many sites, and no one can explain it properly.
Is it possible to do server validation with AngularJS? Please help me with a proper demo/reference.
Because I want to implement it in my current project.
You need to write a server side API. Any server side validation would live in the PUT and POST methods of your API.
Then with Angular you use the Angular $http or $resource service to access your API.

Spring vs Angular js - Rest URLs getting exposed

I have a backend REST app. I'm presently developing the frontend app. Now I am confused as to how to set up the frontend app.
Case 1 - Plan to use Spring and have a frontend controller layer that takes care of calling the REST services. But I need to have models and POJOs set up the same as in the backend to parse the JSON response. This seems like an overload on the frontend. How do I go about this?
Case 2 - Plan to use Angular.js. Then I need to have all my REST URLs in controller.js, which is completely accessible to anyone. That way I'm totally exposing my REST domain, URLs and request format. Is it not a security threat? How do I go about this?
Can you please tell me which case is better and more secure, and how to resolve the problem attached to it?
Secure your REST endpoints using a scheme like OpenID or OAuth or something else. Spring and numerous other web app frameworks have components to help with such authentication.
AngularJS is a client side framework. You can use Angular along with Spring. They are not mutually exclusive.
Finally, any http request (including RESTful http requests) invoked on a client is easily accessed simply by viewing the network traffic. Chrome, Firefox, along with other browsers provide tools, out of the box, that make this very easy to do. All the more reason to secure those REST endpoints.