JavaScript : SCE mode disabled
Classification
Overview
SCE is disabled in the AngularJS application. Turning it off removes the framework's default output checks and can lead to vulnerabilities.
Strict Contextual Escaping (SCE) is a mode in which AngularJS only renders trusted values in sensitive binding contexts. SCE makes the code more secure by preventing attacks such as XSS, clickjacking, and similar injection-based attacks.
To block XSS systematically, AngularJS treats all values as untrusted by default. When an untrusted value is bound, AngularJS automatically runs context-dependent security checks on it (sanitization, a whitelist check, and so on) or throws an exception when it cannot guarantee that the result is safe. The outcome depends strongly on the binding context: HTML can be sanitized, but URLs, for example, cannot.
Cross-site scripting (XSS) is one of the most common types of attack on web applications. XSS is listed seventh (A7) in the OWASP Top 10 2017 list of the ten most significant web application vulnerabilities.
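As an added illustration (not code from the original rule description), the following shows the configuration the rule flags next to the corrected form, together with a small detector that locates the `$sceProvider.enabled(false)` call in source text. The sample config snippets and the detector function are constructed here; `$sceProvider.enabled`, `$sce.trustAsHtml` and `ngSanitize` are the real AngularJS APIs.

```javascript
// Constructed sample: SCE switched off in a config block. This is the pattern
// the rule flags, because every bound value is then rendered as trusted
// HTML/URL without any contextual check.
const weakConfig = `
angular.module('app', ['ngSanitize'])
  .config(['$sceProvider', function ($sceProvider) {
    // Completely disables SCE for the whole application.
    $sceProvider.enabled(false);
  }]);
`;

// Constructed sample: SCE left on (the default). A value that genuinely must
// be rendered as HTML is marked trusted explicitly and locally via $sce,
// instead of disabling the checks everywhere.
const fixedConfig = `
angular.module('app', ['ngSanitize'])
  .controller('Ctrl', ['$scope', '$sce', function ($scope, $sce) {
    $scope.snippet = $sce.trustAsHtml('<b>reviewed, static markup</b>');
  }]);
`;

// Detector: returns the 1-based line numbers of every
// "$sceProvider.enabled(false)" call, tolerating arbitrary whitespace, so a
// reviewer or CI check can point at the exact location.
function findSceDisabled(source) {
  const pattern = /\$sceProvider\s*\.\s*enabled\s*\(\s*false\s*\)/;
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    if (pattern.test(line)) {
      hits.push(idx + 1);
    }
  });
  return hits;
}

// Running the detector over both samples: the weak config is reported on
// line 5, the corrected config produces no findings.
console.log('weak config findings:', findSceDisabled(weakConfig));
console.log('fixed config findings:', findSceDisabled(fixedConfig));
```

The detector is a textual check only; it will not see the call if it is built dynamically, so it complements rather than replaces a proper SAST rule.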
References
- OWASP Top 10-2017 A7-Cross-Site Scripting (XSS)
- OWASP: Cross-site Scripting (XSS)
- CWE-79: Improper Neutralization of Input During Web Page Generation
- Strict Contextual Escaping
- CWE CATEGORY: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
