Property
Language: javascript
Severity: low
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP: A07:2017 - Cross-Site Scripting (XSS)
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Allowlisting resource URLs with a wildcard entry such as '**' in Angular's $sceDelegateProvider matches every URL, so the app can load scripts, templates or other resources from any domain, including untrusted ones. This bypasses Angular's strict contextual escaping (SCE) controls and increases the risk of malicious content being loaded.
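The following is an added example, not code from the rule page or from AngularJS itself. It is a small dependency-free re-implementation of how AngularJS turns a string pattern from the $sceDelegateProvider resource URL allowlist into an anchored regular expression (per the AngularJS documentation: '*' matches a run of characters other than ':', '/', '.', '?', '&' and ';', while '**' matches anything). It places the weak '**' configuration beside a scoped one and checks which URLs each accepts. The application origin used for 'self', the CDN host, the module name and the helper names are all assumptions.

```javascript
// Added example (not the rule's or AngularJS's own code): a minimal model of
// the $sceDelegateProvider allowlist matcher, used to compare a '**' entry
// against a scoped allowlist. APP_ORIGIN is an assumed origin standing in for
// the document origin that AngularJS uses for the 'self' entry.
const APP_ORIGIN = 'https://app.example.com';

// Escape every regex metacharacter so the pattern is matched literally,
// except for the '*' wildcards handled below.
function escapeForRegExp(s) {
  return s.replace(/[-()[\]{}+?*.$^|,:#<!\\]/g, '\\$&');
}

// Convert one allowlist entry into a predicate over a fully qualified URL.
// Mirrors the documented AngularJS semantics: patterns are anchored to the
// whole URL, '**' becomes '.*', and '*' cannot cross ':', '/', '.', '?', '&', ';'.
function patternToMatcher(pattern) {
  if (pattern === 'self') {
    return (url) => url === APP_ORIGIN || url.startsWith(APP_ORIGIN + '/');
  }
  if (pattern instanceof RegExp) {
    const re = new RegExp('^' + pattern.source + '$');
    return (url) => re.test(url);
  }
  if (pattern.includes('***')) {
    throw new Error("'***' is not a valid wildcard");
  }
  const source = escapeForRegExp(pattern)
    .replace(/\\\*\\\*/g, '.*')            // '**' -> match anything
    .replace(/\\\*/g, '[^:/.?&;]*');       // '*'  -> stay inside one segment
  const re = new RegExp('^' + source + '$');
  return (url) => re.test(url);
}

// A URL is a trusted resource URL if any entry in the allowlist matches it.
function isResourceUrlAllowed(allowlist, url) {
  return allowlist.some((pattern) => patternToMatcher(pattern)(url));
}

// Weak configuration the rule flags: a bare '**' accepts every URL.
const WEAK_ALLOWLIST = ['**'];

// Scoped configuration: same origin plus one path prefix on an assumed CDN host.
const SCOPED_ALLOWLIST = ['self', 'https://cdn.example.com/assets/**'];

// A '**' inside the host part is also too broad: the wildcard can swallow the
// real host and a query string before the literal suffix is matched.
const HOST_WILDCARD_ALLOWLIST = ['https://**.example.com/**'];

// How the scoped list would be installed in an AngularJS app (assumed module
// name): angular.module('app').config(['$sceDelegateProvider', configureResourceUrls]);
function configureResourceUrls($sceDelegateProvider) {
  $sceDelegateProvider.trustedResourceUrlList(SCOPED_ALLOWLIST);
}

// Constructed sample URLs for a quick comparison when run stand-alone.
const SAMPLE_URLS = [
  'https://app.example.com/templates/login.html',
  'https://cdn.example.com/assets/app.js',
  'https://untrusted.example.net/payload.js',
  'https://untrusted.example.net/?ignore=.example.com/',
];
for (const url of SAMPLE_URLS) {
  console.log(
    url,
    'weak:', isResourceUrlAllowed(WEAK_ALLOWLIST, url),
    'scoped:', isResourceUrlAllowed(SCOPED_ALLOWLIST, url),
    'host-wildcard:', isResourceUrlAllowed(HOST_WILDCARD_ALLOWLIST, url)
  );
}
```

The scoped list is what a reviewer should expect to see: 'self' for templates served from the app origin and an explicit scheme, host and path prefix for each external source. Note that a single '*' is safe to use for one host label (for example a subdomain), whereas '**' should only appear at the end of a path.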

Impact

If exploited, attackers could inject and execute malicious scripts from external sources, leading to cross-site scripting (XSS) attacks. This can compromise user data, steal authentication tokens, or allow attackers to perform actions on behalf of users, putting both users and the organization at risk.