1. Template injection and DomSanitizer bypass
Angular prevents template injection by compiling templates at build time, not at runtime. However, two patterns bypass this protection. The first is bypassSecurityTrustHtml() used to skip sanitization on user content rendered into the DOM. The second is dynamic component rendering using ComponentFactoryResolver with template strings constructed from user data.
// VULNERABLE pattern: bypassing sanitizer on user-controlled content
@Component({
template: `<div [innerHTML]="userContent"></div>`
})
export class ProfileComponent {
userContent: SafeHtml;
constructor(private sanitizer: DomSanitizer) {
// Bypasses the sanitizer entirely
this.userContent = this.sanitizer.bypassSecurityTrustHtml(this.user.bio);
}
} We audit every call to bypassSecurityTrust* methods in the codebase to determine if user-controlled data reaches them.
2. Route Guard client-side trust issues
Angular Route Guards are JavaScript functions that run in the browser. We test every guarded route by: (1) directly navigating to the route's URL without triggering the guard (by loading the URL directly instead of navigating through the Angular Router), (2) manipulating Angular service state in the browser console to bypass the guard check, and (3) calling the API endpoints that the guarded route fetches directly without any Angular router involvement.
3. HttpClient interceptor token leakage
Angular applications commonly use an HttpInterceptor to attach JWT Bearer tokens to all outgoing requests automatically. We test for two failure modes: (1) the interceptor attaches credentials to requests made to third-party domains (like analytics endpoints, CDN servers, or third-party APIs), which leaks the token to those domains, and (2) the interceptor does not strip credentials from requests to domains the token is not intended for, creating a token misdirection path if any redirect is introduced.
4. Angular Universal SSR data leakage
Angular Universal renders pages server-side. If the server fetches user-specific data during server-side rendering and embeds it into the initial HTML payload (the TransferState object), that server-rendered HTML contains the user's session data in the raw page source. We verify that server-side rendering does not embed sensitive data into the window.__TRANSFER_STATE__ object visible to anyone who views the page source.
bypassSecurityTrustHtml exposing admin panel to XSS
During an audit of an Angular enterprise dashboard for a Nigerian financial services company, we found that the notification component rendered notification messages using bypassSecurityTrustHtml(). Notifications were generated by the backend and included user-submitted content. By submitting a support request containing an HTML script tag, we triggered a stored XSS on every admin user who loaded their notification panel. The script exfiltrated admin session tokens. Fix priority: critical. Remediated by switching to text-based rendering and applying server-side HTML sanitization on all stored notification content.
Running an Angular enterprise portal handling sensitive data? Book a security assessment.
Book an Angular PentestFrequently asked questions
Does Angular's built-in sanitizer prevent all XSS attacks?
Angular's DomSanitizer sanitizes values bound to innerHTML, style, and URL properties. However, bypassing it is possible when developers use bypassSecurityTrust methods (bypassSecurityTrustHtml, bypassSecurityTrustUrl) to skip sanitization on user-controlled content, or when innerHTML is bound directly from an untrusted data source.
What is an Angular Route Guard bypass?
Route Guards (CanActivate, CanLoad) execute client-side checks before rendering a route. If the guard returns true based on a client-side state variable (like a flag in an Angular service), an attacker who modifies that variable in the browser or through XSS can access guarded routes. The API endpoints those routes call must enforce authorization independently.
How do Angular HttpClient interceptors create security risks?
HttpInterceptors automatically attach authentication headers (like Bearer tokens) to outgoing requests. If an interceptor attaches tokens to all requests regardless of the destination domain, it may attach credentials to requests that are redirected to attacker-controlled domains, causing token theft through open redirect chains.
Related reading
Blog: React SPA security testing · Vue and Nuxt security testing · JWT token security
Services: Penetration testing · API security testing