mustache-security


A wiki dedicated to JavaScript MVC security pitfalls

This place will host a collection of security tips and tricks for JavaScript MVC frameworks and templating libraries.

Our focus will be on shedding light on the numerous novel ways to abuse common MVC frameworks to execute arbitrary JavaScript in unexpected situations. We further aim to find a metric for the security of JS MVC frameworks and to allow penetration testers as well as developers to save time on attacking and hardening JS MVC-based applications and apps.

A nice set of slides has been created too; you can find it here: JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks

Currently, the following qualifiers are used to estimate a framework's security level:

  • {}SEC-A Are template expressions executed without using eval or Function? (yes = pass)
  • {}SEC-B Is the execution scope well isolated or sand-boxed? (yes = pass)
  • {}SEC-C Can only script elements serve as template containers? (yes = pass)
  • {}SEC-D Does the framework allow, encourage or even enforce separation of code and content? (yes = pass)
  • {}SEC-E Does the framework maintainer have a security response program? (yes = pass)
  • {}SEC-F Does the framework allow or encourage safe CSP rules to be used? (yes = pass)

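To make the first two qualifiers concrete, here is an added example (not code from this wiki or from any of the frameworks listed below): two minimal `{{ }}` renderers, one that compiles expressions with `Function` (fails SEC-A and SEC-B) and one that only resolves own-property paths on the data object (passes both). All function names are hypothetical.

```javascript
// Added example, not from the mustache-security wiki. Two tiny renderers for
// "{{ expr }}" placeholders, illustrating qualifiers SEC-A and SEC-B.

const PLACEHOLDER = /\{\{\s*(.+?)\s*\}\}/g;

// FAILS SEC-A and SEC-B: the expression is compiled with Function, so
// whatever stands between the braces is executed as JavaScript, and the
// with() block gives it the data object plus the global scope to work with.
function renderUnsafe(template, data) {
  return template.replace(PLACEHOLDER, (_, expr) =>
    new Function('data', 'with (data) { return (' + expr + '); }')(data));
}

// PASSES SEC-A and SEC-B: an expression may only be a dot-separated path of
// identifiers, resolved by plain property lookup restricted to own
// properties. Nothing is compiled, and inherited members such as
// constructor or __proto__ are never reachable from a template.
function resolvePath(expr, data) {
  if (!/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(expr)) return '';
  let cur = data;
  for (const key of expr.split('.')) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) return '';
    cur = cur[key];
  }
  return cur === undefined || cur === null ? '' : String(cur);
}

// Output is HTML-escaped, so data values cannot introduce markup either.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function renderSafe(template, data) {
  return template.replace(PLACEHOLDER, (_, expr) =>
    escapeHtml(resolvePath(expr, data)));
}

// Constructed sample data for a quick comparison.
const sample = { user: { name: 'Ada' } };
console.log(renderUnsafe('Hello {{ user.name }} / {{ 1 + 1 }}', sample)); // Hello Ada / 2
console.log(renderSafe('Hello {{ user.name }} / {{ 1 + 1 }}', sample));   // Hello Ada /
```

The unsafe renderer evaluates `1 + 1` because it is running code; the safe one yields an empty string because `1 + 1` is not a property path, which is exactly the difference SEC-A measures.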
The project is in the earliest of possible alpha stages - don't expect anything useful before late 2013, early 2014 - a lot of research-in-progress.

Note: We try to maintain this project as well as we can in our spare time. We might (and will) make mistakes - if you spot one, please let us know! We'll fix it then. Projects like this cannot live without active participation - don't be a grump, tell us what we did wrong if you feel we did.

Now show me some bugs!

Alright! Here's what we found so far. Some bug reports were already sent, some are still pending - others will probably never be sent successfully as {}SEC-E wasn't considered to be useful. We're working on it!

Security Matrix

Spot a mistake? Let us know! We go for fail if unclear - rather too harsh than too lax.

| Framework | {}SEC-A | {}SEC-B | {}SEC-C | {}SEC-D | {}SEC-E | {}SEC-F |
|:-----------------|:--------|:--------|:--------|:--------|:--------|:--------|
| VueJS | Fail | Fail | Fail | Fail | Fail | Fail |
| AngularJS 1.0.8 | Fail | Fail | Fail | Fail | PASS | Fail |
| AngularJS 1.2.0 | Fail | PASS | Fail | Fail | PASS | PASS |
| AngularJS 1.4.0 | Fail | PASS | Fail | PASS | PASS | PASS |
| CanJS | Fail | Fail | PASS | Fail | Fail | Fail |
| Underscore.js | Fail | Fail | PASS | Fail | Fail | Fail |
| KnockoutJS | Fail | Fail | Fail | Fail | Fail | Fail |
| Ember.js | Fail | PASS | PASS | Fail | PASS | TBD |
| Polymer | TBD | TBD | TBD | TBD | TBD | TBD |
| Ractive.js 0.4.0 | Fail | Fail | Fail | Fail | Fail | Fail |
| Ractive.js 0.7.2 | Fail | Fail | PASS | Fail | Fail | Fail |
| jQuery | TBD | TBD | TBD | TBD | PASS | TBD |
| JsRender | Fail | Fail | Fail | Fail | Fail | Fail |
| Kendo UI | Fail | Fail | Fail | Fail | Fail | Fail |

Useful Things

Project Information

The project was created on Aug 3, 2013.

Labels:
xss MVC mustache JavaScript