Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
23 Jan 2017
31 Oct 2016
How to fix?
AngularJS.Core to version 1.5.9 or higher.
AngularJS.Core is an AngularJS.* package for other Angular modules within .NET.
Affected versions of this package are vulnerable to Content Security Policy (CSP) Bypass. Extension URIs (
resource://...) bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. Now if a site already has a XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacker can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection.