  • Mike Poole 53 posts 165 karma points
    Dec 10, 2021 @ 12:57
    Mike Poole
    0

    Penetration testing with AngularJS/1.x

    Our current applications are being flagged in their penetration tests as having critical issues due to the use of AngularJS which goes EOL on 31 Dec 2021

    I note that Umbraco 9 has Angular 1.8 - is this something that will be moved away from soon? Was this something that was flagged in the Sept 2021 penetration test or is anticipated to be flagged in the March 2022 test?

    Thanks

    Mike

  • Jeffrey Schoemaker 408 posts 2138 karma points MVP 8x c-trib
    Dec 11, 2021 @ 09:27
    Jeffrey Schoemaker
    2

    Hi Mike,

    as far as I know Angular 1.8 will be replaced when the new backoffice is launched and that is not planned yet. I'm pretty sure that it certainly will not be part of Umbraco 10, and I even doubt if Umbraco 11 will have a new backoffice.

    So probably you have to deal with Angular 1.8 unfortunately :S

    We, as a digital agency, also get these issues from pen tests. Your best way out of this is by IP whitelisting your backoffice (/umbraco/) to specific IP addresses. This will dramatically decrease the attack surface, because only a limited number of editors will have access from specific IP addresses. And in what world would we live if we cannot even trust our editors anymore ;)!

    The process for IP whitelisting is really well documented over here: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/

    Hope this helps! Have a nice & safe weekend!

    Jeffrey
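
    An added example of the allow-listing Jeffrey describes, written for the ASP.NET Core pipeline that Umbraco 9 runs on. This is not Umbraco's own code and not the implementation from the linked documentation page; it is a plain middleware that answers 403 to any request under /umbraco unless the client address is in an IPv4 allow-list. Assumptions, all adjustable: the CIDR ranges in the usage comment are placeholders, the /umbraco/api and /umbraco/surface prefixes are left open because the public site may call them, the middleware is registered in Startup.Configure ahead of app.UseUmbraco(), and 10.0.0.5 stands in for a reverse proxy's address.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;

// Added example, not Umbraco's own code: returns 403 for requests under /umbraco
// unless the client address falls inside one of the configured IPv4 CIDR ranges.
public sealed class BackofficeIpAllowListMiddleware
{
    private readonly RequestDelegate _next;
    private readonly List<(uint Network, uint Mask)> _allowed = new();

    // Routes under /umbraco that the public site itself may call (assumption: adjust to your site).
    private static readonly PathString[] PublicPrefixes =
    {
        new PathString("/umbraco/api"),     // UmbracoApiController routes
        new PathString("/umbraco/surface"), // SurfaceController form posts
    };

    public BackofficeIpAllowListMiddleware(RequestDelegate next, IEnumerable<string> allowedCidrs)
    {
        _next = next;
        foreach (var cidr in allowedCidrs)
            _allowed.Add(ParseCidr(cidr));
    }

    public async Task InvokeAsync(HttpContext context)
    {
        PathString path = context.Request.Path;
        if (path.StartsWithSegments("/umbraco") && !IsPublicPrefix(path))
        {
            IPAddress? remote = context.Connection.RemoteIpAddress;
            if (remote == null || !IsAllowed(remote))
            {
                // Fail closed: no address, an IPv6 client without a mapped IPv4, or an off-list address all get 403.
                context.Response.StatusCode = StatusCodes.Status403Forbidden;
                return;
            }
        }
        await _next(context);
    }

    private static bool IsPublicPrefix(PathString path)
    {
        foreach (var prefix in PublicPrefixes)
            if (path.StartsWithSegments(prefix)) return true;
        return false;
    }

    public bool IsAllowed(IPAddress address)
    {
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        if (address.AddressFamily != AddressFamily.InterNetwork) return false; // the list is IPv4-only
        uint ip = ToUInt32(address);
        foreach (var (network, mask) in _allowed)
            if ((ip & mask) == network) return true;
        return false;
    }

    // "203.0.113.0/24" -> (network, mask) as host-order integers; a bare address means /32.
    private static (uint Network, uint Mask) ParseCidr(string cidr)
    {
        string[] parts = cidr.Split('/');
        uint network = ToUInt32(IPAddress.Parse(parts[0]));
        int prefix = parts.Length > 1 ? int.Parse(parts[1]) : 32;
        if (prefix < 0 || prefix > 32) throw new FormatException($"bad prefix length in {cidr}");
        // C# masks a 32-bit shift count to 5 bits, so a shift by 32 would be a no-op; special-case /0.
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (network & mask, mask);
    }

    private static uint ToUInt32(IPAddress a)
    {
        byte[] b = a.GetAddressBytes(); // network (big-endian) byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
}

public static class BackofficeIpAllowListExtensions
{
    // Assumption: called from Startup.Configure before app.UseUmbraco(), e.g.
    //   app.UseBackofficeIpAllowList("203.0.113.0/24", "198.51.100.7");   // placeholder ranges
    public static IApplicationBuilder UseBackofficeIpAllowList(this IApplicationBuilder app, params string[] allowedCidrs)
    {
        // Behind a load balancer or reverse proxy RemoteIpAddress is the proxy, not the editor.
        // Trust X-Forwarded-For only from the proxy's own address (10.0.0.5 is a placeholder);
        // trusting it from anywhere lets any client spoof an allow-listed address.
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor,
            KnownProxies = { IPAddress.Parse("10.0.0.5") },
        });
        // Wrap the array so UseMiddleware passes it as one constructor argument, not one per string.
        return app.UseMiddleware<BackofficeIpAllowListMiddleware>(new object[] { allowedCidrs });
    }
}
```

    Two things to check before relying on this: confirm with a request from outside the list that /umbraco/ really returns 403 through the proxy, not just from the server itself, and confirm that nothing the public site uses (API or surface controllers, or custom routes) sits under a blocked prefix. The check narrows who can reach the backoffice; it does not change what code ships in it, which is the question Mike's follow-up raises.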

  • Mike Poole 53 posts 165 karma points
    Dec 14, 2021 @ 14:14
    Mike Poole
    0

    Thanks Jeffrey, that is really helpful

    I suppose what I am really after is a way to mitigate/explain to any pen tester who raises the use of AngularJS after end of life within Umbraco as a critical/high issue

    Whitelisting is one approach to lessen the vulnerability but if a client sees the pen test and questions why a product that contains an out of support framework is being used, I need something to go back to them with

    I fully appreciate why Umbraco do not publish their pen test results and am more than confident they release security patches for critical vulnerabilities but as we are working towards removing AngularJS from our products for this EOL reason, why/how Umbraco are able to justify its continued use
