zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

AngularJS reported as low vulnerability, should be higher due to deprecation and known exploits #7407

Closed globeone closed 2 years ago

globeone commented 2 years ago

Describe the bug

When passive scanning for Dangerous JavaScript Functions ZAP reports back that it found AngularJS but marks it as low. AngularJS was deprecated December 31st, 2021 and no longer receives security patches or updates. There are known exploits for AngularJS such as stealing data using the $SCOPE variable. When AngularJS is found then ZAP should report this as high and give the advice to upgrade to regular Angular or another framework like React.

Steps to reproduce the behavior

Enter a URL and do a manual explore; when the Passive Scanner comes across AngularJS it will flag it as Low risk, Low confidence.

Expected behavior

When finding a JavaScript library with many known vulnerabilities ZAP should flag this as high risk, high confidence.

Software versions

OWASP ZAP Version: D-2022-08-01

Installed Add-ons: [[id=accessControl, version=8.0.0], [id=alertFilters, version=14.0.0], [id=ascanrules, version=47.0.0], [id=ascanrulesAlpha, version=38.0.0], [id=ascanrulesBeta, version=42.0.0], [id=attacksurfacedetector, version=1.1.4], [id=authstats, version=2.0.0], [id=automation, version=0.17.0], [id=bruteforce, version=12.0.0], [id=callhome, version=0.5.0], [id=commonlib, version=1.10.0], [id=coreLang, version=16.0.0], [id=custompayloads, version=0.11.0], [id=diff, version=12.0.0], [id=directorylistv1, version=6.0.0], [id=directorylistv2_3, version=4.0.0], [id=directorylistv2_3_lc, version=4.0.0], [id=domxss, version=13.0.0], [id=encoder, version=0.7.0], [id=exim, version=0.3.0], [id=fileupload, version=1.1.0], [id=formhandler, version=6.0.0], [id=fuzz, version=13.7.0], [id=gettingStarted, version=14.0.0], [id=graaljs, version=0.3.0], [id=graphql, version=0.10.0], [id=help, version=15.0.0], [id=hud, version=0.14.0], [id=imagelocationscanner, version=3.0.0], [id=invoke, version=12.0.0], [id=jsonview, version=2.0.0], [id=network, version=0.3.0], [id=oast, version=0.11.0], [id=onlineMenu, version=10.0.0], [id=openapi, version=28.0.0], [id=plugnhack, version=13.0.0], [id=portscan, version=10.0.0], [id=pscanrules, version=43.0.0], [id=pscanrulesAlpha, version=35.0.0], [id=pscanrulesBeta, version=30.0.0], [id=quickstart, version=34.0.0], [id=reflect, version=0.0.11], [id=regextester, version=2.0.0], [id=replacer, version=10.0.0], [id=reports, version=0.16.0], [id=requester, version=7.0.0], [id=retest, version=0.3.0], [id=retire, version=0.13.0], [id=reveal, version=5.0.0], [id=revisit, version=4.0.0], [id=scripts, version=31.0.0], [id=selenium, version=15.10.0], [id=sequence, version=7.0.0], [id=soap, version=14.0.0], [id=spiderAjax, version=23.8.0], [id=sqliplugin, version=15.0.0], [id=tips, version=10.0.0], [id=tokengen, version=15.0.0], [id=treetools, version=8.0.0], [id=wappalyzer, version=21.11.0], [id=webdriverlinux, version=42.0.0], [id=webdrivermacos, version=43.0.0], [id=webdriverwindows, version=42.0.0], [id=websocket, version=27.0.0], [id=zest, version=36.0.0]]

Operating System: Windows 10
Architecture: amd64
Java Version: Eclipse Adoptium 17.0.3
System's Locale: en_US
Display Locale: en_GB
Format Locale: en_US
Default Charset: UTF-8
ZAP Home Directory: C:\Users\$USER\OWASP ZAP_D\
ZAP Installation Directory: C:\Users\$USER\LocalPrograms\ZAPWeekly\ZAP_D-2022-08-01.\
Look and Feel: FlatLaf Light (com.formdev.flatlaf.FlatLightLaf)

Screenshots

[screenshot attached to the issue, not reproduced here]

Errors from the zap.log file

This is not an error from the logs but an incorrect classification.

Additional context

Here is the blog post from Angular explaining the deprecation and that AngularJS is no longer supported: https://blog.angular.io/discontinued-long-term-support-for-angularjs-cc066b82e65a

Here are the upgrade instructions to upgrade Angular: https://angular.io/guide/upgrade

Here is one of the CVEs in AngularJS, CVE-2019-14863: There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

Would you like to help fix this issue?

psiinon commented 2 years ago

Can you check if the RetireJS add-on reports this? https://www.zaproxy.org/docs/desktop/addons/retire.js/ The Dangerous JS Functions rule will not have the context to understand that it's AngularJS...

kingthorin commented 2 years ago

To be clear, the Alert you quoted is about the use of that specific function; the place it was identified just happens to be in an AngularJS file, NOT use of AngularJS itself.

kingthorin commented 2 years ago

@psiinon I've just checked the upstream data file, I don't see anything about EoL for AngularJS. I'll open an issue.
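The thread turns on the difference between a function-level passive rule (which cannot know which library a file belongs to) and a library-version lookup such as Retire.js (which matches a detected version against ranges in a data file). The following is an added example, not ZAP's or Retire.js's own code, showing how that lookup works and why the boundary quoted in the issue, "before 1.5.0-beta.0", must be compared semver-style rather than as a plain string. The repository entries are constructed for illustration: the only real identifier is CVE-2019-14863 with the range quoted in the issue; the key names `below`, `atOrAbove` and `severity` are assumptions loosely modelled on Retire.js, and the severity values and the end-of-life entry are placeholders of the kind the reporter is asking for.

```javascript
// Added example (not ZAP's or Retire.js's own code). Maps a library version
// detected by a passive scan to known-vulnerability entries by version range.
// REPOSITORY is CONSTRUCTED for illustration; key names are assumptions
// loosely modelled on Retire.js and do not reproduce its actual data file.

const REPOSITORY = {
  angularjs: {
    vulnerabilities: [
      {
        // Range quoted in the issue for CVE-2019-14863: all versions before 1.5.0-beta.0
        below: "1.5.0-beta.0",
        identifiers: { CVE: ["CVE-2019-14863"] },
        severity: "medium", // placeholder rating, not an official one
      },
      {
        // Constructed end-of-life entry: every 1.x release matches because the
        // branch no longer receives security fixes
        atOrAbove: "1.0.0",
        below: "2.0.0",
        identifiers: { summary: "AngularJS 1.x is end-of-life (constructed entry)" },
        severity: "high",
      },
    ],
  },
};

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Split "1.5.0-beta.0" into numeric core [1,5,0] and prerelease ["beta","0"].
function parseVersion(v) {
  const dash = v.indexOf("-");
  const core = (dash === -1 ? v : v.slice(0, dash)).split(".").map(Number);
  const pre = dash === -1 ? null : v.slice(dash + 1).split(".");
  return { core, pre };
}

// Semver-style precedence: numeric core first (so 1.10.0 > 1.9.0), then a
// prerelease sorts *before* the same core without one (1.5.0-beta.0 < 1.5.0).
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  const len = Math.max(va.core.length, vb.core.length);
  for (let i = 0; i < len; i++) {
    const x = va.core[i] || 0;
    const y = vb.core[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (va.pre === null && vb.pre === null) return 0;
  if (va.pre === null) return 1;
  if (vb.pre === null) return -1;
  const plen = Math.max(va.pre.length, vb.pre.length);
  for (let i = 0; i < plen; i++) {
    const x = va.pre[i];
    const y = vb.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x);
    const yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1; // numeric identifiers rank below alphanumeric ones
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Return every entry whose range contains the detected version.
// "below" is exclusive, "atOrAbove" inclusive; a missing bound is open.
function findVulnerabilities(library, version) {
  const entry = REPOSITORY[library];
  if (!entry) return [];
  return entry.vulnerabilities.filter((vuln) => {
    const aboveOk = !vuln.atOrAbove || compareVersions(version, vuln.atOrAbove) >= 0;
    const belowOk = !vuln.below || compareVersions(version, vuln.below) < 0;
    return aboveOk && belowOk;
  });
}

// Overall risk for an alert is the highest severity among the matches,
// or null when nothing matched.
function overallRisk(library, version) {
  let top = null;
  for (const vuln of findVulnerabilities(library, version)) {
    if (top === null || SEVERITY_RANK[vuln.severity] > SEVERITY_RANK[top]) {
      top = vuln.severity;
    }
  }
  return top;
}

// 1.4.9 matches both entries (overall "high"); 1.5.0 is outside the CVE range
// but still matched by the constructed end-of-life entry.
console.log(findVulnerabilities("angularjs", "1.4.9").length, overallRisk("angularjs", "1.4.9"));
console.log(findVulnerabilities("angularjs", "1.5.0").length, overallRisk("angularjs", "1.5.0"));
```

The point of the constructed second entry is that an end-of-life condition has to be expressed as its own range-based finding; a rule that only recognises dangerous function calls, as in the alert quoted by the reporter, has no version to compare and so cannot raise the risk on its own.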

kingthorin commented 2 years ago

https://github.com/RetireJS/retire.js/issues/385

kingthorin commented 2 years ago

I've also created an upstream PR for the mentioned CVE: https://github.com/RetireJS/retire.js/pull/386

globeone commented 2 years ago

Thanks, I get lost in the complexity of what detects what sometimes.

thc202 commented 2 years ago

@globeone could you check zaproxy/zap-extensions#3743?

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.