JavaScript Insecure SCE Configuration
Description
Detects when AngularJS Strict Contextual Escaping (SCE) is explicitly disabled in the application configuration, that is, a call to $sceProvider.enabled(false) inside a config block. SCE is enabled by default and is the mechanism that forces values bound into HTML, resource URLs and similar contexts to be either sanitized or explicitly marked as trusted through $sce.trustAs*. Disabling it turns those checks into pass-throughs: a binding such as ng-bind-html then inserts an attacker-controlled string as raw markup instead of sanitizing it or rejecting it, and resource URL checks for templates, includes and frames are skipped as well. Any untrusted data that reaches such a context therefore becomes a cross-site scripting (XSS) vector.
Detection Strategy
• Search for calls to $sceProvider.enabled(...) in module configuration code
• Check whether the argument explicitly disables the SCE service (the literal false or 0); a call with no argument is only a getter that reads the current flag, and a non-literal argument (a variable or expression) cannot be decided statically and should be reviewed manually
• Report a vulnerability when SCE is disabled, as this removes the built-in XSS protections for every $sce context (HTML, resource URLs and the rest), not just for a single binding
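As an added example that is not code from the original page or from Fluid Attacks' own scanner, the following JavaScript implements the detection strategy above as a small scanner over AngularJS source text (run it with Node; it does not need the AngularJS runtime). The function names (stripComments, classifyArgument, scanForDisabledSce, scanAll) and the three source files in SAMPLES are constructed for this illustration. It goes slightly beyond the bullets: it ignores commented-out calls and argument-less getter calls, treats the numeric 0 like false, and reports calls whose argument is a variable or expression as unresolved for manual review.

```javascript
// Added example of the detection strategy above; not Fluid Attacks' own scanner.
// Function names and the SAMPLES sources are constructed for this illustration.

// Matches every call to $sceProvider.enabled(...) and captures its argument list.
const SCE_ENABLED_CALL = /\$sceProvider\s*\.\s*enabled\s*\(([^)]*)\)/g;

// Crude comment stripping so commented-out calls are not reported.
// Block comments are replaced by their newlines to keep line numbers stable.
// Assumption: no '//' or '/*' inside a string literal on the same line.
function stripComments(source) {
  return source
    .replace(/\/\*[\s\S]*?\*\//g, (block) => block.replace(/[^\n]/g, ''))
    .replace(/\/\/.*$/gm, '');
}

// Classifies the literal argument handed to enabled().
//   ''            -> 'getter'     (enabled() only reads the current flag)
//   false / 0     -> 'disabled'   (the finding this page describes)
//   true / 1      -> 'enabled'    (explicit, same as the default)
//   anything else -> 'unresolved' (variable or expression; needs manual review)
function classifyArgument(arg) {
  const value = arg.trim();
  if (value === '') return 'getter';
  if (value === 'false' || value === '0') return 'disabled';
  if (value === 'true' || value === '1') return 'enabled';
  return 'unresolved';
}

// Scans one source file and returns a finding per disabled or unresolved call.
function scanForDisabledSce(source, fileName = '<inline>') {
  const findings = [];
  stripComments(source).split('\n').forEach((line, index) => {
    for (const match of line.matchAll(SCE_ENABLED_CALL)) {
      const kind = classifyArgument(match[1]);
      if (kind === 'disabled' || kind === 'unresolved') {
        findings.push({ file: fileName, line: index + 1, kind, snippet: match[0] });
      }
    }
  });
  return findings;
}

// Constructed sample sources: the page's vulnerable and secure configs plus a
// file mixing a commented-out call, a numeric 0 and a non-literal argument.
const SAMPLES = {
  'vulnerable.js': `var app = angular.module('myApp', []);
app.config(function($sceProvider) {
  $sceProvider.enabled(false);
});`,
  'secure.js': `var app = angular.module('myApp', []);
app.config(function($sceProvider) {
  $sceProvider.enabled(true);            // explicit, same as the default
  console.log('SCE enabled:', $sceProvider.enabled()); // getter, not a finding
});`,
  'mixed.js': `app.config(function($sceProvider, APP_CONFIG) {
  /* $sceProvider.enabled(false); disabled while debugging */
  $sceProvider.enabled( 0 );
  $sceProvider.enabled(APP_CONFIG.allowRawHtml);
});`,
};

// Scans every sample and flattens the findings into one list.
function scanAll(samples) {
  return Object.entries(samples).flatMap(([name, src]) => scanForDisabledSce(src, name));
}

console.log(JSON.stringify(scanAll(SAMPLES), null, 2));
```

Running the block reports three findings: the explicit false in vulnerable.js, the numeric 0 in mixed.js, and the APP_CONFIG.allowRawHtml call in mixed.js flagged as unresolved; secure.js produces nothing. The check is line-oriented, so a call split across lines or made through an alias of $sceProvider is missed; an AST-based check is the robust form of the same rule.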
Vulnerable code example
// Initialize Angular application
var app = angular.module('myApp', []);
app.config(function($sceProvider) {
// SECURITY RISK: Disabling SCE removes protection against XSS attacks
$sceProvider.enabled(false);
});
✅ Secure code example
// Initialize Angular application
var app = angular.module('myApp', []);
app.config(function($sceProvider) {
// SECURE: Explicitly enable SCE for XSS protection (this is also default behavior)
$sceProvider.enabled(true);
});