๐Ÿ” Angular Security in Production: How XSS Protection, DomSanitizer, and CSRF Defenses Actually Fit Together
Dev.to
Security

Angular's SecurityContext-based automatic sanitization model and a strategy for managing bypass risk

๐Ÿ” Angular Security in Production: How XSS Protection, DomSanitizer, and CSRF Defenses Actually Fit Together

ABDELAAZIZ OUAKALA · June 29, 2026 · 16 min · intermediate

Context

์—”ํ„ฐํ”„๋ผ์ด์ฆˆ Angular ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์—์„œ ๋ฐœ์ƒํ•˜๋Š” XSS ์ทจ์•ฝ์  ๋Œ€๋ถ€๋ถ„์ด ํ”„๋ ˆ์ž„์›Œํฌ ๊ฒฐํ•จ์ด ์•„๋‹Œ ๊ธฐ๋ณธ ๋ณด์•ˆ ๋ชจ๋ธ ์šฐํšŒ ์„ค์ •์œผ๋กœ ์ธํ•ด ๋ฐœ์ƒํ•จ. ๊ฐœ๋ฐœ ํŽธ์˜๋ฅผ ์œ„ํ•ด DomSanitizer์˜ Bypass ๋ฉ”์„œ๋“œ๋ฅผ ๋ฌด๋ถ„๋ณ„ํ•˜๊ฒŒ ์‚ฌ์šฉํ•˜๋ฉฐ ๋ณด์•ˆ ํŒŒ์ดํ”„๋ผ์ธ์„ ๋ฌด๋ ฅํ™”ํ•˜๋Š” ๊ตฌ์กฐ์  ํ•œ๊ณ„์ ์ด ์กด์žฌํ•จ.

Technical Solution

  • Automatic escaping and sanitization through SecurityContext during interpolation and property binding
  • Four context-specific security policies (HTML, STYLE, URL, RESOURCE_URL), applied according to where the data is rendered
  • Runtime value validation through DomSanitizer's sanitize() method, with a graceful fallback based on null handling
  • When bypassSecurityTrust* methods are used, values are forced into Safe* types so that trust is granted explicitly and remains auditable
  • The strictest trust level is applied to the RESOURCE_URL context to block arbitrary code execution (RCE) at the source

1. Survey every use of bypass methods such as bypassSecurityTrustHtml and bypassSecurityTrustScript across the codebase

2. Verify whether data bound to [innerHTML] has already been marked as trusted upstream

3. Confirm that {{ }} interpolation is used instead of [innerHTML] for plain text output

4. When loading external resources, review compliance with the RESOURCE_URL context and the CSP (Content Security Policy) configuration
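Added example, not code from the article or from Angular: a TypeScript audit helper for checklist steps 1 and 2 that scans source text for DomSanitizer bypass calls and [innerHTML] bindings, ranks each by the SecurityContext it disables, and queues unjustified calls on dynamic input for review. The `// SAFE:` justification comment, the sample component and its names are constructed assumptions.

```typescript
// Added example, not code from the article or from Angular: a source-text audit for
// checklist steps 1 and 2 that lists DomSanitizer bypass calls and [innerHTML] bindings.
type BypassKind = "Html" | "Style" | "Script" | "Url" | "ResourceUrl";
interface Finding {
  file: string; line: number; kind: BypassKind | "innerHTML";
  severity: "high" | "medium" | "low";
  argument: string;       // expression passed to the call or bound in the template
  dynamicInput: boolean;  // false only when the argument is a string literal
  justified: boolean;     // "// SAFE:" comment on this or the previous line (assumed convention)
}
// RESOURCE_URL and SCRIPT bypasses can lead straight to code execution.
const SEVERITY: Record<BypassKind, Finding["severity"]> =
  { ResourceUrl: "high", Script: "high", Html: "medium", Url: "medium", Style: "low" };
function audit(files: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const file of Object.keys(files)) {
    const lines = files[file].split("\n");
    lines.forEach((text, i) => {
      const justified = /\/\/\s*SAFE:/.test(text) || (i > 0 && /\/\/\s*SAFE:/.test(lines[i - 1]));
      const bypassRe = /bypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\s*\(\s*([^)]*)\)/g;
      const innerRe = /\[innerHTML\]\s*=\s*"([^"]*)"/g;
      let m: RegExpExecArray | null;
      while ((m = bypassRe.exec(text)) !== null) {
        const kind = m[1] as BypassKind, argument = m[2].trim();
        out.push({ file, line: i + 1, kind, severity: SEVERITY[kind], argument,
                   dynamicInput: !/^['"`]/.test(argument), justified });
      }
      while ((m = innerRe.exec(text)) !== null) {  // step 2: was the bound value pre-trusted?
        out.push({ file, line: i + 1, kind: "innerHTML", severity: "medium",
                   argument: m[1].trim(), dynamicInput: true, justified });
      }
    });
  }
  return out;
}
// Review queue: unjustified high-severity bypasses, or unjustified ones fed by a non-literal expression.
function needsReview(findings: Finding[]): Finding[] {
  return findings.filter(f => !f.justified && (f.severity === "high" || f.dynamicInput));
}
// Constructed sample (hypothetical component and template), embedded so this runs offline.
const SAMPLE_FILES: Record<string, string> = {
  "banner.component.ts": [
    "this.html = s.bypassSecurityTrustHtml(cms.rawBanner);",
    "// SAFE: static data URL defined in source, not user input",
    "this.icon = s.bypassSecurityTrustUrl('data:image/svg+xml;base64,PHN2Zy8+');",
    "this.frame = s.bypassSecurityTrustResourceUrl(config.widgetUrl);",
  ].join("\n"),
  "banner.component.html": '<div [innerHTML]="html"></div>\n<p>{{ cms.title }}</p>',
};
```

Running `needsReview(audit(SAMPLE_FILES))` on the sample queues the dynamic Html bypass, the ResourceUrl bypass and the [innerHTML] binding, while the justified literal Url bypass is left out.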
