How secure is AngularJS?

Presented at SecuriTay 2017 by

Client-side JavaScript frameworks bring a lot of functionality and logic to the front-end. With all this code running in the browser, do they impose extra risks on applications? Frameworks like AngularJS incorporate many security features, such as context-aware encoding and CSRF protection, but they also leave gaps and traps into which developers may fall when they put too much trust in client-side code. In this presentation we will look at the security controls provided by the AngularJS framework out of the box and the security defects that still reside in the Angular code and available plugins. Attendees will see demonstrations of several attacks, such as a DOM-XSS, a template injection, and a sandbox bypass.