A React application riddled with security vulnerabilities, so you can see how insecure code gets written in practice and learn how to avoid it.
For a local installation, make sure you have the following dependencies installed:
- Node.js v14 (other versions don't work)
- npm
The easiest way to run the app is through a containerized image. The `docker-compose.yml` file also mounts the `./src` directory into the container, so you can edit source files on the host and get the fast development experience of hot reloading.
To run the containerized version, run the following command:

```sh
docker-compose up --build
```

Note: passing `--build` makes Compose rebuild the container image whenever something changed that requires a new Docker image. That covers significant changes as well, such as adding a new dependency, so the same command is the one to run after editing `package.json`:

```sh
docker-compose up --build
```
- Change `src/database.json` to one of:
  - `javascript:alert(1)`
  - `JAVAscript:alert(1)`
  - `\x19JAVAscript:alert(1)`
- Use the `PackageParser` component but supply it a string instead of a JSON object:
  - It uses a vulnerable `react-json-pretty` package version
- Set `src/database.json` to `<img src=x onError=alert(1) />`
  - It uses
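The three items above are two different XSS routes. The `javascript:` variants target an `href` built from data: React escapes text children in JSX, but it does not decide whether a URL you put in `href` is safe, and a hand-rolled prefix check is what the mixed-case and control-character payloads are there to defeat (the browser lowercases the scheme and strips leading C0 control characters before it runs the URL). The `<img onError>` payload and the string-instead-of-JSON misuse only fire when a component turns the string into live markup through innerHTML rather than letting React escape it. The following is an added example, not code from React Suspended or from `react-json-pretty`; the function names (`naiveBlocksJavascriptUrl`, `safeHref`, `escapeHtml`, `prettyJsonHtml`), the placeholder base origin and the extra tab/newline payload are this example's own assumptions. It runs under plain Node.js with no dependencies.

```javascript
// Added example (not part of React Suspended). Shows why the javascript: URL
// payloads listed above get past a naive check, how a parser-based allow-list
// blocks them, and how the HTML-injection payload is neutralised by escaping.
// All function names here are the example's own, not the project's.

// Payloads from the list above, plus one extra (a newline inside the scheme)
// that the WHATWG URL parser also normalises away. Constructed test input.
const JS_URL_PAYLOADS = [
  'javascript:alert(1)',
  'JAVAscript:alert(1)',
  '\x19JAVAscript:alert(1)',
  'java\nscript:alert(1)', // beyond the page's list; same parser behaviour
];

// A typical hand-rolled filter. Lowercasing handles "JAVAscript:", but a
// leading C0 control character (\x19) still slips through: the string no
// longer starts with the scheme, while the browser strips the control
// character before parsing and runs the script anyway.
function naiveBlocksJavascriptUrl(href) {
  return href.toLowerCase().startsWith('javascript:');
}

// Hardened check: let the same parser the browser uses decide what the
// scheme is, then allow only a short list of schemes. Relative links are
// resolved against a placeholder base (assumption: any https origin works)
// so that they parse as https: and stay allowed.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
const RELATIVE_BASE = 'https://placeholder.invalid/';

// Returns the href unchanged when it is safe to render, or null to refuse it.
function safeHref(href) {
  let url;
  try {
    url = new URL(href, RELATIVE_BASE);
  } catch {
    return null; // unparseable: refuse rather than render
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? href : null;
}

// The other two list items inject markup rather than a URL. JSX escapes text
// children, so "<img onError>" only fires when a component hands the string
// to innerHTML (dangerouslySetInnerHTML). A pretty-printer that builds HTML
// from its input must escape that input first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accepts either a JSON object or a bare string (the misuse described for
// PackageParser) and always produces inert markup.
function prettyJsonHtml(input) {
  return `<pre>${escapeHtml(JSON.stringify(input, null, 2))}</pre>`;
}

// Runs every payload through both checks so the difference is visible.
function demo() {
  const rows = JS_URL_PAYLOADS.map((p) => ({
    payload: JSON.stringify(p),
    naiveBlocks: naiveBlocksJavascriptUrl(p),
    hardenedBlocks: safeHref(p) === null,
  }));
  const injected = '<img src=x onError=alert(1) />'; // constructed input
  return { rows, html: prettyJsonHtml(injected) };
}

const result = demo();
console.table(result.rows);
console.log(result.html);
```

The table shows the naive filter catching the first two payloads and missing the `\x19` and newline variants, while `safeHref` rejects all four and still accepts `https://...`, `mailto:` and relative paths. The point for a React codebase is that `href={userValue}` needs this kind of parser-backed check, and anything rendered via `dangerouslySetInnerHTML` needs escaping or a sanitiser, because JSX escaping does not apply to either.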
- Modern frontend frameworks like React are well thought out in their application security design, and that is great. However, there is still plenty of room for developers to make mistakes: using insecure APIs, pulling in vulnerable components, or otherwise turning user input into a Cross-site Scripting (XSS) vulnerability. Let me show you how React applications get hacked in the real world with the React Suspended educational experience.
- Copyright 2020 Creative Tim (https://www.creative-tim.com/?ref=blkdsr-readme)
- Copyright 2021 Liran Tal ([email protected])
- Licensed under MIT (https://github.com/creativetimofficial/blk-design-system-react/blob/main/LICENSE.md)
This codebase makes use of derivative work created by Creative Tim, in particular their open source website design Blk• Design System React. I used their work because it provided me with a realistic, functional and fully designed React application, which allowed me to focus my time on the security aspects.
Liran Tal [email protected]