Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking the Frontend

Attacking the Frontend

A lightning talk about common security issues in frontend applications going through XSS, React escape hatches, resource and encoding urls

Callum Silcock

July 07, 2023
Tweet

More Decks by Callum Silcock

Other Decks in Technology

Transcript

  1. COMMON ISSUES Code injection How does the web app handle

    unexpected data XSS "Cross Site Scripting" Attacker submitted code run in browser CSP by itself cannot prevent XSS HTML elements can run code!
  2. REACT Context sensitive output encoding out of the box until

    you use something with the word dangerous in front of it React will protect you from yourself
  3. DANGEROUSLYSETINNERHTML Don't use this + the linter will yell at

    you if you do Needs DOMPurify if you need to use it {dangerouslySetInnerHTML: DOMPurify.sanitize({html})}
  4. ESCAPE HATCHES Bypass react and access native DOM APIs Direct

    DOM Manipulation Good news: React is deprecating this should be disallowed findDOMNode innerHTML createRef is not
  5. ENCODING URLS Avoid taking full URL as an input Do

    URL sanitisation Nextjs does this for us Should allowlist certain urls
  6. RESOURCE URLS Javascript & Resource URLs can be a potential

    sink are being disallowed from React 17+ data. still runs
  7. BEST PRACTICES "If you are going to the DOM directly,

    talk to security" CSRF Cookies should have samesite set (or better be secure)
  8. RESOURCES is a deliberately vulnerable app you can play around

    with React has a guide on A collection of escape hatches exploring React.__SECRET_INTERNALS_DO_NOT _USE_OR_YOU_WILL_BE_FIRED ReactVulna escape hatches Its-fine