OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International
27.59k stars 3.87k forks

New CS proposal: React Security CheatSheet #543

Open ronperris opened 3 years ago

ronperris commented 3 years ago

What is the proposed Cheat Sheet about?

Building secure React applications by avoiding common vulnerabilities.

What security issues are commonly encountered related to this area?

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-603: Use of Client-Side Authentication
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command
CWE-94: Improper Control of Generation of Code ('Code Injection')

What is the objective of the Cheat Sheet?

Examples of vulnerable code and how to fix it.

What other resources exist in this area?

I've written about this topic, and made videos related to it in the past. I want to make some new content that goes deeper and broader here.

https://www.youtube.com/watch?v=VtNotePFuJY
https://snyk.io/blog/10-react-security-best-practices/
https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412
https://medium.com/javascript-security/avoiding-xss-via-markdown-in-react-91665479900
https://www.synopsys.com/software-integrity/training/software-security-courses/react-js-security.html
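As an added illustration of the "vulnerable code and how to fix it" format the proposal asks for, the JavaScript below covers the CWE-79 case in React. It is not code from this issue thread, from ronperris, or from the OWASP cheat sheets. React escapes text interpolated in JSX, so XSS in React code usually enters through attributes the browser treats as code rather than text, such as a user-controlled href carrying a javascript: or data: URL. The helper name safeHref, the placeholder resolving origin and the about:blank fallback are assumptions made for this example.

```javascript
// Vulnerable pattern (JSX, shown as a comment): the URL comes straight from
// user data, so a stored value of "javascript:alert(document.cookie)" runs
// when the link is clicked. React does not validate URL schemes in href.
//
//   <a href={profile.website}>{profile.displayName}</a>
//
// Fixed pattern: the component allowlists the scheme before rendering.
//
//   <a href={safeHref(profile.website)}>{profile.displayName}</a>

// Schemes a user-supplied link is allowed to use. Anything else (javascript:,
// data:, vbscript:, blob:, ...) is replaced by SAFE_FALLBACK.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Placeholder origin, used only so relative links ("/docs", "../x") can be
// parsed. In a real component this would be the application's own origin.
const RESOLVE_BASE = "https://example.invalid/";

// Inert value rendered in place of a rejected URL.
const SAFE_FALLBACK = "about:blank";

function safeHref(input) {
  if (typeof input !== "string") return SAFE_FALLBACK;

  let parsed;
  try {
    // The WHATWG URL parser strips leading/trailing whitespace, removes
    // embedded tab and newline characters and lowercases the scheme, so
    // obfuscations such as "JaVaScRiPt:" or "java\tscript:" are normalised
    // before the scheme is compared against the allowlist.
    parsed = new URL(input, RESOLVE_BASE);
  } catch {
    // Unparseable input is treated as hostile rather than passed through.
    return SAFE_FALLBACK;
  }

  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return SAFE_FALLBACK;

  // Return the caller's own (trimmed) value so relative links stay relative
  // instead of being rewritten against the placeholder base.
  return input.trim();
}

// Constructed sample inputs of the kind a profile form might store.
const SAMPLE_LINKS = [
  "https://owasp.org/",
  "/profile/42",
  "mailto:security@example.invalid",
  "javascript:alert(document.cookie)",
  "  JAVASCRIPT:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
  42,
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), "->", safeHref(link));
}
```

The check deliberately allowlists schemes instead of blocklisting "javascript:", because the parser normalisation shown in the comments is exactly what defeats naive string matching; dangerouslySetInnerHTML is a separate vector that this helper does not address.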

mackowski commented 3 years ago

@ronperris awesome idea! I am looking forward to seeing your PR on this. Please review the XSS and DOM XSS cheat sheets and cross-reference this new CS from them.

jmanico commented 3 years ago

+10000

-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805

On Feb 20, 2021, at 11:43 AM, mackowski notifications@github.com wrote:

 @ronperris awesome idea! I am looking forward to seeing your PR on this. Please review the XSS and DOM XSS cheat sheets and cross-reference this new CS from them.


mackowski commented 3 years ago

@ronperris do you need any help with this? If you have a draft that you want to share, we can add it to the drafts directory and we will start sharing our feedback and help.

mackowski commented 2 years ago

@ronperris any updates on this?

mackowski commented 1 year ago

@ronperris do you still want to do this?

jeroenhabets commented 1 year ago

@ronperris my team would also be very interested. Are you still motivated to pick up this task? Can we contribute?

szh commented 1 year ago

@jeroenhabets since @ronperris hasn't responded to previous comments, I think you can start on this if you want to.

jeroenhabets commented 1 year ago

@szh thanks, but like @mackowski we'd be willing to, e.g., give feedback on a draft; we're not in a position to take the lead here.