
New CS proposal: React Security CheatSheet

Open ronperris opened this issue 4 years ago • 8 comments

What is the proposed Cheat Sheet about?

Building secure React applications by avoiding common vulnerabilities.

What security issues are commonly encountered related to this area?

- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-602: Client-Side Enforcement of Server-Side Security
- CWE-603: Use of Client-Side Authentication
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command
- CWE-94: Improper Control of Generation of Code ('Code Injection')

What is the objective of the Cheat Sheet?

Examples of vulnerable code and how to fix it.

What other resources exist in this area?

I've written about this topic, and made videos related to it in the past. I want to make some new content that goes deeper and broader here.

- https://www.youtube.com/watch?v=VtNotePFuJY
- https://snyk.io/blog/10-react-security-best-practices/
- https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412
- https://medium.com/javascript-security/avoiding-xss-via-markdown-in-react-91665479900
- https://www.synopsys.com/software-integrity/training/software-security-courses/react-js-security.html

ronperris avatar Feb 20 '21 16:02 ronperris

@ronperris awesome idea! I am looking forward to seeing your PR on this. Please review the XSS and DOM XSS cheat sheets and cross-reference this new CS from them.

mackowski avatar Feb 20 '21 16:02 mackowski

+10000


jmanico avatar Feb 20 '21 22:02 jmanico

@ronperris do you need any help with this? If you have a draft that you want to share, we can add it to the drafts directory and we will start sharing our feedback & help.

mackowski avatar Apr 21 '21 07:04 mackowski

@ronperris any updates on this?

mackowski avatar Jun 13 '22 10:06 mackowski

@ronperris do you still want to do this?

mackowski avatar Nov 21 '22 13:11 mackowski

@ronperris my team would also be very interested. Are you still motivated to pick up this task? Can we contribute?

jeroenhabets avatar May 19 '23 10:05 jeroenhabets

@jeroenhabets since @ronperris hasn't responded to previous comments, I think you can start on this if you want to.

szh avatar May 19 '23 13:05 szh

@szh thanks but like @mackowski we'd be willing to e.g. give feedback on a draft but we're not in a position to take the lead here.

jeroenhabets avatar Jun 08 '23 15:06 jeroenhabets