{"id":23265671,"url":"https://github.com/fatihtuzunn/vulnerable_react_app","last_synced_at":"2025-04-06T07:33:52.934Z","repository":{"id":267979929,"uuid":"902534617","full_name":"fatihtuzunn/vulnerable_react_app","owner":"fatihtuzunn","description":"A vulnerable React.js application designed for pentesting. It includes common web vulnerabilities such as NoSQL Injection, Cross-Site Scripting (XSS), Open Redirect, and Session Management Issues.","archived":false,"fork":false,"pushed_at":"2024-12-13T16:04:44.000Z","size":3465,"stargazers_count":1,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-12T12:56:54.996Z","etag":null,"topics":["hacking","javascript","pentesting","react","reactjs","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fatihtuzunn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-12-12T18:54:36.000Z","updated_at":"2024-12-15T14:50:47.000Z","dependencies_parsed_at":"2024-12-13T17:34:21.173Z","dependency_job_id":"a74ec37d-663f-4b50-9534-ec076681b1e5","html_url":"https://github.com/fatihtuzunn/vulnerable_react_app","commit_stats":null,"previous_names":["fatihtuzunn/vulnerable_react_app"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fatihtuzunn%2Fvulnerable_react_app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fatihtuzunn%2Fvulnerable_react_app/tags","releases_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fatihtuzunn%2Fvulnerable_react_app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fatihtuzunn%2Fvulnerable_react_app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fatihtuzunn","download_url":"https://codeload.github.com/fatihtuzunn/vulnerable_react_app/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247450632,"owners_count":20940934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking","javascript","pentesting","react","reactjs","security"],"created_at":"2024-12-19T15:31:24.405Z","updated_at":"2025-04-06T07:33:52.903Z","avatar_url":"https://github.com/fatihtuzunn.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vulnerable React.js Application\n\nThis repository contains a vulnerable React.js application intentionally designed for educational and security testing purposes. The application includes common web vulnerabilities such as **NoSQL Injection**, **Cross-Site Scripting (XSS)**, **Open Redirect**, and **Session Management Issues**.\n\n\u003e **Disclaimer:** This project is for learning and demonstration purposes only. Do not deploy this application on public servers or use it in production environments.\n\n---\n\n## **Vulnerabilities Overview**\n\n### 1. 
**NoSQL Injection**\n- **Description:** API endpoints pass request fields straight into MongoDB queries, so a JSON body that contains query operators is interpreted as part of the query instead of as plain data.\n- **Example Exploit:** Send the following as the JSON body of the login request. `{ \"$ne\": null }` matches any document whose field is set, so the query returns a user without a valid username or password.\n  ```json\n  {\n    \"username\": { \"$ne\": null },\n    \"password\": { \"$ne\": null }\n  }\n  ```\n\n### 2. **Cross-Site Scripting (XSS)**\n- **Description:** User input is rendered into the DOM as HTML without sanitization.\n- **Example Exploit:**\n  ```html\n  \u003cscript\u003ealert('XSS Exploit');\u003c/script\u003e\n  ```\n  Browsers do not execute `\u003cscript\u003e` elements inserted through `innerHTML`; if the payload above does not fire, use an event-handler payload such as `\u003cimg src=x onerror=alert('XSS')\u003e`.\n\n### 3. **Open Redirect**\n- **Description:** The redirect endpoint forwards the browser to whatever URL is given in the `redirect` parameter without validating it, so an attacker can send users to a site they control.\n- **Example Exploit:**\n  ```plaintext\n  https://example.com/redirect?redirect=http://malicious.com\n  ```\n\n### 4. **Session Management Issues**\n- **Description:** The session token is kept in `localStorage` instead of an `httpOnly` cookie, and it never expires.\n- **Example Exploit:**\n  - Any script running on the page, including the XSS payload above, can read the token with `localStorage.getItem(...)`, and because the token never expires a stolen token stays valid indefinitely.\n\n---\n\n## **Installation Instructions**\n\n1. **Clone the Repository:**\n   ```bash\n   git clone https://github.com/fatihtuzunn/vulnerable_react_app\n   cd vulnerable_react_app\n   ```\n\n2. **Install Dependencies:**\n   ```bash\n   npm install\n   ```\n\n3. **Start the Application:**\n   ```bash\n   npm start\n   ```\n\n4. **Access the Application:**\n   Open [http://localhost:3000](http://localhost:3000) in your browser.\n\n5. **Start the backend (required for the NoSQL Injection exercise):**\n   In a second terminal, from the repository root:\n   ```bash\n   cd backend\n   node server.js\n   ```\n\n---\n\n## **How to Use for Security Testing**\n\n- Use common penetration testing tools like **Burp Suite**, **OWASP ZAP**, or **Postman**.\n- Perform manual tests to identify vulnerabilities.\n- Inject payloads in input fields to test for XSS, NoSQL Injection, and Open Redirects.\n\n---\n\n## **Educational Goals**\n- Understand common web application vulnerabilities.\n- Learn about secure development practices.\n- Practice using security testing tools.\n\n---\n\n## **Security Best Practices Recommendations**\n\n1. 
**NoSQL Injection Prevention:**\n   - Check the type of every request field before it reaches a query (for example `typeof username === 'string'`); operator objects such as `{ \"$ne\": null }` must never be passed through as query values.\n   - Validate and sanitize all input; middleware such as `express-mongo-sanitize` strips keys that begin with `$`.\n\n2. **XSS Prevention:**\n   - Render user input as text through JSX, which React escapes by default, and avoid `dangerouslySetInnerHTML`.\n   - Where HTML must be rendered, sanitize it first with a library like `DOMPurify`.\n\n3. **Open Redirect Prevention:**\n   - Prefer relative paths on the application's own origin and validate every redirect target against a whitelist of allowed hosts.\n   - Parse the target with the URL API and compare the resulting host; string-prefix checks are bypassed by inputs such as `//malicious.com` and `https://example.com.malicious.com`.\n\n4. **Session Management Security:**\n   - Keep session tokens in cookies with the `httpOnly`, `secure`, and `SameSite` flags rather than in `localStorage`, so page scripts cannot read them.\n   - Implement token expiration and refresh mechanisms.\n\n---\n\n## **Contributions and Support**\n- Feel free to open issues or submit pull requests for improvements.\n\n---\n\n## **License**\nThis project is licensed under the MIT License. See the `LICENSE` file for details.\n\n---\n\n\u003e **Important Notice:** Use this project responsibly. Do not use the code or knowledge gained from this repository for malicious activities. The authors are not responsible for any misuse of this application.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffatihtuzunn%2Fvulnerable_react_app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffatihtuzunn%2Fvulnerable_react_app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffatihtuzunn%2Fvulnerable_react_app/lists"}
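Added example, not code from the fatihtuzunn/vulnerable_react_app repository or its README: a Node.js script that shows why the README's NoSQL injection payload (`{"username": {"$ne": null}, "password": {"$ne": null}}`) bypasses a typical login query and how the string type check from the recommendations stops it, plus an allowlist redirect validator that handles the `//host` and `trusted.com.evil.com` bypasses the open redirect section mentions. MongoDB is replaced by a small in-memory matcher so the file runs offline; the user records, `APP_ORIGIN` and `ALLOWED_HOSTS` are constructed for the example and are not the project's values.

```javascript
// Added example, not code from the vulnerable_react_app repository.
// MongoDB is stood in for by a tiny in-memory matcher so this runs offline;
// the user records, APP_ORIGIN and ALLOWED_HOSTS are constructed for the demo.

// Constructed sample user store (not real credentials).
const USERS = [
  { username: 'alice', password: 'correct horse battery staple' },
  { username: 'bob', password: 'hunter2' },
];

// Minimal stand-in for a MongoDB filter: equality, plus the $ne and $regex
// operators that injection payloads rely on. Like Mongo, it treats an object
// value as an operator expression rather than as a literal value.
function fieldMatches(value, condition) {
  if (condition !== null && typeof condition === 'object') {
    return Object.entries(condition).every(([op, arg]) => {
      if (op === '$ne') return value !== arg;
      if (op === '$regex') return new RegExp(arg).test(String(value));
      throw new Error(`unsupported operator ${op}`);
    });
  }
  return value === condition;
}

function findOne(filter) {
  const hit = USERS.find((user) =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(user[field], cond)));
  return hit || null;
}

// Vulnerable handler: the parsed JSON body goes straight into the filter, so
// {"username": {"$ne": null}, "password": {"$ne": null}} matches the first user.
function vulnerableLogin(body) {
  return findOne({ username: body.username, password: body.password });
}

// Hardened handler: only plain strings may become query values, so operator
// objects are rejected before any query is built.
function hardenedLogin(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  return findOne({ username, password });
}

// Open redirect: resolve the target against the app origin and allow it only
// when the scheme is https and the host is on the allowlist. Relative inputs
// like "/dashboard" resolve to the app origin; "//evil.com" and "/\evil.com"
// resolve to a foreign host, which the allowlist check then rejects.
const APP_ORIGIN = 'https://app.example.com'; // hypothetical origin
const ALLOWED_HOSTS = new Set(['app.example.com', 'docs.example.com']);

function safeRedirectTarget(target, fallback = '/') {
  if (typeof target !== 'string') return fallback;
  let parsed;
  try {
    parsed = new URL(target, APP_ORIGIN); // WHATWG URL parser (global in Node)
  } catch {
    return fallback; // unparseable input
  }
  if (parsed.protocol !== 'https:') return fallback; // blocks javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return fallback;
  return parsed.href;
}

// Stand-alone demonstration of both checks.
function demo() {
  const payload = { username: { $ne: null }, password: { $ne: null } };
  console.log('vulnerable login:', vulnerableLogin(payload)); // alice's record
  console.log('hardened login:  ', hardenedLogin(payload));   // null
  for (const t of ['/dashboard', '//evil.com', '/\\evil.com',
                   'https://app.example.com.evil.com/', 'javascript:alert(1)']) {
    console.log(t, '->', safeRedirectTarget(t));
  }
}
demo();
```

The hardened login keeps the query shape identical to the vulnerable one; the only difference is that operator objects can no longer reach `findOne`, which is the same property a type check in front of a real MongoDB driver call gives you. The redirect validator deliberately resolves the input with the URL parser before looking at the host, because that is where `//evil.com` and backslash variants are normalised; a prefix test on the raw string would pass them.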