You think your React application is secure? Think again

I had an awesome time presenting at ReactNext Conference 2021!

Here are some thoughts from me on why it was different this time.

This isn't the first frontend conference I've presented at, but it's the first time I'm presenting at ReactNext, and one of the few times I've presented at a React conference to begin with.

I wanted to break into the React/frontend world so that I could raise awareness for application security among frontend developers, but I didn't want to just do a talk about generic topics like JWT, auth, cookies and such. I wanted the topic to be real application security vulnerabilities.


But how can you have Cross-site Scripting attacks in React? It's a modern framework.

Developers might be aware of the very apparent dangerouslySetInnerHTML prop, which can lead to XSS, but even then they have edge cases they must support by using it. How do they sanitize that markup correctly?

Well, you can have XSS issues in React applications beyond just dangerouslySetInnerHTML usage, and that's what I showed: live hacking a React application through many potential XSS issues.
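To make that point concrete, here is an added example in plain JavaScript; it is not code from the original post and not React's own code. It models, without needing React, two things about how React renders: text children and attribute values are HTML-escaped, so a script payload in a display name comes out as harmless text, but URL-valued attributes are passed through untouched, so an <a href={user.site}> with a javascript: URL still executes on click (React 16.9 and later only log a warning for it). The safeHref helper, the example.com base URL and the sample profiles are constructed for this example and are assumptions, not React APIs or real data.

```javascript
// Added example, not code from the original post or from React itself.
// It models React's rendering of <a href={user.site}>{user.name}</a>:
//  (1) text children and attribute values are HTML-escaped, so an
//      "<img onerror=...>" payload in a display name renders as text;
//  (2) URL-valued attributes are NOT sanitized, so a "javascript:" URL in
//      href still runs on click (React 16.9+ only logs a warning).
// safeHref() and the example.com base are assumed names for this example.

// Mirrors the escaping React applies to text children and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Allow-list of URL schemes acceptable in an href. Everything else
// (javascript:, data:, vbscript:, unknown custom schemes) is refused.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Resolve a user-supplied URL with the WHATWG parser, then check its scheme.
// The parser strips leading/trailing C0 controls and spaces, removes tab and
// newline characters anywhere, and lower-cases the scheme, so obfuscated
// spellings such as " JaVaScRiPt:" or "java\nscript:" normalise to
// "javascript:" before the check. Relative paths resolve against `base`
// (an assumed site origin) and come out as https: links.
function safeHref(userUrl, base = 'https://example.com/') {
  let parsed;
  try {
    parsed = new URL(String(userUrl), base);
  } catch {
    return 'about:blank'; // unparseable input: render an inert link
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : 'about:blank';
}

// Markup React produces for <a href={user.site}>{user.name}</a>:
// the name is escaped and the href is quoted and escaped, but the URL
// scheme is untouched, so a javascript: link survives intact.
function renderProfileLinkVulnerable(user) {
  return `<a href="${escapeHtml(user.site)}">${escapeHtml(user.name)}</a>`;
}

// Hardened form: <a href={safeHref(user.site)}>{user.name}</a>.
function renderProfileLinkSafe(user) {
  return `<a href="${escapeHtml(safeHref(user.site))}">${escapeHtml(user.name)}</a>`;
}

// Constructed sample profiles, as an attacker might submit them.
const SAMPLE_USERS = [
  { name: 'alice', site: 'https://alice.example/' },
  { name: '<img src=x onerror=alert(1)>', site: '/about' },
  { name: 'mallory', site: 'javascript:alert(document.cookie)' },
  { name: 'mallory2', site: ' \tJaVa\nScRiPt:alert(1)' },
  { name: 'mallory3', site: 'data:text/html,<script>alert(1)</script>' },
];

for (const u of SAMPLE_USERS) {
  console.log('vulnerable:', renderProfileLinkVulnerable(u));
  console.log('hardened:  ', renderProfileLinkSafe(u));
}
```

Note that escaping is the wrong tool for the href case: the quote escaping React performs is intact in the vulnerable output, yet the link still runs script, because the attack lives in the URL scheme rather than in breaking out of the attribute. The check has to be on the parsed scheme, against an allow-list, after normalisation; a denylist string match on "javascript:" misses the whitespace and case variants the sample profiles include.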


The real thrill of the conference is, no doubt, the post-talk conversations. Folks really enjoyed the live coding followed by live hacking on stage. They appreciated the new ideas and potential pitfalls I shared, and they told me they didn't know many of these things were possible. That's a real win right there for me.


This was a lot of fun!

What else can we hack in React? I look forward to next year's edition in June 2022 to show you :-)

--

Liran Tal is a GitHub Star, recognized worldwide for championing open source software and actively working within communities to inspire and lift other humans. A JavaScript & Node.js software developer, building web applications and command-line tools. A web security activist, engaging in security research and software supply chain security, and a regular contributor and project lead on OWASP Foundation projects. An avid member of the Node.js Foundation ecosystem security working group, dedicated to advancing Node.js security awareness and skills in the open source community. Developer Advocate at Snyk.

You can follow Liran on Twitter


Shay Bankhalter

Founder @ Pink Media | Digital Marketing

2 years ago

Liran, Thanks for sharing!
