Giter Club home page Giter Club logo

bug-collection's Introduction

Welcome to MetroBook Store, highly vulnerable web application.

This application was intentionally impregnated with vulnerabilities and has a test bench to prove the concepts of vulnerabilities in the React application.

The application uses React/Next/Typescript/MongoDB

Here is working web-version, deployed on Vercel https://metrobooks.vercel.app/

There are:

  • 1 broken access control (A01:2021-Broken Access Control) [pages/account/index.tsx]
  • 3 plain text secret tokens hardcoded (A02:2021-Cryptographic Failures) [data/constants.ts]
  • 9 markup injections (A03:2021-Injection) [components/testLib]
  • 5 business logic injections (A03:2021-Injection) [components/testLib]
  • 5 DB injections (A03: 2021-Injection) [pages/api/bio/index.ts, pages/api/auth/authenticate/index.ts, pages/api/inventory/, pages/api/signup/index.ts]
  • 8 system information disclosure (A04:2021-Insecure Design ) [next.config.js, components/testLib/poc_PrototypePollution/PrototypePollution.tsx, pages/dashboard/index.tsx, components/testLib/safe_BaseService/BaseServiceComponent.tsx]
  • 1 account enumeration failure (A05:2021-Security Misconfiguration ) [pages/login/index.tsx]
  • 2 vulnerable components (A06:2021-Vulnerable and Outdated Components)
  • 5 authorisation failures (A07:2021-Identification and Authentication Failures) [pages/api/bio/index.ts, pages/api/dashboard-data/index.ts, pages/api/inventory, pages/api/users/index.ts]
  • 1 the session identifier in the URL exposure (A07:2021–Identification and Authentication Failures) [components/testLib/safe_BaseService/BaseServiceComponent.tsx:11]
  • 1 Insecure deserialization of untrusted data & prototype pollution (A08:2021 – Software and Data Integrity Failures) [components/testLib/poc_PrototypePollution/PrototypePollution.tsx]
  • 1 logging failure (A09:2021-Security Logging and Monitoring Failures)
  • Bad protocol settings .yaml

Sample dataflow:

Future developments:

  1. ReactDOMServer.renderToStaticMarkup
  2. vulnerable iframe

https://venngage.com/tools/accessible-color-palette-generator

bug-collection's People

Contributors

valentin-panov avatar

Stargazers

Mitesh Mehla avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.