React.js Security

Course Description

React is a popular front-end web framework that has changed how many people develop applications. While React is fairly secure out of the box, there are still things to consider when using it to build applications. This course teaches you how to avoid the common pitfalls developers encounter when they assume React will automatically protect them from all types of security issues.

Learning Objectives

  • Write secure React components
  • Prevent React component injection attacks
  • Securely handle attacker-controlled JSON
  • Avoid vulnerable third-party React component libraries
  • Use client-side routing securely
  • Avoid the use of vulnerable versions of React

Details

Delivery Format: eLearning

Duration: 1 hour

Level: Intermediate

Intended Audience:

  • Front-End Developers

Prerequisites: None

Course Outline

Introduction

  • Securing React Components
  • The Attack Surface
  • The Threats
  • Building Secure React Components
  • XSS via a Spoofed React Element

Avoiding Component Injection Attacks

  • Introduction to Component Injection Attacks
  • Creating React Components
  • React's Auto Escaping
  • Attacker-Controlled Link Values
  • Attacker-Controlled CSS
  • Attacker-Controlled Value in Third-Party Components

Avoiding Attacker-Controlled JSON Exploits

  • JSON Attacks in the React Ecosystem
  • Code Injection via Preloaded State
  • Avoiding Attacker-Controlled JSON Attacks
  • XSS in the Redux Documentation Example Code

Avoiding Vulnerable Third-Party Libraries

  • Reviewing a Module for Code Mistakes
  • Reviewing a Module for Insecure Configuration
  • Judging Modules Based on Metrics
  • Finding Reported Vulnerabilities in React Modules
  • Automation
  • Backdoor Discovered in Popular Module

Avoiding Trust in Client-Side Routing as a Security Control

  • Client-Side Routing
  • Security Controls in React Router
  • Avoiding Client-Side Enforcement of Server-Side Security

Avoiding Vulnerable Versions of React

  • npm audit
  • Upgrading React
  • XSS in Imgur