Added ReactJS exercise

.dockerignore

@@ -1 +1,5 @@
-node_modules
+.vscode
+.eslintrc.json
+.eslintrc.js
+node_modules/
+vuln_react_app/build/

.env

@@ -1,6 +1,6 @@
 DB_PORT=3306
 DB_NAME=vuln_nodejs_app
-DB_USER=root
-DB_PASS=secret
+DB_USER=vuln_nodejs_user
+DB_PASS=passw0rd
 HOST_PORT=9000
-JWT_SECRET="secret"
+JWT_SECRET=secret

.gitignore

@@ -2,3 +2,4 @@
 .eslintrc.json
 .eslintrc.js
 node_modules/
+vuln_react_app/build/

Dockerfile

@@ -4,5 +4,6 @@ COPY package*.json ./
 RUN npm install
 RUN npm install nodemon -g
 COPY . .
+RUN npm run build
 EXPOSE 9000
 CMD ["node", "server.js"]

README.md

@@ -38,7 +38,7 @@ cd ./vuln-nodejs-app
 2. Create **mysql** database.
 
 ```bash
-$ mysql -u root -p
+$ mysql -u <mysql_user> -p
 
 mysql> create database vuln_nodejs_app;
 
@@ -61,7 +61,13 @@ HOST_PORT=9000
 npm install
 ```
 
-5. Start the server
+5. Build ReactJs frontend.
+
+```bash
+npm run build
+```
+
+6. Start the server
 
 ```bash
 node server.js
@@ -87,7 +93,7 @@ access the application http://localhost:9000
 * 2FA Insecure Implementation
 * Cross-Site WebSocket Hijacking
 * WebSocket XSS
-
+* ReactJS XSS
 
 ## TODO:
 

controllers/vuln_handler.js

@@ -9,7 +9,8 @@ var ejs = require('ejs');
 var html_to_pdf = require('html-pdf-node');
 const { Op, and } = require('sequelize')
 const md5 = require('md5');
-const twofactor = require('node-2fa')
+const twofactor = require('node-2fa');
+const path = require('path');
 
 var con = mysql.createConnection({
     database: process.env.DB_NAME,
@@ -469,22 +470,44 @@ const totp_disable_post = (req, res) => {
     }
 }
 
-const websocket_hijacking_get = (req, res)=> {
-    Wallet.findOne({where:{username: req.user.username}}, {attributes:['BTC', 'ETH']})
-    .then((crypto_balance)=>{
-        res.render('cross-site-websocket-hijacking',{
-            BTC: crypto_balance.BTC,
-            ETH: crypto_balance.ETH
-        });  
-    })
+const websocket_hijacking_get = (req, res) => {
+    Wallet.findOne({ where: { username: req.user.username } }, { attributes: ['BTC', 'ETH'] })
+        .then((crypto_balance) => {
+            res.render('cross-site-websocket-hijacking', {
+                BTC: crypto_balance.BTC,
+                ETH: crypto_balance.ETH
+            });
+        })
 }
 
-const websocket_xss_get = (req, res)=> {
+const websocket_xss_get = (req, res) => {
     res.render('websocket-xss', {
         username: req.user.username
     })
 }
 
+const react_xss_get = (req, res) => {
+    res.sendFile(path.resolve(__dirname, '../vuln_react_app/build', 'index.html'));
+}
+
+const react_xss_post = (req, res) => {
+    console.log(req);
+    res.header("Access-Control-Allow-Origin", req.get('origin'));
+    res.header("Access-Control-Allow-Credentials", 'true');
+    res.send({name:req.body.name, email: req.body.email, website: req.body.website});
+}
+
+const react_xss_options = (req, res) => {
+    if (req.get('origin') !== undefined) {
+        res.header("Access-Control-Allow-Origin", req.get('origin'));
+        res.header("Access-Control-Allow-Credentials", 'true');
+        res.header("Access-Control-Allow-Methods", 'GET, POST');
+        res.header("Access-Control-Allow-Headers", 'Content-Type');
+        res.header("Access-Control-Max-Age", '5');
+    }
+    res.send(200);
+}
+
 module.exports = {
     app_index,
     xss_lab,
@@ -532,5 +555,8 @@ module.exports = {
     login_totp_verification_post,
     totp_disable_post,
     websocket_hijacking_get,
-    websocket_xss_get
+    websocket_xss_get,
+    react_xss_get,
+    react_xss_options,
+    react_xss_post
 }

docker-compose.yml

@@ -39,7 +39,7 @@ services:
       DB_PORT: ${DB_PORT}
       SERVICE_TAGS: prod
       SERVICE_NAME: nodeappservice
-      JWT_SECRET: secret
+      JWT_SECRET: ${JWT_SECRET}
     depends_on:
       - mysqldb
     networks:

package.json

@@ -20,7 +20,8 @@
     "x-xss-protection": "^2.0.0"
   },
   "scripts": {
-    "start": "nodemon server.js"
+    "start": "nodemon server.js",
+    "build": "cd vuln_react_app && npm install && npm run build"
   },
   "name": "vuln-nodejs-app",
   "version": "1.0.0",

routes/app.js

@@ -108,4 +108,9 @@ router.get('/cross-site-websocket-hijacking', auth_controller.authenticateToken,
 
 router.get('/websocket-xss', auth_controller.authenticateToken, vuln_handler.websocket_xss_get);
 
+router.route('/react-xss')
+    .get(auth_controller.authenticateToken, vuln_handler.react_xss_get)
+    .options(vuln_handler.react_xss_options)
+    .post(vuln_handler.react_xss_post);
+
 module.exports = router;

server.js

@@ -5,7 +5,8 @@ const cookieParser = require('cookie-parser');
 const jwt = require('jsonwebtoken');
 const { Users, Wallet } = require('./models/db')
 const cookie = require('cookie');
-const request = require('request')
+const request = require('request');
+const path = require('path')
 
 require("dotenv").config();
 
@@ -15,6 +16,7 @@ app.use(express.json());
 
 app.use(router);
 app.use(express.static('./assets'))
+app.use(express.static(path.resolve(__dirname, './vuln_react_app/build')));
 
 app.set('view engine', 'ejs');
 

views/index.ejs

@@ -1,4 +1,3 @@
-<!doctype html>
 <html lang="en">
 
 <head>
@@ -194,10 +193,11 @@
     <div class="col-sm-6">
       <div class="card">
         <div class="card-body">
-          <h5 class="card-title">WebSocket XSS</h5>
-          <p class="card-text">Application is using websocket for real-time chat feature, But has only implemented client side input santization.</p>
+          <h5 class="card-title">ReactJS XSS</h5>
+          <p class="card-text">Application is using ReactJS which provides by default protection from XSS your goal is to
+            perform XSS in ReactJS applications.</p>
           <br>
-          <a href="/websocket-xss" class="btn btn-primary">Exploit -&#x3e;</a>
+          <a href="/react-xss" class="btn btn-primary">Exploit -&#x3e;</a>
         </div>
       </div>
     </div>

vuln_react_app/.gitignore

@@ -0,0 +1,23 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.js
+
+# testing
+/coverage
+
+# production
+/build
+
+# misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*

vuln_react_app/README.md

@@ -0,0 +1,70 @@
+# Getting Started with Create React App
+
+This project was bootstrapped with [Create React App](https://github.com/facebook/create-react-app).
+
+## Available Scripts
+
+In the project directory, you can run:
+
+### `npm start`
+
+Runs the app in the development mode.\
+Open [http://localhost:3000](http://localhost:3000) to view it in your browser.
+
+The page will reload when you make changes.\
+You may also see any lint errors in the console.
+
+### `npm test`
+
+Launches the test runner in the interactive watch mode.\
+See the section about [running tests](https://facebook.github.io/create-react-app/docs/running-tests) for more information.
+
+### `npm run build`
+
+Builds the app for production to the `build` folder.\
+It correctly bundles React in production mode and optimizes the build for the best performance.
+
+The build is minified and the filenames include the hashes.\
+Your app is ready to be deployed!
+
+See the section about [deployment](https://facebook.github.io/create-react-app/docs/deployment) for more information.
+
+### `npm run eject`
+
+**Note: this is a one-way operation. Once you `eject`, you can't go back!**
+
+If you aren't satisfied with the build tool and configuration choices, you can `eject` at any time. This command will remove the single build dependency from your project.
+
+Instead, it will copy all the configuration files and the transitive dependencies (webpack, Babel, ESLint, etc) right into your project so you have full control over them. All of the commands except `eject` will still work, but they will point to the copied scripts so you can tweak them. At this point you're on your own.
+
+You don't have to ever use `eject`. The curated feature set is suitable for small and middle deployments, and you shouldn't feel obligated to use this feature. However we understand that this tool wouldn't be useful if you couldn't customize it when you are ready for it.
+
+## Learn More
+
+You can learn more in the [Create React App documentation](https://facebook.github.io/create-react-app/docs/getting-started).
+
+To learn React, check out the [React documentation](https://reactjs.org/).
+
+### Code Splitting
+
+This section has moved here: [https://facebook.github.io/create-react-app/docs/code-splitting](https://facebook.github.io/create-react-app/docs/code-splitting)
+
+### Analyzing the Bundle Size
+
+This section has moved here: [https://facebook.github.io/create-react-app/docs/analyzing-the-bundle-size](https://facebook.github.io/create-react-app/docs/analyzing-the-bundle-size)
+
+### Making a Progressive Web App
+
+This section has moved here: [https://facebook.github.io/create-react-app/docs/making-a-progressive-web-app](https://facebook.github.io/create-react-app/docs/making-a-progressive-web-app)
+
+### Advanced Configuration
+
+This section has moved here: [https://facebook.github.io/create-react-app/docs/advanced-configuration](https://facebook.github.io/create-react-app/docs/advanced-configuration)
+
+### Deployment
+
+This section has moved here: [https://facebook.github.io/create-react-app/docs/deployment](https://facebook.github.io/create-react-app/docs/deployment)
+
+### `npm run build` fails to minify
+
+This section has moved here: [https://facebook.github.io/create-react-app/docs/troubleshooting#npm-run-build-fails-to-minify](https://facebook.github.io/create-react-app/docs/troubleshooting#npm-run-build-fails-to-minify)