Pentest Testing Corp

Your CCTV NVR Is a Server (Treat It Like One)

If you manage CCTV or NVR gear in a small business, treat it like a production server—not a “set-and-forget” appliance. CISA added the Digiever DS-2105 Pro NVR vulnerability (CVE-2023-52163) to the Known Exploited Vulnerabilities (KEV) catalog amid active exploitation, proving that “non-IT” devices can quickly become botnet footholds and lateral-movement launchpads.

This post turns the Digiever DS-2105 Pro incident into an actionable IoT patch hygiene program SMBs can run without a huge budget—with configs, scripts, and audit-friendly evidence you can hand to leadership, auditors, or your MSP.

TL;DR: The 7-Fix Playbook

Find every NVR (including Digiever DS-2105 Pro) and assign an owner

Remove internet exposure: no port forwards, no inbound WAN to NVRs

Disable UPnP so routers don’t reopen ports automatically

Isolate NVRs on a dedicated CCTV VLAN and restrict egress (default-deny)

Lock down admin access: unique creds, least privilege, MFA via VPN/jump

Patch on a KEV-driven emergency workflow; use compensating controls if delayed

Turn on budget detection: DNS spikes, outbound beacons, unusual destinations

1) Why NVRs Get Owned (and Why It Keeps Happening)

Most NVR compromises follow a repeatable pattern: the device is reachable from the internet, firmware is outdated, and the network treats it like a trusted internal host. Once an attacker lands, they can drop a botnet payload, pivot into file shares, or exfiltrate footage.

Common exposure patterns

NVR web UI exposed to WAN (port-forwarding, public IP, or cloud relay)

UPnP enabled → automatic inbound mappings

Default/reused admin credentials; shared “installer” accounts

Flat network: NVR sits beside laptops, servers, POS

No centralized logging: compromise looks like “normal traffic”

2) Operationalize CISA KEV for Edge/IoT (Not Just Servers)

Many SMBs treat CISA KEV as an IT problem for Windows and servers. That’s the mistake. KEV additions should be “drop-everything” for edge/IoT too: NVRs, routers, VPN gateways, printers, NAS.

Minimum viable KEV workflow (SMB-friendly)

Triage (30 minutes): Do we have the product/model/version anywhere?

Decide (2 hours): Patch now, isolate now, or disable exposure now

Execute (48 hours): Implement the fix + capture evidence (exports/screenshots)

Close the loop: Validate externally (reachability) + internally (logs/alerts)

KEV mapping script (offline, no external links)

Keep a locally synced KEV file (JSON/CSV) inside your environment and compare it to your IoT inventory:

# kev_match.py import csv import json from pathlib import Path KEV_JSON = Path("kev_catalog.json") # locally synced copy ASSETS_CSV = Path("iot_inventory.csv") # your CMDB-lite export def norm(s: str) -> str: return (s or "").strip().lower() kev = json.loads(KEV_JSON.read_text(encoding="utf-8")) kev_rows = kev.get("vulnerabilities", kev) hits = [] with ASSETS_CSV.open(newline="", encoding="utf-8") as f: for row in csv.DictReader(f): product = norm(row.get("product") or row.get("vendor_model")) vendor = norm(row.get("vendor")) for k in kev_rows: if norm(k.get("product")) in product and norm(k.get("vendor")) in vendor: hits.append({ "asset_id": row.get("asset_id"), "hostname": row.get("hostname"), "product": row.get("product") or row.get("vendor_model"), "cveID": k.get("cveID") or k.get("cve"), }) print(f"KEV matches: {len(hits)}") for h in hits: print(f"- {h['asset_id']} {h['product']} => {h['cveID']}")

3) The 7 Powerful Fixes (48-Hour Hardening Sprint)

Use these steps for Digiever DS-2105 Pro CVE-2023-52163, then keep them as a repeatable playbook for any NVR vulnerability.

Fix 1 — Find Every NVR (Inventory + Discovery)

Start with “IoT CMDB lite”: devices, owners, location, firmware, access path, patch dates.

asset_id,hostname,ip,mac,vendor,product,firmware,location,owner,criticality,remote_access,notes,last_patch_date,kev_hit iot-001,nvr-frontdesk,10.30.10.10,AA:BB:CC:DD:EE:FF,Digiever,DS-2105 Pro,3.1.0.71-11,Front Desk,Facilities,High,None,"On VLAN 30",2025-12-01,yes

Discovery scan (authorized only):

nmap -sS -sV -Pn --open -p 22,23,80,443,554,8000,8080,8443,8899 10.30.0.0/16 -oA cctv_discovery

Fix 2 — Remove Inbound WAN Exposure (Port Forwards = Compromise)

Fastest risk reduction: delete port forwards, disable remote management, block inbound WAN to CCTV subnet.

Linux nftables (example pattern):

nft add table inet filter nft 'add chain inet filter input { type filter hook input priority 0; policy drop; }' nft 'add rule inet filter input ct state established,related accept' nft 'add rule inet filter input iifname "lo" accept' nft 'add rule inet filter input ip saddr 10.10.0.0/16 accept' # Admin VPN

MikroTik (drop inbound to CCTV VLAN + remove NAT forwards):

/ip firewall filter add chain=input connection-state=established,related action=accept add chain=input src-address=10.10.0.0/16 action=accept comment="Admin VPN/jump subnet" add chain=input in-interface=WAN dst-address=10.30.0.0/16 action=drop comment="Block WAN to CCTV" /ip firewall nat # Remove any dst-nat rules that forward ports to 10.30.0.0/16

Ubiquiti EdgeOS (example):

configure delete service nat rule 100 # remove a port forward rule set firewall name WAN_LOCAL default-action drop set firewall name WAN_LOCAL rule 10 action accept set firewall name WAN_LOCAL rule 10 state established enable set firewall name WAN_LOCAL rule 10 state related enable set firewall name WAN_LOCAL rule 50 action drop set firewall name WAN_LOCAL rule 50 destination address 10.30.0.0/16 commit; save; exit

Fix 3 — Disable UPnP (Stop Ports From Reopening)

UPnP is how routers silently expose NVR admin panels.

MikroTik:

/ip upnp set enabled=no

OpenWrt:

uci set upnpd.config.enabled='0' uci commit upnpd /etc/init.d/miniupnpd stop /etc/init.d/miniupnpd disable

Fix 4 — Isolate NVRs on a CCTV VLAN (Segmentation You Can Prove)

Dedicated VLAN prevents pivoting into business systems and creates clean audit evidence.

Cisco IOS (VLAN 30 example):

conf t vlan 30 name CCTV_NVR interface range gi1/0/10-12 switchport mode access switchport access vlan 30 spanning-tree portfast end wr mem

Default-deny egress (allow only what’s needed):

nft add rule inet filter forward ip saddr 10.30.0.0/16 ip daddr 10.30.0.53 udp dport 53 accept nft add rule inet filter forward ip saddr 10.30.0.0/16 ip daddr 10.30.0.53 tcp dport 53 accept nft add rule inet filter forward ip saddr 10.30.0.0/16 udp dport 123 accept nft add rule inet filter forward ip saddr 10.30.0.0/16 ip daddr 10.20.5.25 tcp dport 443 accept # viewing station nft add rule inet filter forward ip saddr 10.30.0.0/16 oifname "WAN" drop

Fix 5 — Lock Down Admin Access (Accounts, MFA, Safe Remote Viewing)

Even after patching, assume attackers probe exposed admin paths.

Remove/rename default admin accounts; eliminate shared installer creds

Unique long passwords in a password manager

Admin UI only from admin VLAN/VPN (never WAN)

Remote viewing via VPN/jump host (no port forwarding)

Enable NTP/time sync for usable logs

Internal-only allowlist reverse proxy pattern:

server { listen 443 ssl; server_name nvr-admin.local; allow 10.10.0.0/16; # Admin VPN allow 192.168.50.0/24; # Jump host subnet deny all; location / { proxy_pass http://10.30.10.10; proxy_set_header Host $host; } }

Fix 6 — Patch Fast (KEV Emergency SLA) + Compensating Controls

For KEV-listed issues like CVE-2023-52163, use an emergency SLA (48 hours), even if normal IoT patching is monthly. If patching is blocked (EOL, vendor delay), apply compensating controls until replacement.

Patch SLA tracker:

# patch_sla.py import csv from datetime import datetime, timedelta EMERGENCY_DAYS = 2 MONTHLY_DAYS = 30 def parse(d): return datetime.strptime(d, "%Y-%m-%d") today = datetime.utcnow().date() with open("iot_inventory.csv", newline="", encoding="utf-8") as f: for r in csv.DictReader(f): last_patch = r.get("last_patch_date") or "1970-01-01" sla = EMERGENCY_DAYS if (r.get("kev_hit","").lower() == "yes") else MONTHLY_DAYS due = parse(last_patch).date() + timedelta(days=sla) if today > due: print(f"[OVERDUE] {r.get('asset_id')} {r.get('product')} due={due} owner={r.get('owner')}")

Virtual patch example (block risky path while patching):

location ~* /time_tzsetup\.cgi { return 403; }

Fix 7 — Detection on a Budget (Beacons, DNS Spikes, Unusual Destinations)

You don’t need a full SOC—just a few high-signal checks.

Minimum viable logging

Firewall logs for CCTV VLAN egress (at least denies)

DNS logs (queries from CCTV VLAN devices)

DHCP leases (MAC-to-IP history)

Syslog from NVR (auth/config changes/reboots), if supported

Suricata-style alert (example):

alert ip 10.30.0.0/16 any -> any ![53,80,123,443] (msg:"CCTV unusual egress port"; sid:1003001; rev:1;)

DNS spike watch:

# dns_spike_watch.py from collections import Counter import re LOG = "dns.log" CCTV_SUBNET_PREFIX = "10.30." pattern = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+query\s+(\S+)") counts = Counter() with open(LOG, encoding="utf-8", errors="ignore") as f: for line in f: m = pattern.search(line) if not m: continue ip, domain = m.group(1), m.group(2).lower().strip(".") if ip.startswith(CCTV_SUBNET_PREFIX): counts[(ip, domain)] += 1 for (ip, domain), n in counts.most_common(25): if n >= 50: print(f"[DNS SPIKE] {ip} -> {domain}: {n}")

4) Free Security tool Screenshots (Trust + Conversions)

Free Website Vulnerability Scanner tool by Pentest Testing Corp

Sample report from the tool to check Website Vulnerability

5) Compliance Angle: Turn Controls Into Audit Evidence

Even without formal certification, these artifacts help with customer questionnaires, cyber insurance, and incident response.

Evidence pack (copy/paste):

/evidence/iot-nvr-hardening/ 01_inventory/iot_inventory.csv 02_network/segmentation_diagram.png 03_firewall/cctv_vlan_rules_export.txt 04_patching/firmware_versions_before_after.csv 05_validation/external_port_scan_before_after.txt 06_monitoring/dns_spike_alerts_screenshots/ 07_change_control/change_record.yaml

Hash manifest:

find evidence -type f -print0 | xargs -0 sha256sum > evidence_hashes.sha256

6) When to Bring Experts (and What to Scope)

Bring in a scoped assessment when:

You can’t confidently remove WAN exposure

Segmentation is messy / breaks operations

You suspect compromise already

You need audit-grade validation

Practical scope: validate remote-access paths, test segmentation boundaries, review firewall rules, and simulate pivot attempts from CCTV VLAN into business systems.

Where Pentest Testing Corp Helps (Internal Links Only)

If you need an audit-friendly plan to reduce IoT and network risk, start at:

https://www.pentesttesting.com/

For formal gap mapping and prioritization:

Risk Assessment Services: https://www.pentesttesting.com/risk-assessment-services/

Remediation Services: https://www.pentesttesting.com/remediation-services/

Relevant testing services for edge/IoT exposure:

Internal Network Penetration Testing: https://www.pentesttesting.com/internal-network-pentest-testing/

External Network Penetration Testing: https://www.pentesttesting.com/external-network-pentest-testing/

Managed IT Services: https://www.pentesttesting.com/managed-it-services/

Related reading (recent):

https://www.pentesttesting.com/misconfigured-edge-devices-hardening-sprint/

https://www.pentesttesting.com/cisa-kev-remediation-sprint-in-30-days/

https://www.pentesttesting.com/sierra-wireless-airlink-aleos-vulnerability/

TL;DR

Regulatory Surge 2025 is real: DORA in force, NIS2 maturing, and stricter disclosure & third-party rules. Treat DORA compliance cybersecurity 2025 as a business mandate—board-level risk, not a checkbox. Below you’ll get implementation-ready code (Python, Bash, YAML, SQL, Rego) to stand up asset inventory, vendor oversight, rapid incident reporting, and remediation proof. Bookmark this and ship one step per day this week.

Context: What changed in 2025?

DORA is applicable from Jan 17, 2025 across the EU financial sector (and ICT providers in scope).

NIS2 is now in national laws across the EU; enforcement continues tightening through 2025–2026.

Expect shorter incident timelines, stricter third-party governance, and evidence-heavy audits.

Bottom line: “DORA compliance cybersecurity 2025” means operational resilience must be designed, measured, and provable.

Implications for leaders (Boards, Risk, CISOs)

Third-party & supply-chain governance: document who runs critical ICT, SLAs, exit plans, and resilience of providers.

Incident handling: classify & report “major ICT incidents” rapidly; keep audit-ready evidence.

Disclosure & transparency: be ready to brief regulators and customers with facts, timelines, and mitigations.

Continuous assurance: tabletop exercises, failure drills, recovery metrics, and ongoing remediation tracking.

The 7 Powerful Steps (actionable)

Complete Asset & Service Inventory Map every business service → systems → data → vendors. Tag criticality, owner, RTO/RPO, and regulator relevance.

Tighten Third-Party Oversight Maintain a registry of providers, DPAs, certifications (ISO 27001/SOC 2), breach history, country of operation, and failover plans.

Incident Simulation & Reporting Classify “major” vs “minor”; pre-write JSON forms for initial/updated/final notices; run quarterly table-tops.

Resilience Engineering Backups, immutability, restore drills, dependency mapping, and blast-radius controls.

Secure Build & Deploy SAST/SCA/secret scanning in CI; artifact signing; SBOM gates; drift detection in infra.

Evidence-First Remediation Every fix should produce logs, screenshots, CLI outputs, and PR links—attach them to your ticketing system.

Outside-In Verification Run an external snapshot after every change window. Quick win: scan your public footprint and capture a before/after report.

Free Website Vulnerability Scanner Homepage scan form

Screenshot of the free tools webpage where you can access security assessment tools.

Implementation Snippets (copy-ready)

1) Asset Inventory: tag coverage & gaps (Python)

# inventory_merge.py # Goal: single CSV of assets with owner, criticality, data class, and vendor import csv, json, pathlib fields = ["asset_id","name","owner","criticality","data_class","env","vendor","region"] rows = [] for p in pathlib.Path("./feeds").glob("*.json"): data = json.loads(p.read_text()) for a in data.get("assets", []): rows.append({f: a.get(f, "") for f in fields}) with open("inventory_master.csv","w",newline="") as f: w = csv.DictWriter(f, fieldnames=fields) w.writeheader(); w.writerows(rows) print("Wrote inventory_master.csv")

2) Find “orphaned” assets (SQL)

-- Assets missing owner or criticality SELECT asset_id, name, env FROM cmdb_assets WHERE (owner IS NULL OR owner = '') OR (criticality IS NULL OR criticality = '');

3) Vendor policy as code (OPA/Rego)

package vendor.governance default allow = false allow { input.critical == "high" input.soc2 in ["Type I","Type II"] input.iso27001 == true input.breach_history.count <= 0 input.exit_plan_documented == true }

4) Incident: initial report template (JSON)

{ "classification": "major-ict-incident", "discovered_at": "2025-10-19T10:15:00Z", "summary": "Payment API outage due to DB failover error", "impact": { "services": ["payments"], "users_affected": 42000, "regions": ["EU"] }, "containment": "Failover reverted; read replica isolated", "indicators": ["db timeouts", "replica lag > 60s"], "regulators_notified": ["<YOUR COMPETENT AUTHORITY>"], "next_update_due": "2025-10-19T12:15:00Z" }

5) Compute your internal reporting deadline (Python)

from datetime import datetime, timedelta, timezone def next_update(now_iso: str, cadence_hours=2): now = datetime.fromisoformat(now_iso.replace("Z","+00:00")) return (now + timedelta(hours=cadence_hours)).astimezone(timezone.utc).isoformat().replace("+00:00","Z") print(next_update("2025-10-19T10:15:00Z")) # => 2-hour auto reminder

6) CI pipeline (GitHub Actions) for SAST/SCA + SBOM gate (YAML)

name: secure-build on: [push, pull_request] jobs: build-and-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Build run: | pip install -r requirements.txt python -m compileall . - name: SAST run: pip install bandit && bandit -r . -f json -o bandit.json || true - name: SCA & SBOM run: pip install pip-audit && pip-audit -f json -o sca.json || true - name: SBOM Gate (fail on critical vulns) run: python scripts/sbom_gate.py sca.json --max-severity=high

7) SBOM gate script (Python)

# scripts/sbom_gate.py import sys, json severity_order = {"low":1,"moderate":2,"medium":2,"high":3,"critical":4} sca = json.load(open(sys.argv[1])) threshold = severity_order[sys.argv[3].split("=")[1]] for v in sca.get("vulnerabilities", []): sev = severity_order.get(v.get("severity","low"),1) if sev >= threshold: print(f"Blocking: {v['id']} {v['severity']} {v['fix_version']}") sys.exit(1) print("SBOM gate passed")

8) Windows evidence capture for an incident (PowerShell)

# Collect logs + config for audit evidence $ts = Get-Date -Format "yyyyMMdd-HHmm" New-Item -ItemType Directory -Path "C:\evidence\$ts" -Force | Out-Null wevtutil epl System "C:\evidence\$ts\system.evtx" wevtutil epl Application "C:\evidence\$ts\application.evtx" ipconfig /all > "C:\evidence\$ts\net.txt" Get-WindowsFeature | Where Installed > "C:\evidence\$ts\features.txt"

9) Quick outside-in snapshot after change (Bash)

# Replace with your domain; captures headers and key risks for evidence DOMAIN="example.com" curl -s -I https://$DOMAIN | tee headers.txt # Tip: also run your external scanner and store the PDF/HTML report with the CAB number

10) Use our free external scan in change windows

# Run an outside-in check (manual step) and attach the report to the change ticket

# Free tool (browser): https://free.pentesttesting.com/

# Evidence: Save "before" and "after" screenshots + generated report

Sample Report to check Website Vulnerability — “Summary chart + top findings”

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Forward-looking: Beyond checkbox compliance

Compliance isn’t the finish line. The winners treat DORA compliance cybersecurity 2025 as a forcing function to build transparent, testable resilience. That means: codified policies, repeatable drills, and evidence that stands up to scrutiny—from auditors and customers.

Where to go next (internal resources)

Read more on our Blog. Recent favourites: • CVE-2025-41244 VMware Remediation: 7-Step Rapid Playbook (evidence-first fixes) • 7 Proven Continuous Threat Exposure Management Tactics (continuous assurance) • Windows 10 End of Support 2025: Remediation Plan (exec-ready rollout)

Level-up with our Risk Assessment Services (HIPAA, PCI DSS, SOC 2, ISO 27001, GDPR)

Close gaps fast with Remediation Services

Quick win today: run an outside-in scan via free.pentesttesting.com and attach the report to your CAB ticket.

Conclusion

TL;DR — The F5 breach source code theft underscores that even security vendors can become software supply-chain risks. Below are 7 practical, code-level controls you can roll out right now: repository segmentation, least-privileged access, secret & provenance checks, source-integrity verification, and continuous monitoring — plus how to audit your vendors today.

[Read More ↴]

What’s known (high level)

Public reports indicate attackers gained access to F5’s internal systems and exfiltrated source code artifacts. As with similar incidents, the likely playbook includes credential compromise, lateral movement to developer infrastructure, and stealthy data staging before exfiltration. The big takeaway: source code theft triggers supply-chain risk (downstream trust, investor questions, incident classification shifts) even when customer-facing products aren’t immediately impacted.

Vendor / third-party risk: 7 battle-tested lessons

1) Segment repositories by blast radius

Goal: If a vendor (or your support account) is compromised, avoid “all-repo” exposure.

Terraform (GitHub provider) — disable forking, require signed commits, secret scanning, and Dependabot alerts per repo:

# terraform { # required_providers { github = { source = "integrations/github", version = "~> 6.0" } } # } provider "github" { owner = "your-org" } resource "github_repository" "payments_core" { name = "payments-core" allow_merge_commit = false allow_squash_merge = true allow_rebase_merge = false delete_branch_on_merge = true vulnerability_alerts = true has_issues = true has_projects = false has_wiki = false allow_auto_merge = true allow_update_branch = true web_commit_signoff_required = true # require signed commits visibility = "private" allow_forking = false }

Try this quick check (free)

Run a light scan of your public footprint and attach the results to your risk record:

Free Website Vulnerability Scanner →

Screenshot of the free tools webpage where you can access security assessment tools.

2) Enforce least-privileged vendor access (time-boxed + IP-restricted)

Python (PyGithub): find outside collaborators with overly broad permissions and auto-downgrade to “triage”.

# pip install PyGithub from github import Github import os, datetime g = Github(os.getenv("GITHUB_TOKEN")) org = g.get_organization("your-org") for repo in org.get_repos(): for collab in repo.get_collaborators(): perm = repo.get_collaborator_permission(collab) if collab.type == "User" and collab.login.endswith("-vendor"): # time-box vendor access: remove if older than 14 days inv = repo.get_issues(labels=["vendor-access", collab.login]) granted_at = None for i in inv: if "granted_at:" in i.body: granted_at = i.body.split("granted_at:")[1].strip() break # Fallback: enforce least privilege if perm in ("admin","maintain","write"): repo.remove_from_collaborators(collab) repo.add_to_collaborators(collab, permission="triage") print(f"Downgraded {collab.login} on {repo.name} -> triage")

Tip: Put vendor users in a separate SSO group with IP allow-listing and session duration limits.

3) Put code escrow & build integrity in contracts

Require escrow of clean, validated source plus build scripts.

Stipulate provenance attestations (SLSA-style) for critical releases.

Demand SBOMs (CycloneDX) and change-control on third-party libraries.

Node (package release gate) — verify provenance + SBOM exists before publish:

// package.json (scripts block) { "scripts": { "prepublishOnly": "node scripts/verify-provenance.js && node scripts/check-sbom.js" } } // scripts/check-sbom.js const fs = require('fs'); if (!fs.existsSync('sbom.cdx.json')) { console.error('SBOM missing (CycloneDX required).'); process.exit(1); } console.log('SBOM present.');

4) Monitor repos for anomalous exfil

Sigma (generic SIEM): detect large Git over SSH egress to public hosts

title: Suspicious Large Git Egress logsource: product: network service: proxy detection: selection: destination_port: 22 destination_domain|endswith: - github.com - gitlab.com condition: selection and bytes_out > 500000000 # >500MB level: high

KQL (Sentinel): burst cloning from CI workers

CommonSecurityLog | where DestinationPort == "22" | where DestinationHostName has_any ("github.com","gitlab.com") | summarize total_out = sum(ReceivedBytes), conns = count() by SourceIP, bin(TimeGenerated, 1h) | where total_out > 5e8 or conns > 50

5) Block secrets & sensitive blobs at the pre-receive gate

Git server hook (bash): reject pushes that contain *.pem, .env, or >50MB packfiles.

#!/usr/bin/env bash # .git/hooks/pre-receive (server-side) set -euo pipefail tmp=$(mktemp) while read old new ref; do git diff --name-only $old $new >> "$tmp" done if egrep -i '\.pem$|\.env$|id_rsa|\.pfx$' "$tmp"; then echo "Push rejected: sensitive file pattern detected." >&2 exit 1 fi size=$(git pack-objects --revs --stdout < "$tmp" | wc -c) if [ "$size" -gt 52428800 ]; then echo "Push rejected: pack too large (>50MB). Use LFS or split." >&2 exit 1 fi

GitHub Actions (Gitleaks) on PRs:

name: secrets-scan on: [pull_request] jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: gitleaks/gitleaks-action@v2 with: {args: "--redact --report-path gitleaks.json"}

6) Verify source integrity continuously (SBOM + hashes)

Python: compare today’s built artifact dependencies to yesterday’s SBOM; fail on unexpected drift.

import json, sys, hashlib def load_deps(sbom_file): deps = {} with open(sbom_file) as f: data = json.load(f) for comp in data.get("components", []): purl = comp.get("purl") hashv = "" for h in comp.get("hashes", []): if h.get("alg") in ("SHA-256","SHA256"): hashv = h.get("content") if purl: deps[purl] = hashv return deps prev = load_deps("sbom.prev.cdx.json") curr = load_deps("sbom.cdx.json") drift = [p for p in curr if p not in prev or prev[p] != curr[p]] if drift: print("Dependency drift detected:", *drift, sep="\n - ") sys.exit(1) print("SBOM check OK")

7) Disclosure & transparency plan

Treat public code theft as a distinct scenario in your IR plan.

Pre-draft regulatory + investor language when source is involved.

Maintain a customer-facing change log for security-relevant fixes.

Capture evidence (tickets, diffs, scans) to prove due diligence.

Bash: build an “evidence bundle” zip from your pipeline:

mkdir -p evidence && \ cp out/build_manifest.json evidence/ && \ cp gitleaks.json evidence/ || true && \ git log -n 50 --pretty='%h|%an|%ar|%s' > evidence/gitlog.txt && \ zip -r evidence_bundle.zip evidence echo "Attach evidence_bundle.zip to the incident record."

Sample report from the tool

Use this to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

What to do now (30-day checklist)

Week 1

Inventory which vendors can access your code or CI.

Remove standing admin; time-box with approvals.

Enable org-wide secret scanning & signed commits.

Week 2 4. Split high-value repos; disable forking & limit CI tokens by repo. 5. Add pre-receive checks and Gitleaks on PRs.

Week 3 6. Require SBOMs and provenance attestations for vendor builds. 7. Stand up egress anomaly detections for Git protocols.

Week 4 8. Run a control audit of vendor code paths. 9. Implement a disclosure playbook for code-theft scenarios. 10. Schedule a re-validation (scan + evidence bundle) and set it to run monthly.

Real-world snippets you can copy-paste today

Rotate GitHub tokens older than 90 days (gh CLI):

for u in $(gh api /orgs/your-org/members | jq -r '.[].login'); do echo "Check PATs for $u"; gh auth refresh -s write:org -h github.com || true done

OPA/Rego (IaC gate): disallow public runners on sensitive repos

package cicd.policy default allow = false allow { input.repo.sensitivity == "low" } deny[msg] { input.repo.sensitivity == "high" input.runner.public == true msg := "Public runners not allowed for high-sensitivity repos" }

GitHub Actions: block if provenance/signature missing

name: verify-provenance on: [workflow_run] jobs: verify: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - run: | test -f sbom.cdx.json || (echo "SBOM missing"; exit 1) cosign verify-blob --key cosign.pub dist/app.tar.gz

Internal links you should include

Blog index: https://www.pentesttesting.com/blog/

Risk Assessment Services (HIPAA/PCI/SOC2/ISO/GDPR): https://www.pentesttesting.com/risk-assessment-services/

Remediation Services (close gaps fast): https://www.pentesttesting.com/remediation-services/

Free Website Vulnerability Scanner: https://free.pentesttesting.com/

Further reading from our blog (add these inline where relevant):

7 Proven Continuous Threat Exposure Management Tactics (Oct 16, 2025) — practical CTEM controls.

CISA KEV Contextual Risk Prioritization Done Right (Oct 14, 2025).

Windows 10 End of Support 2025: Remediation Plan (Oct 12, 2025).

Android Security Bulletin October 2025: Fleet Triage (Oct 9, 2025).

PCI DSS 4.0: Your Post-March 31 Remediation Plan (Sept 18, 2025).

How we can help (shamelessly useful)

Run a vendor code-access audit mapped to OWASP ASVS and your compliance needs (HIPAA, PCI DSS 4.0, SOC 2, ISO 27001, GDPR).

Deliver a control-mapping matrix + evidence bundle and a prioritized remediation plan.

Include a free 30-day retest after fixes.

👉 Start here: Risk Assessment Services and Remediation Services.

TL;DR: CISA just added CVE-2025-10585 (a V8 type-confusion bug in Chromium) to the KEV catalog. The fix landed in Chrome 140.0.7339.185+ and later patch trains. If you ship Electron apps (which bundle Chromium), treat this as a ship-stopping risk: rebase to a build that includes the fix, hard-block outdated engines at runtime, and force auto-updates.

1) What KEV means + the new CVE-2025-10585 entry

KEV (Known Exploited Vulnerabilities) is CISA’s “actively exploited” list. When a CVE is added, patching isn’t optional—it’s urgent.

On Sept 23, 2025, CVE-2025-10585 (V8 type-confusion) hit KEV. The Chrome team shipped the fix in 140.0.7339.185/.186 and continued patching in 140.0.7339.207/.208.

Translation: any embedded Chromium below 140.0.7339.185 remains exposed to CVE-2025-10585.

Why it’s dangerous: Type-confusion bugs in V8 often enable remote code execution via crafted pages or embedded content—exactly the kind Electron apps render in BrowserWindows.

2) Why Electron teams must act now

Many desktop apps (Slack-style, IDEs, internal tools) bundle Chromium via Electron. Until Electron consumes a Chromium build ≥140.0.7339.185, your shipped app is behind the browser on security. Follow Electron’s upgrade guidance ASAP and do not ship new builds with an affected engine.

Action items for Electron maintainers:

Rebase to a fixed Electron/Chromium train as soon as it’s available.

Harden now (see code below): enforce auto-update, runtime engine checks, strict BrowserWindow defaults (nodeIntegration: false, contextIsolation: true), and Content Security Policy.

Operationally: invalidate old installers, block outdated app versions at startup, and add CI gates that fail if your engine is below the fixed build.

Free Website Vulnerability Scanner — Homepage

Screenshot of the free tools webpage where you can access security assessment tools.

3) Rollout plan checklist (practical + code)

A. Force auto-updates (electron-updater)

# install npm i -S electron-updater

// main.ts import { app, dialog } from 'electron' import { autoUpdater } from 'electron-updater' app.whenReady().then(() => { autoUpdater.autoDownload = true autoUpdater.autoInstallOnAppQuit = true autoUpdater.on('update-available', () => console.log('Update available…')) autoUpdater.on('update-downloaded', () => { dialog.showMessageBox({ type: 'info', buttons: ['Restart now'], title: 'Security update ready', message: 'A critical security update (fixes CVE-2025-10585) is ready.' }).then(() => autoUpdater.quitAndInstall()) }) autoUpdater.checkForUpdates().catch(console.error) })

Add to package.json (example) for publishing:

{ "build": { "publish": [{ "provider": "github" }], "win": { "target": "nsis" }, "mac": { "category": "public.app-category.developer-tools" } } }

B. Invalidate old installers (server-side 410)

Nginx snippet (example) to make old installers un-downloadable:

location ~* /downloads/myapp-([0-9]+\.[0-9]+\.[0-9]+)\.(exe|dmg|AppImage)$ { if ($1 ~* "^(0|1|2|3[0-9]\.|[0-9]{1,2}\.)") { # toy example, adapt your semver return 410; # Gone } try_files $uri =404; }

C. Runtime hard-block outdated Chromium

Detect the embedded Chromium at runtime and exit if below 140.0.7339.185 (the minimum fixed build for CVE-2025-10585).

// versionGate.ts import { app, dialog } from 'electron' function parse(build: string) { return build.split('.').map(n => parseInt(n, 10)) } function gte(a: string, b: string) { const A = parse(a), B = parse(b) for (let i = 0; i < Math.max(A.length, B.length); i++) { const x = A[i] || 0, y = B[i] || 0 if (x > y) return true if (x < y) return false } return true } export function enforceChromiumMin(min = '140.0.7339.185') { const chrome = process.versions.chrome // e.g., "140.0.7339.133" if (!chrome || !gte(chrome, min)) { dialog.showErrorBox( 'Update required', `This build bundles Chromium ${chrome || 'unknown'}, below ${min} (CVE-2025-10585). Please update.` ) app.quit() } }

// main.ts import { app, BrowserWindow } from 'electron' import { enforceChromiumMin } from './versionGate' app.whenReady().then(() => { enforceChromiumMin('140.0.7339.185') const win = new BrowserWindow({ webPreferences: { contextIsolation: true, nodeIntegration: false, sandbox: true } }) win.loadURL('https://app.example.local/') })

D. Lock down renderers (defense-in-depth)

// preload.ts import { contextBridge } from 'electron' contextBridge.exposeInMainWorld('api', { // expose only the minimal surface })

<!-- index.html --> <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; connect-src https://api.example.com;">

E. Block old app versions at launch (server-signaled “kill switch”)

// killSwitch.ts import https from 'https' export async function mustUpgrade(current: string): Promise<boolean> { // Your backend returns { minVersion: "1.24.3" } const data = await fetchJSON('https://updates.example.com/min.json') return !semverGte(current, data.minVersion) } function semverGte(a: string, b: string) { const pa = a.split('.').map(Number), pb = b.split('.').map(Number) for (let i = 0; i < 3; i++) { if (pa[i] !== pb[i]) return pa[i] > pb[i] } return true } function fetchJSON(url: string) { return new Promise<any>((resolve, reject) => { https.get(url, res => { const chunks: Buffer[] = [] res.on('data', c => chunks.push(c)) res.on('end', () => resolve(JSON.parse(Buffer.concat(chunks).toString('utf8')))) }).on('error', reject) }) }

4) Verification: prove your engine is fixed (≥ 140.0.7339.185)

A. CI gate that fails if Chromium < fixed build

# .github/workflows/engine-guard.yml name: engine-guard on: [push, pull_request] jobs: guard: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: { node-version: 22 } - run: npm ci - run: node -e "const v=require('child_process').execSync('node -p process.versions.chrome').toString().trim(); function p(s){return s.split('.').map(Number)}; const a=p(v), b=p('140.0.7339.185'); let ok=true; for(let i=0;i<4;i++){ if((a[i]||0)>(b[i]||0)){ok=true;break} if((a[i]||0)<(b[i]||0)){ok=false;break}} if(!ok){console.error('Chromium '+v+' < 140.0.7339.185 (CVE-2025-10585)'); process.exit(1)} else {console.log('OK Chromium '+v)}"

Tip: this works in Electron CI if you run scripts with Electron’s Node (e.g., electron -e or process.versions.chrome surfaced via a tiny Node script in your repo). If you build on CI, you can also parse the Electron release metadata your build uses.

B. SCA “diff” to confirm you hopped trains

Simple check to assert your Electron bump actually advanced Chromium:

# scripts/verify-chromium.sh set -euo pipefail CURRENT=$(node -p "process.versions.chrome||''") REQUIRED="140.0.7339.185" node - <<'JS' function gte(a,b){a=a.split('.').map(Number);b=b.split('.').map(Number);for(let i=0;i<4;i++){if((a[i]||0)>(b[i]||0))return true;if((a[i]||0)<(b[i]||0))return false}return true} const cur=process.env.CURRENT, req=process.env.REQUIRED if(!cur) { console.error('No embedded Chromium detected'); process.exit(2) } if(!gte(cur, req)) { console.error(`FAIL: Chromium ${cur} < ${req} (CVE-2025-10585)`); process.exit(1) } console.log(`PASS: Chromium ${cur} >= ${req}`) JS

Run it post-build; fail the pipeline if not on a fixed engine.

5) Extra hardening (because defense-in-depth)

Disable Node in renderers (nodeIntegration: false), enable isolation (contextIsolation: true), use sandbox: true.

Only load trusted content (file:// or your own HTTPS origin).

CSP everywhere.

Protocol filters: validate custom:// and file:// handlers.

Update cadence: align your Electron train with Chromium’s stable channel. Don’t lag multiple minors behind—especially with KEV-listed bugs like CVE-2025-10585.

Sample Scan Report — Check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Helpful follow-ups from our blog (internal reading)

Android Security Bulletin September 2025: Patch Fleet Now — triage & rollout tactics you can reuse for desktop engines.

CISA KEV Adds CVE-2025-5086: What You Must Do — our quick KEV playbook for leadership.

PCI DSS 4.0: Your Post-March 31 Remediation Plan — compliance-friendly change control for high-velocity patching.

Need help closing gaps fast?

Risk Assessment Services — map CVE-2025-10585 exposure across products and pipelines: 👉 https://www.pentesttesting.com/risk-assessment-services/

Remediation Services — from upgrade plans to hardening and CI gates: 👉 https://www.pentesttesting.com/remediation-services/

Free Website Vulnerability Scanner — quick external checks before every release: 👉 https://free.pentesttesting.com/

Pentest Testing Corp. (home) — who we are & how we work: 👉 https://www.pentesttesting.com/

Questions? [email protected]

Final checklist for your release notes

Mention CVE-2025-10585 explicitly.

State the Chromium build you ship (e.g., Chromium 140.0.7339.208).

Add the runtime gate + auto-update notes.

TL;DR — your first 60 minutes

Reset MySonicWall credentials org-wide and enforce MFA.

Rotate firewall-stored secrets (admin passwords, VPN PSKs, API tokens, directory binds).

Audit objects, NAT, ACLs, and VPN rules; remove stale accounts.

Restrict SSLVPN/“Virtual Office” by source IP or disable if not needed.

Establish a clean baseline config and start change tracking.

What happened (and why config leaks matter)

Attackers obtained access to some cloud-stored firewall configuration backups linked to customer accounts. Even if credentials inside are encrypted, these files often reveal topology, address objects, NAT flows, and VPN peers—a reconnaissance goldmine that helps adversaries target your perimeter and identity infrastructure faster.

Immediate actions (do these today)

Reset MySonicWall credentials & enforce MFA Ensure unique, strong passwords for all admins; require MFA for cloud and device logins.

Rotate every secret referenced in configs

Admin passwords and local user creds

IPSec/IKE preshared keys and SSLVPN secrets

LDAP/RADIUS/TACACS binds, SNMP communities

API tokens used by orchestration/monitoring tools

Prune and tighten configuration

Remove unused address objects, groups, service objects, and stale admin accounts.

Review NAT and ACL rules for over-permissive entries.

Validate VPN peers, subnets, and split-tunnel scopes.

Export and sign a known-good baseline; enable change logging.

Reduce SSLVPN/Virtual Office attack surface

Allow-list trusted source IPs and countries where practical.

Require MFA for all remote access.

Disable web login for accounts that don’t need it; disable SSLVPN temporarily while rotating secrets if risk is high.

Hardening against follow-on ransomware (next 24–72 hours)

Patch firewalls, SMA/SSLVPN, and related edge components promptly.

Enforce MFA across admin portals, VPN, and any SSO path; remove shared or dormant accounts.

Segment: ensure VPN user networks can’t directly reach management or backup networks.

Monitor edge auth for anomalies: failed bursts, new geos, off-hours logins, rapid config changes.

Backups & recovery: verify offline, immutable backups of critical infra; test rapid restore for domain controllers and file servers.

Validate the fix (prove you’re safe)

External exposure scan: confirm what the internet sees after changes (portals, versions, banners).

Config drift checks: compare today’s baseline vs. yesterday’s; alert on object/rule/VPN changes.

Targeted attack simulations: rehearse credential-stuffing against VPN, lateral movement from a “VPN user” start, and rapid-encrypt attempts to validate EDR and response.

Helpful screenshots

Screenshot of your Free Website Vulnerability Scanner

Run a quick external snapshot while secrets are rotating—catch obvious web exposures before re-opening remote access.”

Sample report by the tool to check Website Vulnerability

Example findings to remediate before re-exposing services: weak headers, leaked files, and outdated components.

Implementation checklist (copy/paste to your ticketing system)

Accounts & auth

Reset all MySonicWall passwords; MFA enforced

Rotate admin creds on every firewall

Rotate IPSec/IKE PSKs, SSLVPN secrets, directory binds, SNMP, API tokens

Config hygiene

Export & sign a known-good baseline

Remove stale objects/users/groups

Tighten NAT/ACL rules to least privilege

Restrict SSLVPN/Virtual Office by source IP; disable if unused

Patching & monitoring

Apply latest firmware/patches to firewalls and SMA/SSLVPN

Alert on abnormal VPN logins, geo anomalies, and after-hours config changes

Add EDR rules/playbooks for edge-borne ransomware TTPs

Validation

External scan of portals/services

Drift detection enabled and reviewed

Attack simulations executed with documented results

Related Resources

Build a risk-prioritized mitigation plan → Risk Assessment Services

Need hands-on fixes and evidence? → Remediation Services

Keep learning with our latest guides → Pentest Testing Blog

Quick exposure snapshot → Free Website Vulnerability Scanner

Partner site for more security reads → CyberSrely

Why this matters (and where to start)

Windows 10 is nearing the end of support, so every week counts. This fast, repeatable plan helps you find every device, rank risk, harden immediately, and migrate with confidence. For deeper reading, see our blog: https://www.pentesttesting.com/blog/

Days 1–7: Inventory every Windows 10 device

Grab make/model, OS build, RAM/TPM, encryption, last boot, and installed apps.

PowerShell — export an environment snapshot

Get-CimInstance Win32_OperatingSystem,Win32_ComputerSystem | Select-Object CSName, @{n="OS";e={$_.Caption}}, @{n="Build";e={$_.BuildNumber}}, @{n="RAMGB";e={[math]::Round($_.TotalVisibleMemorySize/1MB,1)}} | Export-Csv .\win10_inventory.csv -NoTypeInformation

Apps per host (quick view)

Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName, DisplayVersion, Publisher | Sort DisplayName

Days 8–14: Prioritize & harden

Score risk: internet-facing, privileged users, missing patches, sensitive data.

Showcase your quick wins: Screenshot of our free Website Vulnerability Scanner UI

Screenshot of the free tools webpage where you can access security assessment tools.

Defender + attack surface rules (pragmatic defaults)

Add-MpPreference -AttackSurfaceReductionRules_Actions Enabled ` -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A, 3B576869-A4EC-4529-8536-B80A7769E899 Update-MpSignature; Start-MpScan -ScanType QuickScan

Firewall sanity (block inbound except needed)

netsh advfirewall set allprofiles state on netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389

Days 15–21: App & data readiness

Map what can upgrade in-place vs. needs rebuild. Tag blockers (drivers, legacy apps).

Simple readiness tagging from your CSV

import csv rows=[] with open('win10_inventory.csv') as f: for r in csv.DictReader(f): r['Ready']= 'Yes' if int(r['RAMGB'])>=8 else 'No' rows.append(r) [ (r['CSName'], r['Ready']) for r in rows ]

BitLocker check (must not lose keys)

(Get-BitLockerVolume -MountPoint C).ProtectionStatus

Days 22–30: Migrate with confidence

Use in-place upgrade for “Ready=Yes”; reimage the rest with a hardened baseline.

Kick an in-place upgrade (silent/rollback)

Start-Process ".\setup.exe" -ArgumentList "/auto upgrade /quiet /compat IgnoreWarning /dynamicupdate enable /telemetry disable" -Wait

Validate with a second pass: Sample Assessment Report by our free tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Keep scanning while you move

Run an external scan with our free Website Security Checker to catch exposed panels, weak TLS, and headers while endpoints shift: https://free.pentesttesting.com/ Stay updated: Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713

Services you can tap next

Managed IT Services: lifecycle patching, backup, endpoint baselines https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity: secure AI apps & pipelines https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients: white-label delivery https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Compliance & Risk (HIPAA, PCI DSS, SOC 2, ISO 27001, GDPR): Risk: https://www.pentesttesting.com/risk-assessment-services/ Remediation: https://www.pentesttesting.com/remediation-services/

Quick checklist

Inventory exported and owners assigned

Top 10 risks fixed (ASR, firewall, admin pruning)

Readiness tagged; backups tested

Pilot upgrade done; rollback path verified

Second scan clean; docs filed for audit

Why this matters

On October 14, 2025, Windows 10 reaches the end of support: no more security or feature updates, and no Microsoft tech support. Your PC will still run, but the risk rises unless you upgrade or enroll in ESU.

What actually stops?

Security & feature updates + Microsoft support stop for Windows 10.

Extended Security Updates (ESU) can keep critical/important patches flowing after EOS (no features/support). Options include free enrollment via Windows Backup or Microsoft Rewards, or $30 USD for individuals; commercial ESU starts at $61/device (year 1).

Microsoft 365 Apps: will continue receiving security updates on Windows 10 through Oct 10, 2028 (feature updates through Aug 2026), easing migration.

Microsoft Defender Antivirus will keep getting Security Intelligence updates through 2028 on Windows 10.

Quick checks (with code)

1) Inventory Windows 10 and flag pre-22H2 devices (PowerShell)

$os = Get-CimInstance Win32_OperatingSystem $ver = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").DisplayVersion [pscustomobject]@{ PC = $env:COMPUTERNAME; Caption = $os.Caption; Version = $os.Version Build = $os.BuildNumber; DisplayVersion = $ver } | Export-Csv .\win10_inventory.csv -NoTypeInformation if ($os.Caption -like "*Windows 10*" -and $ver -ne "22H2") { Write-Warning "Upgrade to Windows 10 22H2 before ESU." }

(Why? ESU enrollment targets supported builds; 22H2 is the final Windows 10 release.)

Screenshot of our Website Vulnerability Scanner homepage.

Screenshot of the free tools webpage where you can access security assessment tools.

2) Find Windows 10 endpoints in Microsoft Defender (KQL)

DeviceInfo | where OSVersion startswith "10.0" | project DeviceName, OSVersion, DeviceId

Run in Advanced Hunting to list Windows 10 devices needing action.

3) Check Windows 11 readiness signals (PowerShell)

$tpm = Get-CimInstance -ClassName Win32_Tpm -ErrorAction SilentlyContinue "TPM Present: " + [bool]$tpm try { "Secure Boot: " + (Confirm-SecureBootUEFI) } catch { "Secure Boot: Not supported/disabled" }

Helpful to scope upgrades vs. ESU bridging.

Sample Report by our free tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Free Endpoint Risk Check

Need a Windows 10 → 11 migration or endpoint audit? Book a consult via our Managed IT Services.

Migration paths

Upgrade to Windows 11 for security-by-default and ongoing support.

Bridge with ESU (limited-time) to buy planning time; remember this does not add features or support.

Services to make this painless

Managed IT Services → https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity → https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients (partner program) → https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Learn more & subscribe

Deep dives on our blog: https://www.pentesttesting.com/blog/

React itself doesn’t parse XML entities, but many React apps send XML to backends (file uploads, SVG, SOAP/SSO, legacy feeds). If the server (or a client-side helper) parses XML with external entities enabled, an attacker can read local files or make SSRF calls—classic XXE (XML External Entity) Injection.

Explore more AppSec posts on our blog: https://www.pentesttesting.com/blog/

Quick Attack Demo (Malicious XML)

<?xml version="1.0"?> <!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <data>&xxe;</data>

If your parser expands entities, the response may leak sensitive files.

Typical React Flow (Don’t Rely on Client-Side Filtering)

// React: upload XML and send to API function XmlUploader() { const onChange = async (e) => { const xml = await e.target.files[0].text(); await fetch("/api/upload-xml", { method: "POST", headers: { "Content-Type": "application/xml" }, body: xml }); }; return <input type="file" accept=".xml" onChange={onChange} />; }

This is convenient—but security lives on the server. Client checks are bypassable.

Insecure vs. Safer Parsing (Node.js)

Insecure (illustrative): using a parser that resolves DTD/entities by default.

// BAD: expands external entities (example only) const xml = req.body; // raw XML const doc = unsafeXmlParse(xml); // expands &xxe - > file/URL fetch

Safer: prefer a parser that does not support DTD/XXE (e.g., fast-xml-parser) and validate input.

import { XMLParser } from "fast-xml-parser"; app.post("/api/upload-xml", express.text({ type: "application/xml", limit: "200kb" }), (req, res) => { const xml = req.body; // Reject if XML declares DTD or entities if (/<!DOCTYPE|<!ENTITY/i.test(xml)) return res.status(400).send("DTD not allowed"); const parser = new XMLParser({ ignoreAttributes: false, processEntities: false, // keep entities literal allowBooleanAttributes: true }); try { const json = parser.parse(xml); return res.json({ ok: true, parsed: json }); } catch { return res.status(400).send("Invalid XML"); } });

Hardening tips: disable DTD, refuse external entities, set strict Content-Type, cap size, timeouts, and outbound egress; prefer JSON over XML when possible.

Screenshot of our free Website Vulnerability Scanner

Screenshot of the free tools webpage where you can access security assessment tools.

Detection & Testing

Fuzz uploads/APIs with DTD payloads.

Inspect parser settings.

Scan your site for misconfigs and exposures using our free tool: https://free.pentesttesting.com/

Sample report from our free tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Managed IT Services (New)

Need patching, monitoring, and response built-in? We do that. https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity

Threat-model LLM features, secure prompts, and guardrails for AI apps. https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients

Agencies/MSPs: white-label audits, reports, and retainer services. https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Stay updated: Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713

Server-Side Request Forgery (SSRF) isn’t a React bug—it’s a backend flaw often triggered by frontend inputs. React/Next.js apps commonly expose a “proxy” or “fetcher” API that fetches URLs on behalf of the client. If that endpoint trusts user-supplied URLs, attackers can hit internal services (e.g., 169.254.169.254, localhost, VPC hosts) and exfiltrate secrets.

Visit our blog for more security guides: Pentest Testing Blog

How SSRF Sneaks In (Vulnerable Pattern)

Express proxy example (don’t use):

// /api/fetch?url=https://example.com app.get('/api/fetch', async (req, res) => { const url = req.query.url; // ❌ user controls target const r = await fetch(url); // ❌ unvalidated fetch res.status(200).send(await r.text()); });

An attacker sets url=http://169.254.169.254/latest/meta-data/ to read cloud metadata.

Safer Backend: Validate + Restrict Egress

Minimal allowlist + robust parsing:

import {parse} from 'url'; const ALLOW_HOSTS = new Set(['api.example.com','cdn.example.com']); app.get('/api/fetch', async (req, res) => { const u = parse(String(req.query.url || ''), true, true); if (!u.protocol?.startsWith('http')) return res.status(400).send('Bad URL'); if (!u.hostname || !ALLOW_HOSTS.has(u.hostname)) return res.status(403).send('Blocked'); const r = await fetch(`${u.protocol}//${u.host}${u.path}`, { method:'GET' }); res.type('text/plain').send(await r.text()); });

Tips

Use an allowlist of domains, never a blocklist.

Normalize/parse URLs; reject IP literals, redirects, and non-HTTP(S).

Force GET or specific verbs; strip headers; set short timeouts.

Next.js API Route Hardening

// /pages/api/fetch.ts import type { NextApiRequest, NextApiResponse } from 'next'; const ALLOW = ['api.example.com']; export default async function handler(req: NextApiRequest, res: NextApiResponse) { const url = new URL(String(req.query.url || ''), 'http://dummy'); if (!['http:', 'https:'].includes(url.protocol)) return res.status(400).end(); if (!ALLOW.includes(url.hostname)) return res.status(403).end(); const r = await fetch(url.toString(), { method: 'GET' }); res.status(200).send(await r.text()); }

React Side: Don’t Let Users Choose Targets

Frontend code should never let users input arbitrary URLs for the server to fetch. Prefer selecting from predefined options:

// Good: user chooses a key, server maps to a safe URL on the backend const targets = [{key:'status', label:'Status'}]; fetch(`/api/fetch?key=status`);

Test Your Site (Free)

Run a quick scan to surface misconfigurations and risky endpoints: Try our Free Website Vulnerability Scanner

Screenshot of the Website Vulnerability Scanner homepage

Screenshot of the free tools webpage where you can access security assessment tools.

After scanning, review the findings and prioritize SSRF/proxy fixes.

Sample report by our free tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Practical Monitoring & Detection

Log outbound requests with destination host/IP and requester.

Alert on calls to link-local, RFC1918, or unexpected internal hosts.

Pin egress through a controlled proxy; deny private ranges by default.

Managed IT Services (New)

Need hands-on help hardening servers, CI/CD, and egress rules? Explore our Managed IT Services for ongoing protection and response.

AI Application Cybersecurity

Building LLM or AI-driven features? Lock down model plugins, webhooks, and data exfil paths with our AI Application Cybersecurity program.

Offer Cybersecurity to Your Clients

Agencies/MSPs can resell our audits and scanning under your brand. Learn more: Offer Cybersecurity Service to Your Client

Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713

Modern React runs in the browser, so raw “RCE” on a user’s machine isn’t typical. But React projects can still trigger remote code execution via XSS that escalates in Electron/SSR, malicious npm scripts, or unsafe backend code that your frontend calls. Below are concise, copy-pasteable fixes—and a quick way to check your site with our Free Website Vulnerability Scanner.

Visit our blog for more tips: https://www.pentesttesting.com/blog/

1) XSS → RCE in Electron/SSR pipelines

Avoid injecting HTML. This is vulnerable:

// ❌ Vulnerable function Bio({ htmlFromUser }) { return <div dangerouslySetInnerHTML={{ __html: htmlFromUser }} />; }

Sanitize or render as text:

// ✅ Safer: sanitize before inject import DOMPurify from 'dompurify'; function Bio({ htmlFromUser }) { const clean = DOMPurify.sanitize(htmlFromUser, { USE_PROFILES: { html: true }}); return <div dangerouslySetInnerHTML={{ __html: clean }} />; } // ✅ Safest: no HTML injection at all function BioSafe({ text }) { return <p>{text}</p>; }

Screenshot of our Website Vulnerability Scanner tool page

Screenshot of the free tools webpage where you can access security assessment tools.

2) npm supply-chain → developer/CI RCE

Watch for risky scripts or unknown deps.

{ "scripts": { "postinstall": "node scripts/setup.js" }, "dependencies": { "some-unknown-lib": "^1.0.0" } }

Harden:

Pin & lock: npm ci in CI.

Block scripts in CI: npm ci --ignore-scripts.

Use 2FA, audit regularly: npm audit fix --omit=dev.

Allowlist registries; review maintainers for new deps.

3) Backend helpers called by React

RCE often lives server-side. Never evaluate user input.

// ❌ Vulnerable (Node/Express) app.post('/run', (req, res) => { const { code } = req.body; // from client 🤯 const output = eval(code); // RCE res.json({ output }); }); // ✅ Safe alternative const ALLOWED = { ping: () => 'pong' }; app.post('/run', (req, res) => { const { action } = req.body; if (!ALLOWED[action]) return res.status(400).end(); res.json({ output: ALLOWED[action]() }); });

Add basic headers:

// Helmet for sane defaults import helmet from 'helmet'; app.use(helmet());

Quick React RCE Prevention Checklist

No dangerouslySetInnerHTML without strict sanitization.

Strict CSP & SRI for third-party scripts.

Lockfiles, --ignore-scripts in CI, periodic audits.

Treat server as the blast radius; validate & whitelist.

Run a fast public scan before releases.

Sample assessment report by our tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Try it now: https://free.pentesttesting.com/

Services to Strengthen Your Stack

Managed IT Services Proactive monitoring, patching, and response tailored for engineering teams. https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity Threat modeling & red-teaming for LLMs, prompt injection, data leakage. https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients White-label assessments and reports you can resell. https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Stay Updated

Why Broken Access Control Hits React Apps

Broken Access Control (BAC) happens when users can access pages or actions they shouldn’t—think non-admins opening admin panels or reading another user’s data. React is client-side, so never trust the UI alone. Enforce on the server and verify in the browser.

Anti-Pattern: Hiding UI ≠ Security

If you only hide buttons, determined users can still call your APIs.

// ❌ Anti-pattern {user.role !== 'admin' ? null : <button onClick={deleteAnyUser}>Delete User</button>}

Anyone can hit the endpoint directly. We must guard both the route and the API.

Step 1: Protect Routes (React Router v6)

Create a reusable gate that checks auth/roles before rendering.

// ProtectedRoute.jsx import { Navigate, Outlet } from "react-router-dom"; export default function ProtectedRoute({ user, allow = [] }) { if (!user) return <Navigate to="/login" replace />; if (allow.length && !allow.includes(user.role)) return <Navigate to="/403" replace />; return <Outlet />; }

Use it in your router:

// App.jsx <Route element={<ProtectedRoute user={user} allow={['admin']} />}> <Route path="/admin" element={<AdminPage />} /> </Route>

Screenshot of our Free Website Vulnerability Scanner homepage

Screenshot of the free tools webpage where you can access security assessment tools.

Visit https://free.pentesttesting.com/ to scan your site and uncover access control gaps.

Sample Report from the tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Step 2: Enforce on the Server (Express)

Even with protected routes, the server is the final bouncer.

// server/authz.js export function requireRole(...roles) { return (req, res, next) => { if (!req.user) return res.status(401).json({ msg: "Login required" }); if (roles.length && !roles.includes(req.user.role)) { return res.status(403).json({ msg: "Forbidden" }); } next(); }; }

Apply to sensitive endpoints:

// server/routes.js app.delete("/api/users/:id", requireRole("admin"), (req, res) => { // Only admins can delete users });

Step 3: Ownership Checks (IDOR Defense)

Don’t let users read others’ data (classic BAC/IDOR).

// server/ownership.js app.get("/api/orders/:orderId", (req, res) => { const order = db.orders.find(o => o.id === req.params.orderId); if (!order) return res.status(404).end(); if (order.userId !== req.user.id && req.user.role !== "admin") return res.status(403).end(); res.json(order); });

In React, do not trust route params alone:

// Orders.jsx // ✅ The server enforces ownership; client just handles responses const res = await fetch(`/api/orders/${orderId}`, { credentials: "include" }); if (res.status === 403) setError("You don't have access to this order.");

Step 4: Defense-in-Depth Tips

Put role/permissions in JWT claims, but validate server-side.

Prefer allow-lists over block-lists for routes/actions.

Return 403 for forbidden and 404 for non-discoverable resources.

Log denied attempts for detection and response.

Regularly scan your site: https://free.pentesttesting.com/

Quick Checklist (Copy/Paste)

[ ] ProtectedRoute for auth + roles

[ ] Server middleware requireRole()

[ ] Ownership checks (userId === resource.userId)

[ ] Hide UI and block API

[ ] Automated scans & reviews

More Learning & Services

Read more on our blog: https://www.pentesttesting.com/blog/

Managed IT Services

Hardening, patching, monitoring, and rapid response for BAC and other risks. https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity

Secure LLM/AI features (prompt injection, authz bypass, data egress). https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients

Agencies/MSPs: resell our assessments and hardening with white-label support. https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Stay in the Loop

Security misconfiguration is a top cause of real-world breaches. In React apps, tiny defaults—left unchanged—can leak secrets, weaken browser defenses, or expose internals. Here’s a concise, code-heavy guide to spot and fix the usual suspects (fast).

1) Leaky .env & exposed secrets

In React (especially CRA/Vite), variables prefixed for the client end up in the bundle. Never place secrets here—store them server-side.

# ✅ frontend-safe only (non-secrets) REACT_APP_API_BASE=https://api.example.com # ❌ never do this # REACT_APP_STRIPE_SECRET=sk_live_... // src/api.js export const API = `${import.meta.env.VITE_API_BASE ?? process.env.REACT_APP_API_BASE}`;

Quick check: Build and search your bundle for sensitive strings before deploying.

2) Over-permissive CORS via “frontend fixes”

If your API accepts * or mirrors any Origin, attackers can abuse user sessions. Don’t “fix” CORS in React; fix it at the API.

// ❌ anti-pattern: trying to force CORS in the browser fetch(API + "/profile", { mode: "no-cors", credentials: "include" }); // ✅ rely on server CORS; frontend just calls it normally fetch(`${API}/profile`, { credentials: "include" });

3) Public source maps in production

Source maps aid debugging—but can leak internal paths, comments, or code structure.

# CRA export GENERATE_SOURCEMAP=false # Vite (vite.config.js) export default { build: { sourcemap: false } }

Quick check: Ensure *.map files aren’t publicly served.

4) Missing security headers when self-hosting

If you serve your React build via Node/Express, set solid headers:

// server.js import express from "express"; import helmet from "helmet"; const app = express(); app.use(helmet({ contentSecurityPolicy: false })); // add CSP separately below app.use(express.static("dist"));

5) Weak or absent CSP

Use a strict baseline and only relax as needed.

// App.jsx (React Helmet) import { Helmet } from "react-helmet"; export default function App() { return ( <> <Helmet> <meta httpEquiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://api.example.com; base-uri 'self'; frame-ancestors 'none'" /> <meta httpEquiv="X-Content-Type-Options" content="nosniff" /> <meta httpEquiv="Referrer-Policy" content="no-referrer" /> </Helmet> {/* ... */} </> ); }

6) Verbose errors in production

Hide stack traces and catch UI errors.

// ErrorBoundary.jsx export class ErrorBoundary extends React.Component { state = { hasError: false }; static getDerivedStateFromError() { return { hasError: true }; } componentDidCatch(err, info) { /* log to server */ } render() { return this.state.hasError ? <p>Something went wrong.</p> : this.props.children; } }

Screenshot of the free Website Vulnerability Scanner showing the scan form.

Screenshot of the free tools webpage where you can access security assessment tools.

Run an instant external check on your site: https://free.pentesttesting.com/ Read more practical write-ups: https://www.pentesttesting.com/blog/

Sample Assessment Report generated by the free tool to check Website Vulnerability.

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Quick Wins Checklist

No secrets in .env bundles ✅

API sets strict CORS (no *) ✅

Source maps disabled in prod ✅

Security headers + CSP enabled ✅

Graceful error boundaries ✅

Need hands-on help?

Managed IT Services: end-to-end ops & hardening — https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity: secure LLM & AI workflows — https://www.pentesttesting.com/ai-application-cybersecurity/

Partner Program for Agencies: resell/white-label — https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Why Sensitive Data Leaks in React

React apps run in the browser, so anything shipped in your bundle is public. Common leak paths:

Hardcoded secrets in components

Storing tokens in localStorage/sessionStorage

Verbose logs and error pages

Misconfigured build pipelines exposing .env values

Over-permissive CORS and missing CSP

Explore more security topics on our blog: Pentest Testing Corp — Blog

Bad vs Good: Secrets in Components

❌ Bad (hardcoded key — instantly public):

// ProductList.jsx const API_KEY = "sk_live_123456"; // ❌ leaked fetch(`https://api.example.com/items?key=${API_KEY}`) .then(r => r.json()) .then(setItems);

✅ Good (proxy via backend):

// ProductList.jsx fetch("/api/items") // no secret in client .then(r => r.json()) .then(setItems); // server.js (Node/Express) app.get("/api/items", async (req, res) => { const r = await fetch("https://api.example.com/items", { headers: { Authorization: `Bearer ${process.env.API_KEY}` } }); res.json(await r.json()); });

Don’t Store Tokens in Web Storage

❌ Bad (XSS can steal it):

localStorage.setItem("jwt", token);

✅ Better (HTTP-only, Secure cookie set by server):

// server.js res.cookie("session", jwt, { httpOnly: true, secure: true, sameSite: "Lax", maxAge: 3600_000 }).sendStatus(204);

Client requests automatically include the cookie; no JS access needed.

Free Website Vulnerability Scanner | Pentest Testing Corp

Screenshot of the free tools webpage where you can access security assessment tools.

Sample Assessment report to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Keep .env Values Off the Client

Build tools replace process.env.* at build time. Anything injected becomes public.

✅ Server-only secret and client-safe config:

# .env (server only) API_KEY=sk_live_server_only PUBLIC_API_BASE=/api # safe to expose // server.js app.get("/api/config", (_req, res) => { res.json({ base: "/api", features: ["search"] }); // no secrets });

✅ Git hygiene:

.env .env.*

Redact Logs & Errors

❌ Bad:

console.error("Payment failed", { token, cardNumber }); // leaks PII

✅ Good:

const redact = v => String(v).replace(/\w/g, "•"); console.error("Payment failed", { token: redact(token) });

Lock Down the Browser Surface

Content Security Policy (mitigates data-exfil via XSS):

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; connect-src 'self' https://api.example.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none'">

CORS (server side, narrow origins only):

app.use(cors({ origin: ["https://yourapp.com"], credentials: true }));

Quick Checklist

No API keys in React source or envs bundled to the client

Tokens in HTTP-only cookies, not localStorage

Minimal logs; redact sensitive fields

Strict CSP & CORS; dependency updates reviewed

Run an external scan after each release

Scan now: Free Website Security Scanner

Managed Help & Advanced Services

Need IT stability + security? See our Managed IT Services.

Building with AI? Lock it down with AI Application Cybersecurity.

Agencies/MSPs: White-label with Offer Cybersecurity Service to Your Client.

Broken authentication is a top cause of account takeover in single-page apps. In React, small client-side mistakes—like where you store tokens or how you guard routes—can snowball into real risk. This guide shows what breaks, how to fix them fast, and how to validate your site with our free scanner.

How Broken Auth Happens in React

Tokens in localStorage (easy to steal via XSS).

Weak JWT handling (no rotation/expiry check).

Cookie auth without CSRF protection.

Unguarded routes exposing sensitive pages.

Sloppy password reset flows.

No MFA step-up for risky logins.

Screenshot of our free Website Vulnerability Scanner homepage

Screenshot of the free tools webpage where you can access security assessment tools.

Secure Patterns (with code)

1) Don’t store tokens in localStorage

Bad

// token persists and is readable by JS localStorage.setItem("token", jwt);

Good (cookie + CSRF)

// server sets httpOnly, Secure, SameSite=Strict cookie // include CSRF header from meta tag or server-provided value fetch("/api/login", { method: "POST", credentials: "include", headers: { "X-CSRF-Token": window.csrf }, body: JSON.stringify({ email, password }) });

2) Guard private routes (React Router v6)

import { Navigate, Outlet } from "react-router-dom"; const Private = ({ user }) => user?.sessionValid ? <Outlet/> : <Navigate to="/login" replace />;

3) Throttle login UI (plus server rate-limit)

let last = 0; const tryLogin = () => { const now = Date.now(); if (now - last < 3000) return; // simple client throttle last = now; doLogin(); };

4) Handle password-reset tokens safely

// Never log or store reset tokens client-side const token = new URLSearchParams(location.search).get("t") || ""; await fetch("/api/reset", { method: "POST", credentials: "include", headers: { "Content-Type":"application/json", "X-CSRF-Token": window.csrf }, body: JSON.stringify({ token, newPassword }) });

5) Add MFA step-up when required

if (resp.mfaRequired) setStage("mfa"); const submitOtp = code => fetch("/api/verify-otp", { method:"POST", credentials:"include", headers:{ "Content-Type":"application/json","X-CSRF- Token":window.csrf }, body: JSON.stringify({ code }) });

Sample Assessment Report by our free tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Quick Checklist

Use httpOnly cookies + SameSite=Strict, rotate tokens, short TTLs.

Protect all sensitive routes; verify session freshness.

Enforce server-side rate limiting & IP/device risk scoring.

Require MFA for high-risk events (new device, admin actions).

Validate with our free scanner: https://free.pentesttesting.com/

Read deeper tutorials: https://www.pentesttesting.com/blog/

Services You Can Leverage

Managed IT Services

Harden identity, endpoints, and M365 with proven controls. https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity

Threat-model and test AI features (prompt/LLM risks, data leakage). https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients

White-label pentesting & compliance to expand your revenue. https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Stay Updated

IDOR happens when a user can access someone else’s data just by changing an ID in the URL or request. React alone can’t prevent it—your API must enforce authorization. Here’s how to spot and fix it fast.

A quick vulnerable pattern (don’t do this)

// ❌ IDOR: anyone can load /api/users/42 useEffect(() => { fetch(`/api/users/${params.id}`) .then(r => r.json()) .then(setUser); }, [params.id]);

If an attacker switches params.id to another user’s ID, they may see private data.

Safer client pattern

// ✅ Ask backend for *current* user, not an arbitrary ID useEffect(() => { fetch('/api/me', { credentials: 'include' }) .then(r => r.json()) .then(setUser); }, []);

Pair this with strict server checks (below). Also hide direct IDs in the UI and avoid relying on client-side checks.

Mandatory server-side authorization

// ✅ Enforce ownership on the server (Node/Express example) app.get('/api/users/:id', auth, async (req, res) => { if (req.user.id !== req.params.id && !req.user.isAdmin) { return res.status(403).json({ error: 'Forbidden' }); } const user = await db.users.findById(req.params.id); res.json(sanitize(user)); });

Rules of thumb: never trust client-supplied IDs, always verify resource ownership, and return only the fields the caller is allowed to see.

GraphQL note

# ❌ Insecure: lets callers query arbitrary users by id user(id: ID!): User # ✅ Safer: resolve from auth context me: User

Batch & list endpoints

// ✅ Filter by owner on the server app.get('/api/orders', auth, async (req, res) => { const orders = await db.orders.findMany({ ownerId: req.user.id }); res.json(orders.map(sanitize)); });

Screenshot — Free Website Vulnerability Scanner

Screenshot of the free tools webpage where you can access security assessment tools.

Sample report by the tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Test your app now (free)

Before you ship, scan your site with our Free Website Security Scanner: https://free.pentesttesting.com/ Want more deep dives? Browse our blog: https://www.pentesttesting.com/blog/

Managed IT Services

Scale securely with 24/7 monitoring, patching, and incident response. https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity

Threat modeling, secure ML pipelines, and red teaming for AI apps. https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity Service to Your Client

White-label/partner options to add security services to your portfolio. https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

Subscribe for updates

Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713

Final checklist

Replace vulnerable ID fetches with context-aware endpoints (/api/me).

Enforce authorization on every resource server-side.

Return only permitted fields; log and alert on access denials.

Why CSRF Still Breaks Modern SPAs

Cross-Site Request Forgery (CSRF) tricks a user’s browser into sending authenticated requests to your API without consent. React doesn’t automatically protect you—your API and cookie strategy must.

Goals:

Send a CSRF token with every state-changing request.

Verify that token server-side.

Lock down cookies (HttpOnly, Secure, SameSite).

Minimal Controls You Should Enable

SameSite cookies (Lax or Strict) to block most cross-site requests.

CSRF token (per session or per request).

Custom header (e.g., X-CSRF-Token) that browsers don’t add automatically.

CORS + Credentials only when necessary, and scope origins tightly.

Server: Issue Token + Verify (Express)

// server/csrf.js import crypto from "crypto"; import express from "express"; const app = express(); app.use(express.json()); // issue token cookie (double-submit pattern) app.get("/csrf-token", (req, res) => { const token = crypto.randomBytes(32).toString("hex"); // session cookie (HttpOnly) + token cookie (readable by JS) res.cookie("sessionId", "abc123", { httpOnly: true, secure: true, sameSite: "Lax" }); res.cookie("csrfToken", token, { httpOnly: false, secure: true, sameSite: "Lax" }); res.json({ ok: true }); }); // verify on protected routes function verifyCsrf(req, res, next) { const header = req.get("X-CSRF-Token"); const cookie = req.cookies?.csrfToken; if (!header || !cookie || header !== cookie) return res.status(403).json({ error: "CSRF" }); next(); } app.post("/profile", verifyCsrf, (req, res) => res.json({ updated: true }));

React: Attach Token Automatically (fetch)

// src/api.js export async function api(url, options = {}) { const csrf = document.cookie.split("; ").find(c => c.startsWith("csrfToken="))?.split("=")[1]; const headers = { ...(options.headers || {}), "X-CSRF-Token": csrf || "" }; const res = await fetch(url, { credentials: "include", ...options, headers }); if (!res.ok) throw new Error(`HTTP ${res.status}`); return res.json(); }

Screenshot of our free Website Vulnerability Scanner homepage

Screenshot of the free tools webpage where you can access security assessment tools.

React: Axios Interceptor (alternative)

// src/axios.js import axios from "axios"; const api = axios.create({ withCredentials: true }); api.interceptors.request.use(cfg => { const csrf = document.cookie.split("; ").find(c => c.startsWith("csrfToken="))?.split("=")[1]; cfg.headers["X-CSRF-Token"] = csrf || ""; return cfg; }); export default api;

Harden Cookies (Node/Express)

res.cookie("sessionId", sid, { httpOnly: true, secure: true, // true in HTTPS sameSite: "Lax", // consider "Strict" if UX allows path: "/", });

Sample report generated by your free tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

Quick Test Flow

GET /csrf-token to receive sessionId + csrfToken cookies.

Make a POST via api("/profile", { method:"POST", body: JSON.stringify(data) }).

Server compares header vs. cookie → blocks forged requests.

Bonus Tips

Rotate token on login and significant privilege changes.

Deny Content-Type: text/plain bypasses by requiring JSON and checking headers.

Prefer SameSite=Lax (or Strict if your flows permit).

For multi-origin apps, pin CORS origin and require credentials.

Keep Learning

Read more on our blog: https://www.pentesttesting.com/blog/

Scan your site free: https://free.pentesttesting.com/

Our Services

Managed IT Services

Reliable uptime, patching, monitoring, and rapid incident response. https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity

Threat modeling, model abuse testing, prompt-injection defenses. https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity to Your Clients

White-label pen testing and assessments for agencies/MSPs. https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

React runs in the browser, but your React + API stack can still leak data if your backend builds SQL unsafely. This guide shows the safest patterns to keep your React apps free from SQL injection, with compact copy-paste snippets.

1) Core principle: never concatenate SQL

Vulnerable (don’t do this)

// Node/Express + pg (bad) app.get("/user", async (req, res) => { const id = req.query.id; // "1 OR 1=1" const rows = await db.query(`SELECT * FROM users WHERE id = ${id}`); res.json(rows.rows); });

Safe: parameterized queries

// Node/Express + pg (good) app.get("/user", async (req, res) => { const id = Number(req.query.id); const { rows } = await db.query("SELECT * FROM users WHERE id = $1", [id]); res.json(rows); });

Screenshot of our free Website Vulnerability Scanner homepage

Screenshot of the free tools webpage where you can access security assessment tools.

2) Use query builders/ORMs that default to parameters

Knex.js

knex("users").where({ id: req.query.id }).first();

Prisma

const user = await prisma.user.findUnique({ where: { id: Number(req.query.id) } });

Sequelize

User.findOne({ where: { id: req.query.id } });

3) Whitelist everything that can vary

Never pass raw field names/order from the client.

// Allow-list sort fields & directions const SORT_FIELDS = new Set(["created_at","email"]); const DIR = new Set(["asc","desc"]); const sort = SORT_FIELDS.has(req.query.sort) ? req.query.sort : "created_at"; const dir = DIR.has((req.query.dir||"asc").toLowerCase()) ? req.query.dir : "asc"; const { rows } = await db.query( `SELECT email, created_at FROM users ORDER BY ${sort} ${dir}` // safe: values are controlled );

4) Validate at the edge (before the DB)

// zod validation import { z } from "zod"; const schema = z.object({ id: z.coerce.number().int().positive() }); const { id } = schema.parse(req.query);

React form sanity-check

const onSubmit = (e) => { e.preventDefault(); if (!/^\d+$/.test(id)) return setErr("ID must be a positive integer"); fetch(`/user?id=${id}`); };

5) Safe search endpoints

Bad

db.query(`SELECT * FROM products WHERE name LIKE '%${req.query.q}%'`);

Good

db.query("SELECT * FROM products WHERE name ILIKE $1", [`%${req.query.q}%`]);

Sample vulnerability report by our free tool to check Website Vulnerability

Sample vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

6) Don’t leak internals

try { // ...db call } catch { res.status(400).json({ error: "Invalid request" }); // no raw SQL error messages }

7) CI/CD safety net

Scan your site with our free Website Security Checker to spot risky endpoints early: https://free.pentesttesting.com/

Schedule regular scans after each deployment.

More learning & resources

Read more on the Pentest Testing Corp. Blog: https://www.pentesttesting.com/blog/ Subscribe on LinkedIn https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=7327563980778995713

Our Services (quick links)

Managed IT Services

Proactive monitoring, patching, and response to keep your React + API stack healthy. https://www.pentesttesting.com/managed-it-services/

AI Application Cybersecurity

Threat modeling and testing for LLM/AI features that touch your databases. https://www.pentesttesting.com/ai-application-cybersecurity/

Offer Cybersecurity Service to Your Client

White-label pentesting you can resell with confidence. https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

TL;DR checklist

✅ Always use parameterized queries

✅ Whitelist columns/order for sorting/filtering

✅ Validate inputs at API edge & UI

✅ Hide SQL errors from users