Posts

Showing posts from September, 2025

Server-Side Request Forgery (SSRF) in React.js

SSRF isn’t a React bug; it’s a back-end flaw your React app can accidentally trigger. When a front-end sends a URL to an API that then fetches it server-side, attackers can pivot that API to read internal services, cloud metadata, or files. Read more security posts: https://www.pentesttesting.com/blog/

How React Front-Ends Accidentally Cause SSRF

React UIs often have features like “Preview URL”, “Import from RSS”, or “Fetch webhook status”. If the server blindly fetches user-supplied URLs, it might access http://169.254.169.254/ (cloud creds), http://localhost:2375/ (Docker), or internal hosts like http://intranet-db:5432.

Vulnerable Pattern (React + Node)

React component (sends any URL to the API):

    // Danger: lets users request any URL via your server
    export default function Preview() {
      const [url, setUrl] = React.useState("");
      const [data, setData] = React.useState("");
      const go = async () => {
        const res = await fetch("/api/fetch?url=...

React.js RCE: How Exploits Happen & How to Prevent

Why “RCE in React” is a Real Risk

React runs in the browser, but teams often pair it with Node.js (SSR/APIs), third-party packages, and build tools. Attackers abuse these touchpoints to turn a simple bug into Remote Code Execution (RCE) on the server, the CI runner, or even in hybrid shells like Electron. This guide explains the main paths and how to stop them. For more security insights, see our blog: Pentest Testing Blog.

How RCE Reaches React Projects

DOM XSS → Code Execution

Untrusted HTML + dangerouslySetInnerHTML lets attackers run arbitrary JS, which can pivot to RCE in Electron or backend bridges.

    // ❌ Vulnerable: untrusted HTML dropped into the DOM
    export default function Post({ html }) {
      return <div dangerouslySetInnerHTML={{ __html: html }} />;
    }

    // ✅ Safer: sanitize first
    import DOMPurify from 'dompurify';
    export function SafePost({ html }) {
      const clean = DOMPurify.sanitize(html, { USE_PROFILES: { html: true } });
      return <div dangerousl...