This repository demonstrates a complete "Build, Break, and Fix" cycle. It showcases how common vulnerabilities are introduced and how to architect robust, production-grade defenses.
🔗 GitHub: https://github.com/kn-dev-code/task-manager-app
main Branch (Secure Version): The hardened build. Features include strict Zod input validation, JWT auth, RBAC, and sanitized API endpoints to mitigate OWASP Top 10 risks.
feat/vulnerable-branch (Vulnerable Version): Intentionally sabotaged to demonstrate security failures like NoSQL injection and broken access controls.
Frontend: React / TypeScript / Tailwind CSS
Backend: Node.js / Express / TypeScript
Database: MongoDB (Atlas)
Security Testing: Vitest / Supertest
- Clone the repo: git clone https://github.com/kn-dev-code/task-manager-app.git
- Install dependencies: npm install (in both /frontend and /backend)
- Setup Environment: Create a .env in /backend (see .env.example)
- Start Dev: npm run dev
- Run Tests: npm test
- NoSQL Injection: fixed via Zod object-validation in auth services
- Mass Assignment: fixed by removing spread operators on User models
- Broken Access Control: fixed via RBAC middleware on /admin routes
- Stored XSS: fixed via React's native DOM escaping + input sanitization
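The three backend fixes above (object-validation of login input, an allow-list instead of a body spread on the User model, and a role check on /admin routes) can be shown in a few self-contained functions. The block below is an added example written for this page, not code from the task-manager-app repository. The project uses Zod; because this example is meant to run with no dependencies, it hand-rolls a type guard that mirrors what a strict Zod object schema would enforce. All names in it (`parseLoginInput`, `pickRegistrationFields`, `requireRole`, `AuthenticatedRequest`) are hypothetical, and the "request" objects are plain objects rather than Express types.

```typescript
// Added example for this page (not from kn-dev-code/task-manager-app).
// Hand-rolled guard standing in for a strict Zod schema; assumed function names.

interface LoginInput { email: string; password: string; }

// NoSQL injection defence: both credentials must be plain strings.
// MongoDB query operators are expressed as objects, so a JSON body such as
// { "password": { "$ne": "" } } must be rejected here, before it can reach
// a find() call where an object value would be read as an operator.
function parseLoginInput(body: unknown): LoginInput | null {
  if (typeof body !== 'object' || body === null) return null;
  const b = body as Record<string, unknown>;
  if (typeof b.email !== 'string' || typeof b.password !== 'string') return null;
  // Length bounds (constructed limits for the example) keep the input well-formed.
  if (b.email.length === 0 || b.email.length > 254) return null;
  if (b.password.length < 8 || b.password.length > 128) return null;
  return { email: b.email, password: b.password };
}

// Mass assignment defence: the vulnerable pattern is new User({ ...req.body }),
// which lets a client supply role: 'admin'. The fix names the accepted fields
// explicitly; any other key, including role, never reaches the model.
interface RegistrationFields { email: string; password: string; name: string; }

function pickRegistrationFields(body: Record<string, unknown>): RegistrationFields | null {
  const { email, password, name } = body;
  if (typeof email !== 'string' || typeof password !== 'string' || typeof name !== 'string') {
    return null;
  }
  return { email, password, name }; // role is assigned server-side, never from the client
}

// Broken access control defence: a minimal stand-in for an Express middleware
// guarding /admin routes. 401 when unauthenticated, 403 when the role does not match.
type Role = 'user' | 'admin';
interface AuthenticatedRequest { user?: { id: string; role: Role } }

function requireRole(required: Role) {
  return (req: AuthenticatedRequest): { status: number } => {
    if (!req.user) return { status: 401 };
    if (req.user.role !== required) return { status: 403 };
    return { status: 200 };
  };
}

// Constructed sample inputs, as a login route would receive them after JSON parsing.
const legitimateLogin: unknown = { email: 'alice@example.test', password: 'correct-horse-battery' };
const operatorLogin: unknown = { email: 'alice@example.test', password: { $ne: '' } };
const oversizedRegistration = {
  email: 'bob@example.test', password: 'correct-horse-battery', name: 'Bob', role: 'admin',
};

console.log(parseLoginInput(legitimateLogin) !== null); // true: passes validation
console.log(parseLoginInput(operatorLogin) === null);   // true: rejected before any query
console.log(pickRegistrationFields(oversizedRegistration)); // role is dropped
console.log(requireRole('admin')({ user: { id: '1', role: 'user' } })); // { status: 403 }
```

In the real project the first two checks live in the auth service and the third is mounted with `app.use('/admin', ...)`; the point of the type guard is that the rejection happens at the boundary, so the database layer only ever sees string credentials.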