rslay / zerochat Goto Github PK

Webapp pentesting is a skill that will be needed to make sure ZeroChat is a secure application. I am almost certain that there is something vulnerable - there are already more than 700 lines of code at the first commit.
I will prioritize the following:

• Research memory leaks and how to detect/exploit and avoid them or protect against exploitation
• Reduce code size and attack surface
• Make the program more modular so that debugging and bug hunting/fixing becomes easier
• Use fuzzers and try to break the server/take it down/inject malicious code
• Automatically detect and block DDoS attempts

In-chat settings iframe that updates CSS on chat body.
Should have options for:

• Hiding or showing file previews in the browser
• Let the user unload the chat history
• Change themes

Hello, how i can to connect my domain to my website? I use cloudflare flexible SSL, and i need use domain name. How? If i use redirect, i take something strange - web is crashed when i try write message.
For example: https://hive.slainscraft.com/

Move over codebase and HTTP requests to express.js, instead of just using the HTTP library available to NodeJS.

Probably not a good idea to store entire files as base64 data in variables and pass them through a bunch of functions - preferable to utilize an in-memory file system that only converts files to base64 when needed by the browser and to have it kept in one memory location in all other situations

Possible library option: https://github.com/streamich/memfs

Add a command line arguments, including:

• Setting listening port via a -p flag
• Enabling logging verbosity with -v flag and setting logging off by default

Users who try to upload files larger than given limit should have the upload stop if it goes past a certain filesize.

Optimal solution is to check filesize before letting the user start uploading, but it may not be that straightforward since clients can lie. Got to stop the upload the second it passes the filesize limit

Currently, messages are stored in the msg array as JSON, but never deleted or removed.
At an interval, these should be removed. Perhaps the messages should be stored on the heap, or maybe that is not the best approach. Some research will need to be done on how NodeJS handles memory allocation, and to make sure no memory leaks are happening.

The concept of private/secret rooms seems like an ideal feature to have in case you want to have a private conversation with multiple people and PMs don't suffice.

Make it possible for users in the same frequency/channel to send messages to each other privately

Make iframes restricted and only able to submit forms.

Potentially, the chat itself could be moved off into an iframe for sandboxing user messages in case something is vulnerable, so that all attempts at XSS would be negated.

Add a rolling identification key for posting, so that if the viewing key is compromised on the user's end, nobody can pretend to be them with an old key.
Since the passcode is already secured and only sent over once, this would be the next step to secure the identification method for users

Related to issue #2

At the moment, users seem to stay in the chat, server-side, even after disconnecting.
There will need to be a remove of users once their connection is lost.