TL;DR

  • Check v-html usage and any dynamic bindings like :href, :src, :style, :class.
  • Look for open redirects in vue-router (e.g. ?redirect= or #/...).
  • Inspect Vuex/localStorage usage for tampering and trust boundaries.
  • Hunt for sourcemaps, exposed API keys, and dev-mode artifacts.
  • If PHP is the backend, review JSON-in-script rendering and CSRF.

Quick Checklist (Vue + PHP)

Frontend (Vue)

  • v-html usage
    • Find all v-html occurrences.
    • Test input with "><img src=x onerror=alert(1)> and <svg/onload=alert(1)>.
  • Dynamic attributes
    • Review :href, :src, :style, :class.
    • Try javascript: or CSS injection where user input flows.
  • Router handling
    • Test ?redirect=http://evil.com or hash routes like #/evil.
    • Look for router.push(userInput) and weak allowlists.
  • State/storage manipulation
    • Tamper Vuex, localStorage, sessionStorage and observe API calls or UI decisions.
  • Dev artifacts
    • Check for .map files (e.g. main.js.map).
    • Look for exposed keys, internal URLs, debug flags.

Server to Client (PHP -> Vue)

  • Unescaped JSON in HTML
    • Example risk: <script>window.appData = <?= json_encode($data) ?>;</script>.
    • Test with "><img src=x onerror=alert(1)> or </script><svg/onload=alert(1)>.
  • HTML injection via PHP variables
    • Check data-*, inline scripts, or inline styles.
  • Stored content injection
    • If API/DB content renders into Vue without sanitization, Stored XSS is possible.

Backend (PHP APIs)

  • CSRF with session cookies
    • If Vue uses cookie-based sessions, verify CSRF protections exist.
  • Auth bypass / token flaws
    • If JWT is stored in localStorage, test signature validation and alg handling.
  • File upload risks
    • If uploaded files are rendered directly, test for Stored XSS or RCE.
  • Parameter pollution
    • Test id=1&id=2 and array-like params.
  • Prototype pollution
    • Test JSON payloads like {"__proto__":{"polluted":"1"}}.

Shared (Vue + PHP)

  • CORS misconfig
    • Access-Control-Allow-Origin: * with credentials is a red flag.
  • Rate limiting
    • Try brute force and high-volume requests.
  • Sensitive data exposure
    • Check window.__INITIAL_STATE__, window.appData, logs, and headers.
  • Version leaks
    • Vue.version in dev mode, PHP version headers, or phpinfo() exposure.

Common Issues and How to Test

1) XSS via v-html and bindings

  • v-html renders raw HTML. If user input flows into it, DOM XSS is likely.
  • Dynamic bindings can accept untrusted input, e.g. :href, :src, :style.

Test ideas:

  • "><img src=x onerror=alert(1)>
  • <svg/onload=alert(1)>
  • javascript:alert(1) in URL-like bindings

2) State abuse (Vuex / localStorage)

  • Many apps cache state in localStorage and read it back into Vuex.
  • If the backend trusts client state, you can escalate privileges or trigger logic.

Test ideas:

  • Modify stored roles or flags and reload.
  • Intercept API requests and observe permission checks.

3) Prototype pollution

  • Vue handles lots of objects; unsafe merges of attacker-controlled JSON can pollute prototypes.

Test ideas:

  • {"__proto__":{"isAdmin":true}} in API payloads or query params.

4) Router misconfiguration

  • Unvalidated redirects or route parameters can lead to open redirects or phishing.

Test ideas:

  • ?redirect=http://evil.com
  • router.push(userInput) with missing allowlists

5) Dev-mode and sourcemap leaks

  • Dev builds or sourcemaps can expose internal routes, secrets, or business logic.

Test ideas:

  • Check for .map files next to JS bundles.
  • Inspect global hooks like __VUE_DEVTOOLS_GLOBAL_HOOK__.

Vue in a PHP Environment

Typical integration

  • PHP renders a base HTML shell.
  • Vue hydrates the UI and fetches data via APIs.
  • Data flows:
    • PHP -> JSON -> Vue (inline window.appData)
    • API requests (AJAX / fetch)

Common PHP + Vue risks

  • Unescaped PHP data injected into JS or HTML.
  • Vue rendering untrusted API data without sanitization.
  • CSRF gaps when Vue uses session cookies.
  • File uploads rendered directly by the frontend.

Notes

  • Always trace where input originates and where it lands (DOM, attributes, APIs).
  • If you find one untrusted path, search for similar patterns across the codebase.