7 Security Risks and Hacking Stories for Web Developers

Top 7 security concepts 🛡️ and hacking stories for Web Developers 🎭 that every JavaScript developer should know about: Zero-day, Vulnerable packages, XSS, SQL Injection, Credential Leaks, Principle of Least Privilege, DDoS

Cloud providers and web application frameworks go to great lengths to protect you from writing insecure code. The Cloud provides secure defaults and monitoring for your infrastructure, while Angular and React automatically sanitize HTML to prevent the injection of malicious JavaScript. Despite these safeguards, no application is 100% secure and clever new exploits will be discovered. The following lesson explains some of the most common hacking techniques and how to secure your app against them.

1. Zero-day Vulnerability

A zero-day vulnerability is a weakness that is unknown or unfixed as of today. When a hacker decides to attack this weakness, it's called a zero-day exploit.

After it becomes known, you can think of it as a one-day or 20-day exploit based on the time since initial discovery.

2. Packages with Known Vulnerabilities

In 2017, the Equifax Data Breach exposed more than 140MM customer records and has cost the company over $1 billion. It was caused by a known vulnerability, over two months old at the time, that could have been prevented with a simple update to Apache Struts.

Using packages with known vulnerabilities is the most common way hackers exploit web apps.

Audit your current NPM project using the audit command. Then update your dependencies as needed.

npm audit

npm audit fix

3. Cross-site Scripting (XSS)

The Samy worm was an XSS attack that spread to over 1 million MySpace pages in 24 hours. If affected, it would update your profile to say "but most of all, samy is my hero".

Cross-site scripting occurs when a hacker runs malicious JavaScript in a client's browser. It can happen in a variety of ways, but is commonly the result of rendering raw HTML from the server.

A diagram of a typical Cross Site Scripting attack

  1. Hacker saves some JS code to the database like <script>alert('you got got')</script> by submitting a comment via the web app.
  2. The victim user visits the webpage with that comment, but the developer did not sanitize the hacker's comment, so the browser thinks it's a trusted script/HTML.
  3. At this point, the hacker’s JS is running as if it were the end-user.
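The three steps above, as an added example that is not part of the original post: the stored comment rendered straight into markup (step 2) beside the same comment rendered as escaped text, plus a cheap check on the produced markup. The comment string is constructed for the example.

```javascript
// Added example (not from the original post): rendering a stored comment
// as raw HTML versus as escaped text.

// Constructed sample: the comment a hacker submitted through the web app
// and that the server stored as-is in the database.
const storedComment = "<script>alert('you got got')</script>";

// Vulnerable: the comment is dropped straight into the page markup, so the
// browser treats the hacker's <script> as trusted HTML.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Escape the five characters that let text break out of an HTML text node
// or attribute value. This is what Angular/React do for you automatically.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same comment is rendered as text; the browser displays
// the <script> characters instead of executing them.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Check a test suite can run on produced markup: does the rendered output
// contain a script tag that the template itself never emits?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```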

4. SQL Injection

In 2008, Heartland Payment Systems exposed the data encoded on credit cards via a SQL injection attack. The hackers used this data to make physical counterfeit credit cards. The ringleader, Albert Gonzalez, was caught and sentenced to 20 years in prison.

SQL injection is similar conceptually to XSS, but instead it runs malicious code on the database.

Notice how the code below relies on an external parameter to construct the query. If it is not sanitized, an attacker can submit raw SQL code and the database will execute it.

"SELECT * FROM users WHERE uid='" + request.getParameter("uid") + "'";

Most ORMs will prevent SQL injection attacks because you do not construct the queries on your own. However, there have been hacks on ORMs directly, so again, nothing is 100% secure.
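The concatenated query from the text beside a parameterized version, as an added example that is not part of the original post. The `request` object and the hostile `uid` value are constructed; the `{ text, values }` shape is the one node-postgres (`pg`) accepts in `client.query()`, and the database call itself is left out so the example runs offline.

```javascript
// Added example (not from the original post): string-built SQL versus a
// parameterized query, with a constructed request.

// Constructed request standing in for request.getParameter("uid").
const request = { params: { uid: "42' OR '1'='1" } };

// Vulnerable: the parameter is pasted into the SQL text, so a quote in the
// input ends the string literal and the rest of the input is parsed as SQL.
function buildQueryUnsafe(uid) {
  return "SELECT * FROM users WHERE uid='" + uid + "'";
}

// Parameterized: the SQL text is a constant and the value travels separately
// as a bound parameter, so it can only ever be compared as data. This is the
// { text, values } shape pg accepts; mysql2 uses '?' placeholders the same way.
function buildQuerySafe(uid) {
  return { text: "SELECT * FROM users WHERE uid = $1", values: [uid] };
}

// Count single-quoted literals in a query text. With the hostile input the
// unsafe query grows from one literal to three: its structure has changed,
// which is exactly what a parameterized query makes impossible.
function countStringLiterals(sql) {
  return (sql.match(/'[^']*'/g) || []).length;
}
```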

5. Credential Leaks

Many APIs and Cloud Providers provide API keys that allow you to interact with paid services. If a hacker discovers a secret API key it can be used to take destructive action on your behalf. There are a few ways credentials are leaked.

  1. Using API keys directly in source code, then pushing the repo to GitHub.
  2. Using API keys directly in source code, then bundling them in your production app.

You can prevent credential leaks by NOT putting them in your source code. Instead, use environment variables or a service like Secret Manager.

6. Principle of Least Privilege

In the event that your credentials are compromised, you can mitigate the damage by following the Principle of Least Privilege. Basically, this means grant access only when it is absolutely required.

A good example is Firestore Database Rules, which allow you to customize the permissions of an API key. When defining rules, you should always start by locking down everything, then selectively allow access as needed.
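As an added example (not from the original post), a Firestore rules file that follows this pattern: the catch-all match denies everything, and one collection is opened only to the signed-in user who owns the document. The `users` collection and the owner check are assumptions for illustration.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Default deny: nothing is readable or writable unless a later rule allows it.
    match /{document=**} {
      allow read, write: if false;
    }
    // Assumed collection: each signed-in user may touch only their own document.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
```

Firestore grants access if any matching rule allows it, so the specific `users` rule still works alongside the default deny; everything not listed stays locked down.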

7. DDoS Attacks

In 2018, GitHub survived the largest DDoS attack in history after it was bombarded with 1.35 terabits of data per second. It only took the site down for about ten minutes thanks to a backup service, Akamai, which re-routed traffic and blocked the spoofed requests.

A DDoS attack attempts to flood a service with so much traffic that it simply shuts down. The attack is typically distributed across many spoofed sources, making it impossible to just block a single IP address.

For most developers, the best mitigation strategy is to use a large Cloud provider that has the bandwidth and monitoring capabilities to deal with such attacks.
