Category: Security

How I got hundreds of YouTube Subscribers for free

There are websites that would gladly take your money in exchange for YouTube likes or subscribers. These services always have a free plan, and in this article I will show how I managed to trick one such service into giving me unlimited subscribers without paying and without actually participating in the like/subscribe exchange system it has in place.

How to invalidate a JWT

In a past article, I wrote about JWTs, how to generate one and how to use them for authorization. JSON Web Tokens, however, have one major drawback. Once a token is generated and handed to the client, it can't easily be invalidated. This is a big problem if the JWT is leaked while it has not yet expired (or worse, if it does NOT have an expiration date at all). That is why it is important to make sure that your JWT can be...

Using “pepper” to increase password storing security

In a previous article I wrote about how to securely store a password in the database. The article got the attention of many fellow developers, so I decided to improve on it by writing this one. You see, even though storing the password as a salted hash is very secure, there is an additional layer that can be added to make things even harder to crack: pepper. The "pepper" part is not meant...

Using JSON Web Tokens for Authorization

A useful feature of a web application is the ability to authorize a client to access certain features of the app. Once authentication has happened, it is important to also check that the client has access to the requested feature. An easy-to-use method for this is provided by JSON Web Tokens. These can be generated easily, can hold the data needed for authorization decisions, and most importantly, are tamper-evident when properly signed. Let us look at how a JWT is generated by the server...

Exposing sequential IDs is bad! Here is how to avoid it.

When working on LOGaritmical, I initially had my primary keys defined as UUIDs. I took this approach for two reasons: security, and to avoid collisions even when there are many rows. My initial reasoning was that I would probably need to store each log line as a separate entry, and considering that one log can have a few thousand lines, there was a small risk of overflowing the integer key. Was my reasoning correct? Probably not. Furthermore, I stumbled upon...

You should always do server-side validation! Always!

With JavaScript frameworks becoming more and more powerful, a lot of business logic is now done on the client side. This, however, can pose security problems, and here are three commonly found mistakes where server-side validation is omitted and parts of the web app are left vulnerable because of it. We will be looking at role escalation, confidential information access, and more.

How to properly store a password in the Database

When I started LOGaritmical, one of the first functionalities I implemented was registering a new user. This meant that I had to store the user's password in the database in a secure way, and I would need to be able to verify that the password entered during login is correct. This is something that is quite easy to implement incorrectly, and you would be surprised (or not) at how many systems and websites store passwords in an incorrect way...