Best of Web Security 2025

  1. Article
    ByteByteGo · 1y

    EP150: 12 Algorithms for System Design Interviews

    Learn about 12 key algorithms used in system design interviews, including Bloom Filter, Geohash, and Consistent Hashing. Understand the workings of Kubernetes, an open-source container orchestration platform, and explore the architecture of PostgreSQL, the popular database system. Additionally, discover important tips for API security.

  2. Article
    Hacker News · 1y

    I use Zip Bombs to Protect my Server

    Traffic from bots is a major issue on the web, with many being malicious and aiming to exploit server vulnerabilities. Zip bombs can be used as a protective measure against these bots. A zip bomb is a small compressed file that expands to an enormous size, overwhelming the bot's server and causing it to crash. This method can be implemented by serving bots a deceptive file that they attempt to decompress, leading to system failures in less sophisticated bots. However, it is not foolproof and can be circumvented by more sophisticated scripts.

  3. Article
    freeCodeCamp · 50w

    How Attackers Steal Data from Websites (And How to Stop Them)

    Web attackers use various methods to steal data including phishing emails, SQL injection, cross-site scripting (XSS), brute force password attacks, malware, man-in-the-middle attacks, outdated software exploitation, and insecure API integrations. Defense strategies include user education, multi-factor authentication, input validation, HTTPS implementation, regular software updates, secure coding practices, and proper API security. The stolen data often ends up on the dark web where it's sold for identity theft and further attacks.

  4. Article
    Ars Technica · 41w

    Adult sites are stashing exploit code inside racy .svg files

    Adult websites are exploiting SVG image files to embed malicious JavaScript code that automatically generates Facebook likes when users click on the images. Unlike traditional image formats, SVG files can contain executable code, making them vulnerable to attacks like cross-site scripting and clickjacking. The malicious code is heavily obfuscated using techniques like JSFuck to avoid detection, allowing these sites to artificially boost their social media engagement through unwitting user interactions.

  5. Video
    YouTube · 45w

    Website Hacking for Beginners | SQL Injection

    A beginner-friendly demonstration of SQL injection attacks using a fake banking website. Shows how attackers can bypass login forms by manipulating SQL queries with techniques like '1=1' logic and comment injection (--). Explains the vulnerability occurs when user input isn't properly validated, allowing unauthorized access and potential data theft. Emphasizes this is one of the top three OWASP critical vulnerabilities and mentions advanced tools like Burp Suite and SQLMap for automated attacks.

  6. Article
    TechCrunch · 1y

    How OpenAI’s bot crushed this seven-person company’s web site ‘like a DDoS attack’

    Triplegangers, a small company specializing in 3D image files, faced disruption when OpenAI's bot significantly overloaded their ecommerce site, akin to a DDoS attack. The bot attempted to download the company's extensive database of images, leading to site crashes and anticipated high server costs. This incident highlights the importance of properly configuring robots.txt files to block unwanted bots and the challenges small businesses face in protecting their data against AI scrapers.

  7. Article
    System Design Newsletter · 1y

    The System Design Newsletter

    The post explains the concept of JSON Web Tokens (JWT) and their structure, as well as their role in user authentication and authorization. It highlights the advantages of using JWT in distributed systems for scalability and ease of managing user sessions across servers. The post also addresses potential security risks associated with JWT and offers tips for mitigating these risks.

  8. Video
    Programmers are also human · 1y

    Interview with Vibe Coder in 2025

    Discussion covers the development and performance of an Uber simulator, database and web security, optimization techniques, and various app functionalities. Emphasizes a light-hearted approach to troubleshooting and iterative development, reflecting on modern app trends and developer challenges.

  9. Article
    Astro · 51w

    Astro 5.9

    Astro 5.9 introduces experimental Content Security Policy support using a hash-based approach that works across static sites, serverless, and SPAs. The release adds a renderMarkdown helper for content loaders, allows disabling default styles in responsive images for better Tailwind 4 compatibility, and enables adapters to suppress feature support logs. The CSP implementation generates meta elements with hashes for all scripts and styles, providing XSS protection without requiring server-side nonce generation.

  10. Article
    Laravel Dev · 47w

    Why Laravel Developers Need to Think Like Hackers

    Laravel provides excellent security defaults like CSRF protection and input validation, but developers often break the security model through poor implementation. Hackers exploit assumptions by testing unexpected inputs, bypassing validation, and accessing hidden routes. To build truly secure applications, developers need to adopt a hacker mindset: assume the worst, test edge cases, audit trust boundaries, and validate data at multiple layers. The article demonstrates this with a file upload vulnerability example where a PHP file disguised as JPG bypassed validation and granted shell access.

  11. Article
    Lobsters · 31w

    Element: setHTML() method - Web APIs

    The setHTML() method is an experimental Web API that provides XSS-safe HTML parsing and sanitization. It parses HTML strings, removes unsafe elements and attributes (like script tags and onclick handlers), and inserts the sanitized content into the DOM. The method accepts optional sanitizer configurations but always strips XSS-unsafe entities regardless of configuration. It's designed as a secure alternative to innerHTML for handling untrusted HTML content.

  12. Article
    Tech Lead Digest · 49w

    The Ultimate Guide to JWT Vulnerabilities and Attacks (with Exploitation Examples)

    JWT vulnerabilities pose serious security risks in modern web applications. Common attacks include signature bypass, algorithm confusion (switching from RS256 to HS256), weak secret brute-forcing, and injection attacks through header parameters like 'kid' and 'jku'. The guide covers exploitation techniques for each vulnerability type, from trivial signature removal to sophisticated ECDSA psychic signature attacks. Key defense strategies include strict algorithm validation, secure key management, input sanitization, and proper signature verification implementation.

  13. Article
    JustSteveKing · 1y

    Advanced Authorization methods in Laravel

    Laravel offers robust authorization mechanisms through Gates and Policies, primarily using RBAC. However, for more granular control, ReBAC, ABAC, and PBAC models can be implemented to suit various use cases. ReBAC is useful for relationship-based checks, ABAC offers fine-tuned control through attributes, and PBAC combines attributes and relationship-based checks with high-level policy definitions. Choosing the right model depends on the complexity, performance, and scalability needs of your application.

  14. Video
    David Bombal · 24w

    Firefox Just Killed Browser Fingerprinting (2025)

    Firefox 145 introduces enhanced anti-fingerprinting protections that reduce uniquely identifiable users from 65% to 20%. The new defenses block tracking through hardware details, fonts, processor cores, and screen dimensions. Initially available in private browsing and strict mode, these protections will eventually be enabled by default for all users. Fingerprinting allows websites to track users even when cookies are blocked by creating unique digital signatures from browser and device characteristics.

  15. Article
    Security Boulevard · 1y

    Authentication and Single Sign-On: Essential Technical Foundations

    Authentication and Single Sign-On (SSO) are crucial for modern web security. Implementing these effectively requires understanding essential technologies and security concepts such as HTTP, cookies, session management, database security, XSS, CSRF, and CORS. By grasping the technical foundations and best practices in these areas, developers can create secure authentication systems. Key practices include using secure cookies, preventing SQL injection and XSS attacks, managing sessions properly, and configuring CORS correctly. Comprehensive security involves layered approaches, including strong password policies and regular security audits.

  16. Article
    Claudette · 41w

    Hack Smarter, Not Harder: Sitadel Revolutionizes Web App Security

    Sitadel is an updated version of WAScan, a web application security scanner compatible with Python 3.4+. It offers enhanced flexibility for writing custom modules, includes interface framework detection, CDN detection, configurable risk levels, an add-on system, and Docker support for easy deployment.

  17. Article
    Cloudflare · 40w

    Announcing the Cloudflare Browser Developer Program

    Cloudflare launches a Browser Developer Program to collaborate with browser development teams on improving compatibility between browsers and Cloudflare's security systems like Challenges and Turnstile. The program offers direct communication channels, best practices, early access to updates, and testing integration. It aims to balance security needs with supporting the diverse browser ecosystem, from mainstream browsers to privacy-focused, embedded, and specialized browsers that collectively represent a significant portion of web traffic.

  18. Article
    Chrome Developers · 49w

    HTML spec change: escaping < and > in attributes

    The HTML specification was updated to escape < and > characters in attributes when serializing DOM to HTML strings, helping prevent mutation XSS vulnerabilities. This change affects innerHTML, outerHTML, and getHTML() methods but doesn't impact HTML parsing or DOM APIs like getAttribute(). The update is rolling out in Chrome 138, Firefox 140, and Safari 26, potentially breaking code that relies on innerHTML/outerHTML for attribute extraction and end-to-end tests expecting unescaped characters.

  19. Article
    InfoSec Write-ups · 37w

    How to Prevent CSRF Attacks in Your Applications

    Explores three major CSRF attack prevention strategies with practical demonstrations: SameSite cookie attributes that control cross-site cookie transmission, synchronizer token patterns that validate server-generated tokens, and double submit patterns that compare tokens from cookies and forms. Each mitigation addresses different core issues - browsers automatically attaching credentials and servers being unable to distinguish request origins. Includes live code examples and explanations of why attackers cannot forge CSRF tokens due to Same-Origin Policy restrictions.

  20. Video
    Theo - t3․gg · 1y

    The worst code I've ever seen

    A developer shares an experience with encountering extremely bad JavaScript code that made them question their career. The post details the various issues in the code, including security vulnerabilities, improper SQL handling, and overall poor coding practices. It also covers a journey of tracing the code's origins, transformations, and how it ended up as a viral meme. The post emphasizes the importance of secure and efficient coding techniques.

  21. Article
    Backend Developer · 1y

    Database less OTP- A concept

    The post explains how an OTP system typically works and proposes a concept for a database-less OTP system using hashing and JSON Web Tokens (JWT) to reduce costs. It suggests creating a raw OTP sent to the user and a corresponding hashed OTP shared with the user's browser. This approach can prevent database dependency while maintaining security. A demo and GitHub repositories for the backend and frontend implementations are provided.

  22. Article
    Hacker News · 37w

    Native ACME Support Comes to NGINX

    NGINX now includes native ACME protocol support through the ngx_http_acme module, enabling automatic SSL certificate management from Let's Encrypt without third-party tools. This built-in functionality, implemented in memory-safe Rust, joins other web servers like Traefik, Caddy, and Apache in providing seamless certificate automation, reducing operational overhead for developers and system administrators.

  23. Article
    Faun · 45w

    How to Implement Robust WAF Protection for Web Applications: Block SQL Injection, XSS, and DDoS Attacks

    A comprehensive guide to implementing AWS WAF protection for web applications, covering deployment of a vulnerable test application (DVWA) on EC2, CloudFront distribution setup, and WAF configuration with managed rules for SQL injection and XSS protection. Includes custom rate limiting rules, S3 logging setup, and practical testing methods to verify protection against common web attacks.

  24. Video
    John Hammond · 1y

    Finding Web App Vulnerabilities with AI

    Discover how Burp Suite's new AI features can help find web application vulnerabilities more effectively. The video demonstrates setting up and using Burp AI, a tool integrated into Burp Suite Professional, within a Kali Linux environment. By leveraging AI, the tool can automate and enhance various security testing tasks, significantly aiding in penetration testing efforts. Key capabilities include scanning for vulnerabilities, reducing false positives, and providing intelligent automation to supplement manual testing efforts.

  25. Article
    freeCodeCamp · 48w

    How to Choose a Web Application Firewall for Web Security

    Web Application Firewalls (WAFs) act as specialized security layers that filter malicious traffic targeting web applications, protecting against SQL injection, XSS attacks, and bot traffic. Five major WAF solutions are compared: Cloudflare offers easy deployment with free tier options, Imperva provides enterprise-grade features with compliance support, SafeLine delivers self-hosted control with semantic detection, Fortinet FortiWeb integrates with existing security ecosystems, and F5 Advanced WAF offers comprehensive protection for complex multi-cloud environments. The choice depends on factors like technical expertise, budget, compliance requirements, and existing infrastructure.