7 Security Risks and Hacking Stories for Web Developers

Рет қаралды 515,213

Күн бұрын

Top 7 security concepts 🛡️ and hacking stories 🎭 that every JavaScript developer should know about. Master these concepts in the Enterprise Security course: bit.ly/2wrUqAB (use FIRESHIP50 at checkout).
Full Security Article fireship.io/lessons/7-securit...
OWASP Top 10 owasp.org/www-project-top-ten/
Concepts:
1. Zero-day 0:47
2. Vulnerable packages 1:22
3. XSS 2:24
4. SQL Injection 3:42
5. Credential Leaks 4:48
6. Principle of Least Privilege 6:11
7. DDoS 7:43
#security #web #javascript
My VS Code Theme
- Atom One Dark
- vscode-icons
- Fira Code Font

Пікірлер: 301

@TheBadFred 4 жыл бұрын

As soon as you rely on someones else's code you most likely get vulnerabilities. The only way around that is to write everything yourself in Assembler, then you will have only your own vulnerabilities.

@Fireship 4 жыл бұрын

You can use other people's bugs, or create your own from scratch.

@TheBadFred 4 жыл бұрын

@@Fireship Even if you create completely vulnerability free code there are still hardware vulnerabilities like Meltdown and Spectre.

@luizvaz 4 жыл бұрын

Until your code meet someone that knows ASM and debug your code. Rewrite your masterpiece and deploy a patch!

@McDonnerbogen 4 жыл бұрын

You better start writing your assembly code or you will never get done ;)

@rockstarrrgaming335 4 жыл бұрын

@@TheBadFred that's why i like to build my pc from ground up by soldering individual transistors

@qwertyuiop-cy5en 4 жыл бұрын

(grabs bug spray) (sprays all over cpu)

@techyleviathan2054 4 жыл бұрын

hahaha

@StrangeIndeed 3 жыл бұрын

hahaha

@jordanski5421 3 жыл бұрын

Frick

@alfie0 3 жыл бұрын

lol

@lamichhane 2 жыл бұрын

I don't know how I laughed at this...

@ian.c 3 жыл бұрын

English is not my first language but I can understand every single word from this guy even he speaks very fast. 💯 👍 Appreciate your videos!

@lucasgazzola 2 жыл бұрын

Totally agree

@AZisk 4 жыл бұрын

The best security videos are scary - nice work on this one! For those folks dealing with mobile apps, whether built with JavaScript or not, there are a bunch of other security considerations to keep an eye on. The point is that you're never truly safe. As long as you have something valuable that could be hacked, someone out there will keep trying. You have to dedicate the time and resource to always stay on top of your security, it's not a set-it-and-forget-it thing.

@jannotabamo4002 4 жыл бұрын

Seeing my favorite youtuber for nativescript tutorials commenting here, proves that this channel provides a good content!

@AZisk 4 жыл бұрын

Janno Tabamo that’s so awesome! I’m glad you left that comment. Yes, this channel is pretty great - videos are top notch; great production and value.

@shivamvora2285 3 жыл бұрын

kzbin.info/www/bejne/pIGml3-Vm9qIoZY looks like linkedin clone with firebase as well easy explanation with github repo

@887310954 2 жыл бұрын

as a security researchet i can validate that we need a ton of awareness to impart to our devs. I've seen some of the scariest vulnerable code making it to production.

@BattyBest Жыл бұрын

The actual way to protect from ddos attacks is by blocking requests from ips that constantly send a bunch of requests, and then ask them to do a human verificiation. Scaling gets reeeeeeealy costly.

@arnoldas9730 Жыл бұрын

So if you block ip, how would your server respond with human verification?

@BattyBest Жыл бұрын

@@arnoldas9730 Blocking an IP is a server-side operation, and can be reverted immediately. What I am talking about is this: - Attacker sends a lot of requests - Server notices, and sends a verification - Verification is not received, any more packets from that ip are blocked - Another IP, this one not an attacker, sends a lot of requests - Server notices, and sends a verification - The new IP responds with verification - Server allows higher than normal requests temporarily - If this IP continually sends a large amount of packets, it may be throttled.

@HuyTran-wv3tz 11 ай бұрын

that is the basic way to solve dos, NOT ddos

@I_killed_that_beard_guy 8 ай бұрын

@@HuyTran-wv3tzcaptcha for everyone then

@g-luu 4 жыл бұрын

yesss...... longer videos. Great job as always.

@osmantoplica8912 2 жыл бұрын

Last tip could be a very very expensive one. Don't "fix" DDOS by scaling 😄

@OmerMD Жыл бұрын

Can you explain the reasoning for it?

@WACdeG Жыл бұрын

@@OmerMD That could lead to enormous costs.

@madhououinkyoma Жыл бұрын

Yeah, he definitely didn't quite go into it. But I guess the main point there was that scaling can be the needed solution if your service just cannot go down. You can set an upper bound on how high your services will scale. And of course, you should do other things as well and not just rely on scaling.

@guillemgarcia3630 4 жыл бұрын

concise and precise, I loved it!

@syntaxerorr 4 жыл бұрын

lol oh that hangover clip was perfect!

@andrij.demianczuk Жыл бұрын

This is amazing. Thank you for putting this together. Vulnerabilities are endemic to orgs that rush production. My heart always hurts when I hear folks complaining about IAM roles and policies (regardless of hyper scaler). They’re just so darn important to good cloud hygiene.

@thantyarzarhein5459 4 жыл бұрын

This channel deserves more subscribers and views

@onibenjo 4 жыл бұрын

I feel like awarding it a million likes

@rishabhsovani9427 4 жыл бұрын

Loved it please make more videos of secure coding and setting up secure development environment

@viharcontractor1679 4 жыл бұрын

Hey Jeff, This was a real delight to watch! I hope you do more videos like this which are related to general IT, every once in a while. I really love your editing style, Its quick but never misses out on important information!

@paulezekiel-hart733 8 ай бұрын

I can spend hours watching your videos, they are so informative, i love the fact that they are short and swift, it's the best way to keep up with the ever so growing tech trends

@LukePeters Жыл бұрын

Thanks for this! Planning a security review/upgrade for a web application and this video gave me a list of actionable ideas and steps to take.

@markarca6360 4 жыл бұрын

The principle of least privilege is implemented in Microsoft Windows' UAC (User Account Control), that is included in Windows since Windows Vista. This is also implemented in UNIX and Linux as the sudo (do as superuser) command.

@aleksandarstevanovic5854 4 жыл бұрын

Kevin Mitnick wrote in his book "Security is an illusion, you will put alarm on a door and feel safe, but what if burglar use window?". Modern frameworks are mostly safe against old methods od exploit unless you overengineer something, but they are not perfect, along the way they made anorher vulnerabilities which we will be talking about in the future

@IoTLearner 4 жыл бұрын

Quality content as always!

@iamshoaibkhalil 2 жыл бұрын

I'm in love with your videos...keep the good work up

@raihan.nismara 2 жыл бұрын

every content you created worth it to watch!

@ivantarnyagin9731 3 жыл бұрын

That intro animation was SMOOOTTTHHH

@ajalanbrown2200 Жыл бұрын

As a dev we just create security is never really thought of but this is a huge eye opener

@xanthirudha 4 жыл бұрын

Are you self-taught ? How did you get to this level? run `npm thanks` to see which open source projects are underfunded that you are using

@Fireship 4 жыл бұрын

Yep, I would say self-taught or on-the-job learning over the last 10 years. I has not been a quick or easy journey.

@xanthirudha 4 жыл бұрын

@@Fireship Thanks , you are the only YTr that inspires me to think of becoming a creator. This video is particularly well done, its like nerdwriter for code. I think it's inspiring me to think of how to help open source with security services. So essentially free doesn't mean safe

@henriherrera9744 4 жыл бұрын

@@Fireship Yeah tell me about it, i'm on that road right now. New Subscriber. I imagine that 10 years ago it was a lot more difficult. I have the added difficulty of being born in Venezuela though :P

@omaralexandro2928 4 жыл бұрын

Awesome video! Thanks!

@jerry9548 2 жыл бұрын

I think the most secure why is to source your own Silicon, make your own CPU, create your own OS and write your own programs on it. +1 for Security if the language is unknown and you are the only person alive knowing about it :D

@luvplato Жыл бұрын

😂😂😂

@emmanueladelanwa5341 10 ай бұрын

😅😅😂

@yogi5590 4 жыл бұрын

love your videos, keep it up

@ediancomachio2783 4 жыл бұрын

Best content on KZbin

@imsarvesh_ 4 жыл бұрын

Its treat to watch your videos.

@wouterdeen Жыл бұрын

I would really like an up-to-date video on this, especially with the ongoing cyber warfares and stuff

@imsarvesh_ 4 жыл бұрын

It’s pleasure to watch your videos.

@matanshtepel1230 3 жыл бұрын

loving ur vids 🤩

@deanvangreunen6457 4 жыл бұрын

best sponsor intro ever

@Faddablack 4 жыл бұрын

Very informative.

@arsenii9329 4 жыл бұрын

Awesome video! Thanks

@firaskudsy 4 жыл бұрын

Yesss .. finally new video

@shivamvora2285 3 жыл бұрын

kzbin.info/www/bejne/pIGml3-Vm9qIoZY looks like linkedin clone with firebase as well easy explanation with github repo

@svenvancrombrugge9073 3 жыл бұрын

The CIA part came a little short. You do a great job compressing so much knowledge in these short videos. In some cases a shortcut might be falsy though. You're not done with integrity because an intruder can't just manipulate data. You also must know if a manipulation took place in case of an breach otherwise the first point is... pointless.

@uhateulame9092 Жыл бұрын

it's an introduction to the subject, not a course.

@loading0004 4 жыл бұрын

nice aways waiting for videos from your channel

@maximilliantimofte4797 Жыл бұрын

problems and solutions EXCELENT

@AshishShekar 4 жыл бұрын

The guy on the thumbnail says 5 risks

@UnknownUser-ud1es 3 жыл бұрын

For those of you interested I would suggest a book: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them It really changed how I code my programs and software be it client side or server side.

@ToeShimmel 4 жыл бұрын

Next to using an ORM, using prepared statements against SQL injection should be just as safe, correct?

@zcharyma1465 4 жыл бұрын

376 likes 0 hate, you are a legend.

@TheEpicFace007 4 жыл бұрын

Is there any tips for hiding the API key when I use a API on a program I’m sharing with others. I’m on a forum where we share script and I sometime share my scripts. So how can I hide the API key I use? I know obfuscation can’t work as the obfuscation can get constant dumped.

@joshhardy5646 3 жыл бұрын

Pro tip: never use API keys as authentication. That’s not their intended purpose. They are inherently unsafe.

@armandodelrio3306 2 жыл бұрын

this is the best channel

@dawid_dahl 3 жыл бұрын

Wow, that was nice of AWS! (Long time since I heard something nice about a huge company like that, so thanks. Haha)

@sudolake3345 3 жыл бұрын

They usually refund those things, not everytime though

@Kaiju3301 3 жыл бұрын

The guy who ok’d the refund probably got fired.

@kerodfresenbetgebremedhin1881 3 жыл бұрын

Don't antropromorphise companies, they can neither be good or bad.

@1J03B 10 ай бұрын

4:40 might want to mention parameterized queries specifically

@valikonen 4 жыл бұрын

What do you think about NodeJS will have real chances in future to be used on the enterprise applications? And what about Java, it seems to loose popularity year after year. What backend language do you think it's worth to lear? Thanks for you awesome contribution!

@okie9025 4 жыл бұрын

NodeJS is already used by corporations like KZbin, Google, Facebook, Instagram, etc.

@mico3454 9 ай бұрын

Man I wish you were my mentor.

@logiconabstractions6596 Жыл бұрын

About lest priviledge: A few years ago, a bank in Canada (Desjardins) had a huge data leak of 100s of 1000s of their customers, some guy that tried to pawn of all that data into the dark web. Turns out the guy was from marketing, pissed about his job and for some reason had access to whole bunch of things he really didn't need to if all he needed to do in life was like know what % of customers both have a mortgage and car loan with them.

@valentynkhaman7688 4 жыл бұрын

Good video!

@blackwolf542 3 жыл бұрын

It's the predator/prey thing. The prey evolves to better avoid the hunter and survive, the predator evolves to better hunt it's prey and the cycle continues. Being aware of bugs and vulnerabilities and constantly evolving to identify and patch them is the only real way to keep it as secure as possible, it is a constant evolution as hackers are always evolving themselves.

@rockettpc2 2 жыл бұрын

Hahaha this episode had me rolling! Whoopsies!

@aravind.a 4 жыл бұрын

Awesome collection 👍

@hariharan-wt6qk 3 жыл бұрын

Hai bro, are u form TN

@aravind.a 3 жыл бұрын

@@hariharan-wt6qk Yes, I am

@hariharan-wt6qk 3 жыл бұрын

Naanum Tamil Nadu tha anna

@aravind.a 3 жыл бұрын

@@hariharan-wt6qk Ok Thambi..

@hariharan-wt6qk 3 жыл бұрын

@@aravind.a Na college first year padekuren Neeinga developer ah anna

@suki5593 4 жыл бұрын

👍 Thumbs up for making good videos

@tdrkone Жыл бұрын

your website is awesome

@ashobiz 2 жыл бұрын

Is there any way to prevent employee from using good old pen and paper to copy the sensitive info? Just asking.

@melvar1309 2 жыл бұрын

I had the exact same thing happen to me with AWS.

@eshaan7_ 4 жыл бұрын

I was just learning Dijkstra's algorithm for shortest path in graph and KZbin recommended me this....that's spooky.

@Fireship 4 жыл бұрын

Weird, I never mentioned him by name. The algorithm just knows.

@eshaan7_ 4 жыл бұрын

Yeah. 😂 Thanks for the amazing videos, always! I absolutely love your content and the quality of images/animations. Much appreciated.

@AntiWanted 3 жыл бұрын

Nice Job

@wilhelmdell4899 2 жыл бұрын

6:57 that usb animation tho XD

@B1TCH35K1LL3R 4 жыл бұрын

Dude the AWS stuff happened to me about 2 years ago. Now that I know you also made that mistake, I feel a lot less miserable haha

@BlazeBubble 4 жыл бұрын

I accidentally leaked a Twilio key a few months ago, it cost us $5000 in one day :( But yeah it's good to hear that other people do it, makes me feel a lot less bad about myself.

@B1TCH35K1LL3R 4 жыл бұрын

@@BlazeBubble It is part of the learning process. and btw amazing gesture from the companies to actually notify you and then forgive you for these kind of mistakes (happened to me at least)

@BlazeBubble 4 жыл бұрын

@@B1TCH35K1LL3R Yes thank god I was able to keep the job, they understood it was an accident and even the best of developers do mistakes.

@Aditya-wj5gy Жыл бұрын

Nice vedio, what about XSRF?

@xReTuneSx 4 жыл бұрын

That was very Deep. I understood only 20% :D

@shivamvora2285 3 жыл бұрын

kzbin.info/www/bejne/pIGml3-Vm9qIoZY looks like linkedin clone with firebase as well easy explanation with github repo

@CodeWithAndrea 4 жыл бұрын

Another top notch video! Thanks!

@AndreiIR000 3 жыл бұрын

Senior Security Engineer here. 04:42 ORMs are not a fool-proof solution against SQLi. 2nd degree SQLi can still occur.

@user-lj4lo7cx7m Жыл бұрын

Andrei IR, Can you please explain me?

@aahmed1259 3 жыл бұрын

8:59 Can someone do obviously unethical and illegal your file case because this time is a lot of company allowed they’re employees work form home and you don’t know what they do your case or your file ? Because You are requesting family emergency ? Any idea

@indiansoftwareengineer4899 3 жыл бұрын

Laws are becoming very strict you said, Facebook laughing in corner.... LOL... Power..... Thanks for these videos...

@markopolo2224 Жыл бұрын

amazing video

@sahilaujla 2 жыл бұрын

Yeah Facebook went down for 8 hours a couple months ago. Anyone remember that?

@MercyFromOverwatch2 2 жыл бұрын

Jeff is my favourite tech KZbinr

@galewallblanco8184 2 жыл бұрын

You sound so much more energetic and young in this video Jeff

@rrobiow8309 4 жыл бұрын

wish I could take the course :(. student life is hard sometimes

@DevAcademyCom 4 жыл бұрын

What is stopping you?

@emanuelfarauanu1760 4 жыл бұрын

@@DevAcademyCom Most likely the cost of the course itself, even with the discount code it's over 400 USD, that's the amount of money equivalent to two months worth of living costs for a student like me.

@DevAcademyCom 4 жыл бұрын

@@emanuelfarauanu1760 Why over 400 USD? With the discount, it should be 350 USD. Did they apply some taxes?

@emanuelfarauanu1760 4 жыл бұрын

@@DevAcademyCom Yes, UK Taxes

@DevAcademyCom 4 жыл бұрын

@@emanuelfarauanu1760 If you provide a valid VAT ID, the tax will not be added.

@sudoalex Жыл бұрын

Your voice changed. I remember seeing this video when it was released and now KZbin recommended it again

@b4ttlemast0r Жыл бұрын

if an app requires an api key to communicate with some api, how do you even ship that app without risking to expose the api key?

@sagnikpradhan3594 4 жыл бұрын

DDOS Attack looks very interesting, how do they prevent it if they dont have the compute power?

@NoorquackerInd 4 жыл бұрын

Google Cloud Armor and Cloudflare both serve as good protection against DDoS attacks, but also making your own web applications detect DDoS attacks and automatically deny is a (not that) decent way of protection as it'll at least reduce time spent processing requests since they're just rejected. Sure, it's not a 100% foolproof method, but you could cut the cost of the attack way down with this

@kas-lw7xz 2 жыл бұрын

@@NoorquackerInd at the moment it hits the software layer, it's already too late

@notanonymous3976 Жыл бұрын

@@kas-lw7xz what does this mean?

@rikipebrianto560 4 жыл бұрын

i like vulner😍

@derickndossy Жыл бұрын

Hmm interesting😮

@kamikaze9822 3 жыл бұрын

Samy stored xss in my mind hahah

@mathisdesousa Жыл бұрын

8:50 what's the music please

@helikopterelidojosa5479 3 жыл бұрын

More please

@MrBledi 4 жыл бұрын

5:17 this cracked me up hhahahahhahah

@cotneit 3 жыл бұрын

Well, you're right and all, but... Samy IS my hero.

@guydude82 2 жыл бұрын

At 5:12 ish, can someone explain to me why setting the API key as an environment variable is safer than hardcoding it? Wouldn't the environment variable also get published on GitHub?

@hamzajps 2 жыл бұрын

env files are usually put in .gitignore file, hence they are not pushed to remote origin like github. They just remains on your local machine

@JarenKurkoff Жыл бұрын

Well, unless you specifically write a script to dump all of your environment variables *before* pushing to a Git repository, then its because environment variables are stored within your *shell*, not your project, so something like Bash, sh, ksh, csh, and many other UNIX shells.

@madhououinkyoma Жыл бұрын

Environment variables stay on your local computer/server. There is no "file" to be published on Github so that's usually a safe place for information like this.

@AbdulSamadDev 3 жыл бұрын

And now the "The SolarWinds hack" 🤯

@WACdeG Жыл бұрын

What is the outro song?

@paupertim5819 Жыл бұрын

AWS only gave me a partial refunded of the extra ec2 charges when someone got a hold of my password that I found out was compromised in an Adobe Breach years ago. I didn't get hacked, I didn't lose the security of my aws key, but only got a partial refund :(