Posts on Shivasurya

CVE-2026-33186: Bypassing gRPC-Go Authorization with a Missing Slash

Wed, 01 Apr 2026 00:00:00 +0000

2025 Wrapped

Sat, 20 Dec 2025 00:00:00 +0000

2025 Wrapped

Published 📰
- Sourcegraph Blog: Lessons from building Sherlock: Automating security code reviews with Sourcegraph
  - Built AI security agent around 2024 and wrote a blog post about it.
- Tried out Multi-Turn Reinforcement Learning for security vulnerability analysis using verifier framework.
  - Turns out it’s amazing and has lot of stuffs to explore and learn.
Shipped 🚀
- Secureflow AI, Autonoumous AI Agent for security vulnerability analysis
  - Published blog post on codepathfinder.dev
  - And it’s clear that NO ONE HAS MOAT, If any AI security vendor company shows flashy demo “How our AI Security engineer can do this & that”, remember, you can replicate the same by calling OpenAI, Claude API, or any other AI platform providers.
    - This includes AI SAST, AI Vulnerability detection, AI Appsec, AI Threat modeling, AI Penetration testing, AI Security Orchestration.
    - All you need is good level of context engineering, memory, workflow setup, AI API calls.
- Code-Pathfinder, AI-Native static code analysis now has Python, Docker, Docker Compose support and open-sourced under AGPLv3 license
- Some Milestones & Metrics 📊
  - Code-Pathfinder & Secureflow AI
    - 307 Monthly Active Users
    - 64 Weekly Active Users
    - Started from zero half way through 2025 and grateful to achieve this number.
    - Excited to see the growth in 2026
Read 6 books 📚

Some thoughts around Django SQL Injection CVE-2025-64459

Fri, 07 Nov 2025 00:00:00 +0000

Vulnerability Overview

Yesterday I came across this CVE-2025-64459 and I was bit skeptical about the severity of the issue as it was marked as critical. So I decided to do a deep dive into the issue and see if it was a real issue or not. Turns out it was a real issue only if you’re meeting the following conditions:

You’re using Django Affected versions
- >= 5.2a1, < 5.2.8
- >= 5.0a1, < 5.1.14
- < 4.2.26
Source: request.GET or request.POST dict

Claude Code for Security Analysis: Introducing SecureFlow CLI to Hunt Security Vulnerabilities

Fri, 03 Oct 2025 00:00:00 +0000

AI-Powered Security Vulnerability Hunting at Scale

SecureFlow CLI is an open-source agentic SAST security tool that uses AI-powered loops to autonomously hunt for vulnerabilities in codebases. Built on the same principles as Cline/Cursor/Windsurf/Claude-Code for Security Analysis, it leverages LLMs and tools to navigate code, gather context, and identify security issues.

Example: WordPress Plugin Scanning Results

The WordPress plugin ecosystem is often overlooked for security scanning despite serving millions of users. Scanning 600+ WordPress plugins with SecureFlow yielded impressive results:

Exploring fun parts of Neural Network

Fri, 08 Aug 2025 00:00:00 +0000

Back in 2017, I used to tease my friend about his machine learning work (training models, dataset operations, ML deployments) - “Come on, admit it, aren’t you just writing complex if-elif-else statements and calling yourself an ML engineer?”. While Google was bringing ML models to mobile devices using tensorflow, I remained indifferent as I couldn’t grasp the underlying mathematics or internal workings (which, honestly, continues to this day).

{:height=“400px”}

My perspective shifted after diving deep into projects like Sherlock, LLM-Powered Security Reviews, and SecureFlow AI. After studying numerous research papers about using language models to detect code vulnerabilities, I felt compelled to return to the basics and understand the fundamental workings of neural networks, particularly how they store information in their hidden layers.

Rethinking MCP or Tool Calling Through Permission Based System

Sat, 19 Jul 2025 00:00:00 +0000

Model Context Protocol (MCP) and Tool Calling are revolutionizing the application layer of Large Language Models (LLMs), enabling AI to autonomously operate tools and MCP servers to complete tasks. While these capabilities are typically distributed as npm packages or hosted remotely, this distribution method poses potential security risks through malicious code.

Despite these concerns, Tool Calling and MCP add significant value to AI applications. For instance, Windsurf IDE demonstrates excellent integration by leveraging various tools for file operations, diff viewing, and command execution. Users can configure their own MCP packages and servers, allowing models to control these tools effectively.

Static Analysis Isn't Enough: Understanding Library Interactions for Effective Data Flow Tracking

Thu, 17 Apr 2025 00:00:00 +0000

Originally published on the Code-Pathfinder Blog.

Lessons from Building Sherlock: Automating Security Code Reviews with Sourcegraph

Thu, 10 Apr 2025 00:00:00 +0000

Originally published on the Sourcegraph Blog.

LLM-Powered Security Reviews: Insights and Challenges

Wed, 19 Mar 2025 00:00:00 +0000

Introduction

In a previous post on the Sherlock blog, I discussed leveraging large language models (LLMs) to assist with security code reviews. There’s no doubt that LLMs outperform traditional static application security testing (SAST) tools in several ways, enhancing the security review process by:

Reducing false positive rates
Increasing the accuracy of findings
Uncovering previously unidentified edge cases

When used in conjunction with SAST tools, LLMs can significantly boost the effectiveness of security reviews.

How I Use AI to Streamline/Assist My Work

Tue, 28 Jan 2025 00:00:00 +0000

Intro

While there’s a lot of skepticism about using AI to automate tasks, I’ve found AI tools to be invaluable allies that enhance my results and handle niche tasks.

🤖 Reflecting on My LLM Usage

I used to pay for OpenAI & Anthropic Claude API access and regularly automated several tasks until recently when DeepSeek-v3 was released, cutting costs by at least 50% while maintaining the same response quality. Here are a few tasks I found useful after attempting more than 30+ workflows to incorporate and derive value.

2024 Wrapped

Thu, 26 Dec 2024 00:00:00 +0000

2024 Wrapped

Read 12 books
Built Code-Pathfinder, Open-source alternative to GitHub CodeQL
- Received positive interest and interaction from various people working for Microsoft, GitHub, Elastic and TrailofBits
- Mind-blown to see people reaching out regarding the project :)
Welcomed our beautiful baby girl into the world! 👸
- Grateful to Grand River Hospital staff & volunteers for the exceptional care and support. 🫡 to Canada’s Healthcare
Read and built security vulnerability classifier based on Building a Large Language Model from Scratch
494 days streak on Duolingo learning french 🇫🇷

And that’s a wrap!

Books I read in 2024

Thu, 19 Dec 2024 00:00:00 +0000

Books

If you’re looking for a great device to read books, highlight important sections, and take notes, the Kindle Scribe is a fantastic option. It’s especially handy for times like waiting at the airport/hospital, traveling by flight/train.

Pro tip: You can always send pdf/epub to kindle and read it on kindle.

Security & Programming

Non-Fiction

Personal Finance

CodeQL: Eindhoven Quantifier Notation

Tue, 10 Sep 2024 00:00:00 +0000

Introduction

Recently, I have been thinking about aggregate functionality design for Code PathFinder, opensource alternative to GitHub CodeQL. SQL aggregate functions such as SUM, AVG, MIN, MAX are combined with WHERE and GROUP BY to generate aggregate queries. However, I was wondering if there is a way to generate aggregate queries without using WHERE and GROUP BY. While going through CodeQL design research paper, I came across Eindhoven Quantifier Notation which is quite interesting, easy to understand and can be used to generate aggregate queries. This blog post will discuss about Eindhoven Quantifier Notation adopted by CodeQL.

Sherlock: Automate security code reviews with Cody AI

Thu, 27 Jun 2024 00:00:00 +0000

Intro

Need for semi-autonomous security code reviews

My job as a security engineer (application security context) is to read source code and perform security reviews. Most of the time, mainly corelate the source code with frameworks & libraries, understand context where the code executes and enumerate all security risks. While there are lot of second generation SAST scanning tools in the market which is good at identifying patterns, eliminate false positive, executes and brings up results in minutes. I believe,

Defining Boundaries & Sinks for Inter-procedural Source Sink Analysis - Part 3

Fri, 08 Mar 2024 00:00:00 +0000

This is the third part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we have built the intra-procedural source sink analysis. In this blog post, I’ll discuss about defining boundaries, configs and sinks for inter-procedural analysis. ✨ This idea of defining boundaries and sinks is inspired from the CodeQL library and while discussing with my colleague at SWAG lab @ uwaterloo.

Plan

While tools like CodeQL has well-defined support for libraries and framework such as Android CodeQL these libraries has predefined boundaries and sinks. But, start from scratch, we need to define our own boundaries and sinks. The boundaries are the entry points and sinks are the exit points.

Deep dive on Android Java / Kotlin Deserialization Code Execution with Semgrep Detection

Wed, 24 Jan 2024 00:00:00 +0000

Overview

In this post, we will explore code execution using Java & Kotlin Deserialization in Android Application. Additionally, We will discuss the Gadget Chain, Detection and Exploitation technique specific to Android. Achieving code execution in server side application via Java deserialization has higher chance of success than in client side android application. This is due to limitation of variety of loaded classes in android application. For instance com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl is available in openJDK but not in Android JDK (but with modification). These limitation can be a blocker for loading arbitrary classes and executing payload (mostly compiled bytecode) in Android application. Well there are lot of deserialization vulnerabilities is published out there such as

2023 Wrap - Year in Review

Wed, 27 Dec 2023 00:00:00 +0000

2023: A Year of Unexpected Adventures and Rich Insights. Here’s a glimpse into my journey and the accomplishments, lessons I’ve gathered along the way. Well this blog doesn’t feature lot of stuff, but I’m trying to keep it simple.

Trimming Down: Weight Loss Journey 🏋️

“Psychology for Money shapes your wealth; Noom shapes your health.”

It’s been an inspiring weight loss journey with Noom, shedding 11 lbs since October 2023. My employer’s Step Challenge played a significant role. I appreciate Noom’s rewarding content and insights into eating psychology. The subscription and personal accountability guidance are truly valuable.

Building Inter-procedural Source Sink Analysis from Scratch - Part 2

Fri, 01 Sep 2023 00:00:00 +0000

This is the second part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we have built the intra-procedural source sink analysis. In this blog post, we will be building the inter-procedural source sink analysis.

Plan

We’ll be parsing whole java project source code and generate AST using JavaParser. While traversing the AST, we will be collecting the method declaration and method invocation. We will be using graph theory algorithm to find the path from source to sink. The source is the method declaration and the sink is the method invocation. The method declaration is the node and the method invocation is the edge. While classes may contain duplicate method names with different signatures, we will be using the fully qualified method name to uniquely identify the method. The fully qualified method name is the class name + method name + method arguments. The method arguments are used to differentiate the method overloading. The method declaration is the key and method invocation is the value in the hashmap. The hashmap is used to build the graph and find the path from source to sink.

Building A Simple Source-Sink Analysis in Java from Scratch - Part 1

Sun, 27 Aug 2023 00:00:00 +0000

Overview of Source Sink Analysis

Source Sink Analysis is a type of basic static analysis that detects the flow of information from a source to a sink. A source is a place where the information is coming from and a sink is a place where the information is going to. For example, a source can be a user input and a sink can be a database query. If the user input is not sanitized, it can lead to SQL Injection. Apart from source sink techniques, there are other techniques like taint analysis, control flow graph, data flow analysis, etc. which are used to detect vulnerabilities in the code. In this blog post, we will be building a simple source sink analysis in Java from scratch.

From ArcGIS to Mapbox: How Cody AI Made My Web App Shine

Sun, 02 Jul 2023 00:00:00 +0000

Imagine being a newcomer to Canada around 2019, relying on public transit to navigate the Waterloo region. Like many others, I found myself frustrated with the occasional unreliability of Google Maps when searching for public transit options. However, my luck changed when I stumbled upon a cool command line tool developed by a UWaterloo student that predicted the next bus or LRT arrival time within seconds. This discovery led me to GRT.ca, a website providing real-time transit feed updates, allowing me to track the exact location of buses and LRTs. Inspired by this newfound resource, I created a naive map using ArcGIS ESRI Maps, loading location information from the protobuf feed and deploying it on my domain, livemap.shivasurya.me. This map became my go-to tool for finding the precise location of the next bus or LRT.

Building A Simple OpenAI Powered Personal Assistant

Fri, 19 May 2023 00:00:00 +0000

In high school (~2012), I made a significant upgrade from my Nokia 1600 to an Android Jelly Bean device, API 16. I was fascinated by the apps available on the Play Store and became curious about creating my own. That’s when I discovered Adobe PhoneGap and ventured into HTML5 app development using jQuery Mobile. It was a thrilling and rewarding experience, culminating in the deployment of my first app on my Android device. This nostalgic period in high school marked my exploration into the world of app development and ignited a passion that I still carry with me today.

Heap Two Writeup - Exploit Education Lab Exercise

Sat, 06 May 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Heap One, Heap Two exercise motive is to leverage buffer overflow and perform UAF (User-After-Free Vulnerability) that technically allows to re-use the allocated memory in the heap to control the program flow. Similar to gets in Heap Zero, strdup function is unsafe that doesn’t have bounds check, it accepts memory address to copy but doesn’t care about overwriting other declared struct variable in the heap region.

Heap One Writeup - Exploit Education Lab Exercise

Fri, 05 May 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Heap Zero, Heap One exercise motive is to smash the heap to modify other variables in the heap to a hex value and technically overwrite struct in the heap. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared struct variable in the heap region.

Heap Zero Writeup - Exploit Education Lab Exercise

Fri, 28 Apr 2023 00:00:00 +0000

If you haven’t set up your lab yet, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack One, Heap Zero exercise motive is to smash the heap to modify other variables in the heap to a hex value and technically overwrite function pointer in the heap. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared function pointer in heap.

Format Four Writeup - Exploit Education Lab Exercise

Fri, 21 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format Three Writeup - Exploit Education Lab Exercise

Fri, 14 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format Two Writeup - Exploit Education Lab Exercise

Fri, 07 Apr 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Format One Writeup - Exploit Education Lab Exercise

Fri, 31 Mar 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

CVE-2023-23397 - Zero Click Net-NTLMv2 Credential Hash Leak on Outlook Client

Sat, 25 Mar 2023 00:00:00 +0000

Quick Overview

Microsoft announced patch for CVE-2023-23397 which generally goes out usually on tuesday (Mar 14, 2023). This particular vulnerability caught my eyes due to the fact that I actively work on Active Directory based HackTheBox machines and this one is something similar to Android Application Exploits where attacker passes random url to activities or services and the outbound network connection often contains sensitive tokens attached to it.

IIRC, I reported a similar vulnerability in 2020 which completely leaks encrypted sandbox local files including e-mail, tasks in the ProtonMail Android Client reference However, it requires user interaction in the victim side of Android app.

HackTheBox Active Writeup - Active Directory - OSCP Practice

Fri, 17 Mar 2023 00:00:00 +0000

Quick Overview

Active is one of the easy Active Directory focused Windows Box from TJNull OSCP Practice list. It’s one of those easy machine where you get initial foothold via SMB Replication share leak & escalate privileges using Active Directory weakness.

Enumeration

NMapAutomator

Started with enumerating the target with NMapAutomator script since it helps in automating all possible ports with vulnerability scripts from nmap. Additionally, NmapAutomator can help in recon process using smbmap, ffuf, nikto, DNSRecon, SMB enumeration.

Format Zero Writeup - Exploit Education Lab Exercise

Fri, 10 Mar 2023 00:00:00 +0000

Previous Writeup:

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Stack Six Writeup - Exploit Education Lab Exercise

Sun, 26 Feb 2023 00:00:00 +0000

Previous Writeup:

If you’re learning and writing binary exploits, I would strongly recommend you to take Architecture 1001: x86-64 Assembly course by Xeno Kovah. They cover a wide variety of learning assembly instructions which will be really helpful to understand the exploits.

HackTheBox Jerry Writeup - OSCP Practice

Fri, 24 Feb 2023 00:00:00 +0000

Quick Overview

Jerry is one of the Windows Box from TJNull OSCP Practice list. It’s one of those quite easy machine where you get initial foothold & privilege escalation in a single hop.

Enumeration

NMapAutomator

HackTheBox OSCP Writeups - Shivasurya.me

Mon, 20 Feb 2023 00:00:00 +0000

Quick Overview

This blog post acts as Index of TJNull HackTheBox OSCP Practice list. I myself enjoyed solving all those HackTheBox VM and started writing writeups to help other folks out there striving hard to crack OSCP exam 🎮

Index

Closing Note:

I hope this post is helpful for folks preparing for Offensive Security Certified Professional certification exam. For bugs,hugs & discussion, DM in Twitter. Opinions are my own and not the views of my employer.

HackTheBox Bashed Writeup - OSCP Practice List

Tue, 14 Feb 2023 00:00:00 +0000

Quick Overview

Bashed Box is one of the Linux Box from TJNull OSCP Practice list. It’s one of those quite easy machine where you get initial foothold in one hop and privilege escalation in second hop.

Enumeration

NMapAutomator

Detecting Android WebView Vulnerable Configurations with Semgrep Rules - Part 1

Fri, 10 Feb 2023 00:00:00 +0000

Android WebView widget provides APIs that help developers seamlessly integrate webpage contents within Android application. Advancement in Webview & Chrome Custom Tabs lead to exponential growth in webview based mobile development platforms such as Ionic framework, JQuery Mobile, Adobe Phonegap later open-sourced as Cordova Project, React Native. However the race to capture the mobile development market, immature WebView APIs and lack of security guidance lead to multiple vulnerabilities and exploits. In today’s blog post, we’ll deep dive into multiple WebView vulnerability configurations and leverage semgrep to detect those configuration real time.

Stack Five Writeup (Code Execution) - Exploit Education Lab Exercise

Sat, 04 Feb 2023 00:00:00 +0000

Previous Writeup:

Stack Four Writeup - Exploit Education Lab Exercise

Sat, 28 Jan 2023 00:00:00 +0000

Previous Writeup:

Stack Three Writeup - Exploit Education Lab Exercise

Fri, 27 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack Two, Stack Three exercise motive is to smash the stack to modify other variables in the stack to a hex value and technically overwrite function pointer in the stack. Similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared function pointer in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int *fp function pointer stays in main stackframe. This overwritten function pointer will be further used to invoke in later part of the program.

Stack Two Writeup - Exploit Education Lab Exercise

Thu, 26 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup:

Quick Overview

Similar to Stack One, Stack Two exercise motive is to smash the stack to modify other variables in the stack to a hex value 0x0d0a090a but receives the value from the environment variable ExploitEducation. Technically, similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Stack One Writeup - Exploit Education Lab Exercise

Fri, 20 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Previous Writeup: Stack Zero Writeup - Exploit Education Lab Exercise

Quick Overview

Unlike Stack Zero, Stack One exercise motive is to smash the stack to modify other variables in the stack to a hex value 0x496c5962. Technically, similar to gets in Stack Zero, strcpy function is unsafe that doesn’t have bounds check, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Stack Zero Writeup - Exploit Education Lab Exercise

Thu, 12 Jan 2023 00:00:00 +0000

If you haven’t done setting-up your lab, feel free to check out my previous article on Exploit.education lab setup

Quick Overview

Stack Zero exercise is based on stackoverflow memory corruption issue where you’ll have to smash the stack to modify other variables in the stack to achieve code execution, execution flow redirection or behaviour in the program. Technically, gets function is unsafe that doesn’t have bounds check basically, it accepts memory address to write but doesn’t care about overwriting other declared variables in stack. If you take closer look at the struct which isn’t dynamically being allocated by malloc function, so probably the struct which contains both char buffer[64] and volatile int changeme stays in main stackframe.

Exploit Education Lab Setup - Windows & MacOS

Fri, 06 Jan 2023 00:00:00 +0000

Exploit.education binary exploitation exercise typically runs on ASLR (Address space layout randomization) disabled ubuntu based virtual machine with Data Execution Prevention turned off binaries. In order to setup the exploit.education lab, You’ll have to either use virtualbox or qemu based virtual machine emulator setup to easily test and debug the exercises.

Installation

For both MacOS and Windows, grab a copy of qemu emulator and follow the installation setup which is quite easy.

Binary Search and Hidden Overflow 🪲

Sun, 04 Dec 2022 00:00:00 +0000

Recently I was playing with overflow vulnerabilities help of exploit.education exercise which mostly covers basic heap, buffer overflow, use-after-free vulnerability patterns in a contained qemu based environment. However, I was searching for Integer overflow patterns and articles around it “how to succesfully convert a integer overflow into a remote code execution”. While reading through the vulnerability reports, I started exploring code snippets relevant to integer overflow and this blog post Nearly All Binary Searches and Mergesorts are Broken caught my eyes.

Detecting Android Content Provider APIs with Semgrep Rules

Mon, 28 Nov 2022 00:00:00 +0000

Content Provider is one of the powerful APIs which helps Android developers programmatically expose resource content within Android ecosystem via Intents. One could easily write those queries easily by extending the ContentProvider class and implementing those methods and accessing via URI (example: android://com.zoho.example/database/:_data). Though these Content Provider is a cupcake for developers, Unfortunately there are lot of vulnerabilities hidden within those APIs and with implementation part.

The main intent for writing this blog post were Semgrep and the recent blog post from project zero regarding Analysis of a Samsung in-the-wild exploit chain. I’ve been using semgrep for a while to tweak my findings instead of naive grep, CodeQL and the Samsung exploit chain may look trivial but how a simple permission bypass can affect system level apps in the Android phone. Later this year, I have added semgrep to my mobile pentesting suite which helps me to run these scripts over large Android projects, decompiled projects in automated way which pings me on Slack 🤖.

Cross-Site Scripting attack on Leetcode

Mon, 07 Dec 2020 00:00:00 +0000

Reflected XSS (Cross-Site Scripting) attack is my favorite vulnerability category as it’s relatively easy to exploit by checking for params as the source and rendering DOM as the sink.

Problem

The core problem of the Reflected Cross-Site scripting attack is appending the URL parameter values in the DOM without validation or filtering. Though the reflected XSS requires user interaction by visiting the page or clicking on links in real-life attacks, people should think about Iframe tags that don’t need any interaction to load them on other third party web pages.

Securing an ExpressJS server - Part 1

Thu, 05 Nov 2020 00:00:00 +0000

As Javascript programming language popularity increases, platforms have already started adopting it from native desktop apps, mobile, browser to server-side, giving rise to exciting frameworks, style guides, tools.

To JavaScript—you weren’t born with a silver spoon in your mouth, but you’ve outclassed every language that’s challenged you in the browser.

ExpressJS is not an exception that powers 2.31% of the top 1 million websites which runs on top of NodeJS and provides excellent features to develop web-based applications. So, let’s jumpstart with a few basics, and this particular series will cover a lot more aspects of securing, maintaining and deploying production-grade expressjs server.