he hacked my websites

TL;DR

Hard-coded API keys in front-end code are a high-impact vulnerability because they enable direct abuse of third-party services and can bypass server-side protections.

Briefing Cornell Notes

Briefing

A fast, automated-and-manual pen test of 24 newly built websites turned up a pattern: many “low priority” misconfigurations and exposed details can still cascade into real risk—especially when API keys, WordPress defaults, and client-side secrets are left in the open. The work matters because it shows how quickly an attacker can enumerate targets, fingerprint stacks, and then pivot from harmless-looking findings (headers, missing protections, version leaks) into higher-impact abuse (credential guessing, data exposure, denial of service, and XSS).

The testing began with Nickto (Nick Toe), a command-line scanner aimed at fingerprinting the server and hunting for known weaknesses like outdated versions. It struggled enough with TLS to terminate with errors, so the results were fed into an LLM (Claude) along with the site code and a vulnerability list. That AI-assisted pass produced practical fixes—such as adding missing security headers—and flagged a major issue: API keys were hard-coded directly into the front-end. Because the hosting provider handled server-side concerns, most findings were low severity, but the exposed keys were a clear, high-value target.

Next came OWASP ZAP, run in a proxy-based workflow that lets the tester browse the site while ZAP watches requests and responses. With the site explicitly added to scope, ZAP reported medium alerts and at least one anti-clickjacking-related issue. An automated active scan completed without high-severity server-side problems, and the tester then inspected the source directly to confirm what was and wasn’t in scope.

Burp Suite Pro added a more “professional” layer: deep web app scanning with checks for SQL injection, JavaScript analysis, and static application security testing-style techniques. Burp quickly surfaced a high-severity problem tied to a vulnerable Axios JavaScript library version. After updating the script source and re-scanning, the vulnerability disappeared—an example of how dependency hygiene can be the difference between “informational” and “exploitable.”

WordPress sites were tested with WPScan and Burp’s WordPress-oriented features. Findings included version disclosure (e.g., PHP 8.2.16), exposed WordPress defaults like readme files, and login behavior that enabled username enumeration. The tester emphasized that WordPress admin endpoints should be IP-restricted to prevent brute-force and enumeration.

The most damaging pivot came from exposed API keys and weak rate limiting. One endpoint accepted an API key passed in the URL; without rate limits, the tester demonstrated how repeated requests could spam the API and degrade availability—an availability attack aligned with the CIA triad’s “A.” Another site exposed environment variables, including a database password, and an admin interface that could be accessed with guessed credentials (admin/admin). Finally, client-side weaknesses showed up in a “countdown” page: manipulating JavaScript-controlled state unlocked a secret, and an open redirect pattern was demonstrated as a stepping stone to phishing and, in some cases, reflected XSS.

Overall, the exercise blended tooling (Nickto, OWASP ZAP, Burp Suite Pro, WPScan, SAST via GitHub integration, and auxiliary recon tools) with disciplined scoping and rapid iteration. The takeaway is blunt: even when scanners report “medium” or “low,” exposed secrets, dependency vulnerabilities, and client-side trust gaps can still turn a hobby project into an attacker’s shortcut.

Cornell Notes

A pen test of 24 recently created websites found that security failures often start with reconnaissance and “small” misconfigurations, then escalate through exposed secrets and weak controls. Automated scanning tools (Nickto, OWASP ZAP, Burp Suite Pro, WPScan) quickly fingerprinted stacks, flagged missing protections, and identified dependency issues like a vulnerable Axios version. The most serious risks came from hard-coded API keys, WordPress information leakage (version/default files), and endpoints that allowed abuse—such as API-key-in-URL requests without rate limiting, enabling denial-of-service. The testing also demonstrated environment variable exposure and client-side JavaScript manipulation that could unlock hidden content. The lesson: treat exposed details and client-side trust as high-risk even when initial alerts look minor.

Why did the testing pivot from Nickto to an LLM-assisted workflow?

Nickto produced a scan terminated with many errors, attributed to difficulty handling TLS in the setup. To keep momentum, the tester took the scan output and fed it into Claude alongside the site code and a vulnerability list, then asked whether each issue needed fixing. That AI pass generated actionable remediation guidance—adding missing security headers and prioritizing the real problem: API keys hard-coded into the front-end.

How did OWASP ZAP’s proxy workflow help find issues that automated scans might miss?

ZAP was run with a browser that acts as a proxy, sitting between the tester and the site. As the tester navigated, ZAP observed requests/responses in real time, enabling scope control (explicitly adding the target to scope) and producing alerts like medium-severity findings and anti-clickjacking-related issues. It also supported spidering/crawling and an active scan to look for known vulnerabilities while browsing.

What made Burp Suite Pro’s findings more “exploit-ready” than earlier results?

Burp Suite Pro enabled deeper web app scanning with configuration options for deep auditing and checks such as SQL injection and JavaScript analysis using static techniques. It quickly identified a high-severity issue tied to a vulnerable Axios library version. After updating the script source, a re-scan confirmed the vulnerability was patched—showing how dependency-level fixes can remove real exploit paths.

What WordPress-specific weaknesses were highlighted as common attacker leverage points?

WPScan and Burp’s WordPress checks surfaced version disclosure (e.g., PHP 8.2.16), exposed WordPress defaults like the readme file, and login behavior that enabled username enumeration. The tester stressed that the WordPress admin/login endpoints should be IP allow-listed (firewall-restricted) to prevent enumeration and brute-force, rather than leaving them broadly reachable.

How can an exposed API key lead to denial-of-service even without “hacking” the server?

One endpoint accepted an API key in the URL. The tester showed that if there’s no rate limiting, an attacker can repeatedly call the endpoint—spamming requests at scale. Because the API key is shared and rate controls are weak, this can exhaust the service’s capacity so the legitimate site stops working for users, attacking availability (the “A” in CIA triad).

What did the testing reveal about client-side secrets and JavaScript trust?

A “countdown” page used JavaScript-controlled state for a secret. By manipulating the client-side time parameter, the tester unlocked the secret flow. The exercise also demonstrated open redirect behavior (and how it can be weaponized for phishing or combined with XSS), reinforcing that client-side logic and URL handling must be treated as untrusted input.

Review Questions

Which specific categories of findings were most likely to escalate from “low/medium alerts” into real attacker impact, and why?
How do scope and permission boundaries change what tools like ZAP can legally and ethically do during testing?
What controls would most directly mitigate the demonstrated API-key abuse and WordPress enumeration risks?

Key Points

1
Hard-coded API keys in front-end code are a high-impact vulnerability because they enable direct abuse of third-party services and can bypass server-side protections.
2
Dependency scanning matters: Burp Suite Pro identified a high-severity vulnerable Axios version, and updating the script source eliminated the issue on re-scan.
3
Recon and fingerprinting quickly narrow the attack surface; TLS/version disclosure and exposed defaults (like WordPress readme files) help attackers target the right exploits.
4
WordPress login endpoints should be IP allow-listed to prevent username enumeration and brute-force attempts.
5
Rate limiting is essential for endpoints that accept API keys (especially when keys are passed in URLs), since weak controls enable denial-of-service via request spamming.
6
Client-side secrets and JavaScript-controlled logic are not trustworthy; attackers can manipulate browser state to unlock hidden content.
7
Even “informational” findings can become actionable when combined with exposed secrets, weak input handling, or unsafe URL behaviors (open redirects/XSS patterns).

Highlights

Feeding scanner output into Claude produced quick, practical fixes like adding missing security headers and prioritizing the real danger: exposed API keys.

Burp Suite Pro found a high-severity issue tied to a vulnerable Axios library version; updating the dependency source resolved it.

An API key passed in the URL, combined with missing rate limiting, enabled a denial-of-service style attack by spamming requests.

WordPress testing surfaced version/default-file exposure and login enumeration behavior—issues mitigated by IP allow-listing and tighter endpoint controls.

A JavaScript-based countdown secret could be unlocked by manipulating client-side state, underscoring that browser logic can’t be trusted for security.

Topics

Pen Testing Workflow
OWASP ZAP
Burp Suite Pro
WordPress Security
API Key Exposure

Mentioned

Tyler Ramsey
TLS
XSS
CVE
SAST
SQL
DoS
API
HTTP
IP
CVE
XML
AJAX
CVEs