Charles Kern
From Dev.to - webdev: Why Cursor Keeps Writing MD5 for Passwords (And How to Fix It)
From Dev.to - devsecops: AI-Generated APIs Have an IDOR Problem: 3 Patterns Cursor Misses
From Dev.to - webdev: 3 SQL Injection Patterns Cursor Keeps Writing Into Your API
From Dev.to - webdev: Prototype Pollution: What Cursor's Object Merge Code Misses
TL;DR: AI editors surface MD5 hashing from training data dominated by 2008-2014 tutorials. MD5 hashes crack in milliseconds on modern GPUs -- any breach becomes full password exposure. Fix: one import swap to bcrypt (Python) or argon2id (Node) -- no architecture changes needed. I
TL;DR: AI editors generate routes that fetch resources by ID with no ownership check -- classic IDOR (CWE-639). The pattern is everywhere in vibe-coded apps: any authenticated user can read any other user's data. One extra condition in the DB query fixes it -- the problem is AI d
TL;DR: Cursor generates authenticated API routes with no ownership verification by default. This creates IDOR (CWE-639) -- any logged-in user can read or delete any other user's data. Fix is 3 lines: check resource.userId === req.user.id before returning anything. I was reviewing
TL;DR: AI-generated CRUD endpoints routinely skip ownership checks (CWE-639). Any authenticated user can read, modify, or delete another user's data. Fix: one ownership check before every data access, no exceptions. I've been reviewing AI-assisted codebases for a while now, and on
TL;DR: AI editors generate authenticated endpoints with no ownership verification. Any valid JWT holder can read any other user's data by guessing an ID. Fix: scope the query to the requesting user, or check ownership immediately after fetch. I've been reviewing side-project codeb