[{"data":1,"prerenderedAt":319},["ShallowReactive",2],{"blog-stories/what-hackers-target":3},{"id":4,"title":5,"body":6,"category":300,"date":301,"dateModified":301,"description":302,"draft":303,"extension":304,"faq":305,"featured":303,"headerVariant":300,"image":305,"keywords":305,"meta":306,"navigation":307,"ogDescription":308,"ogTitle":305,"path":309,"readTime":305,"schemaOrg":310,"schemaType":311,"seo":312,"sitemap":313,"stem":314,"tags":315,"twitterCard":317,"__hash__":318},"blog/blog/stories/what-hackers-target.md","What Hackers Look for in Vibe Coded Apps",{"type":7,"value":8,"toc":283},"minimark",[9,16,19,24,27,32,35,46,49,53,56,62,65,69,72,88,114,118,122,125,129,140,144,147,161,165,168,172,175,217,221,224,246,275],[10,11,12],"tldr",{},[13,14,15],"p",{},"Attackers know AI-generated apps have predictable vulnerabilities. They look for exposed API keys in JavaScript bundles, unprotected admin routes at common paths, missing rate limits on AI endpoints, and IDOR vulnerabilities in APIs. Understanding these targeting patterns helps you defend against them.",[13,17,18],{},"If you want to defend your vibe coded app, it helps to understand how attackers think. This isn't about teaching hacking. It's about understanding the attack surface so you can protect it.",[20,21,23],"h2",{"id":22},"the-attackers-first-steps","The Attacker's First Steps",[13,25,26],{},"When targeting a web application, attackers typically start with reconnaissance. For AI-generated apps, they have some predictable starting points:",[28,29,31],"h3",{"id":30},"_1-javascript-bundle-analysis","1. JavaScript Bundle Analysis",[13,33,34],{},"The first thing many attackers do is inspect your JavaScript. They're looking for:",[36,37,42],"pre",{"className":38,"code":40,"language":41},[39],"language-text","// Things attackers search for in your JS:\n\"OPENAI_API_KEY\"\n\"sk-\"           // OpenAI key prefix\n\"pk_live_\"      // Stripe publishable key\n\"sk_live_\"      // Stripe secret key (really bad)\n\"supabase\"      // Supabase URLs and anon keys\n\"/api/\"         // API endpoint patterns\n\"admin\"         // Admin-related routes\n\"firebase\"      // Firebase config\n\"NEXT_PUBLIC_\"  // Environment variable patterns\n","text",[43,44,40],"code",{"__ignoreMap":45},"",[13,47,48],{},"Finding an API key in client-side code is like finding an unlocked door. The attacker will immediately test what access it provides.",[28,50,52],{"id":51},"_2-common-path-scanning","2. Common Path Scanning",[13,54,55],{},"Attackers run automated scans against common paths:",[36,57,60],{"className":58,"code":59,"language":41},[39],"/admin\n/api/admin\n/dashboard\n/internal\n/debug\n/.env\n/api-docs\n/swagger\n/graphql\n/config\n/.git\n",[43,61,59],{"__ignoreMap":45},[13,63,64],{},"Vibe coded apps often have these routes created with default configurations, sometimes without proper protection.",[28,66,68],{"id":67},"_3-technology-fingerprinting","3. Technology Fingerprinting",[13,70,71],{},"Attackers identify your tech stack to know which vulnerabilities to try:",[73,74,75,79,82,85],"ul",{},[76,77,78],"li",{},"Next.js apps have predictable API route patterns",[76,80,81],{},"Supabase apps often have exposed database URLs",[76,83,84],{},"Firebase apps may have misconfigured security rules",[76,86,87],{},"Vercel deployments have known URL patterns",[89,90,91,97],"warning-box",{},[13,92,93],{},[94,95,96],"strong",{},"High-Value Targets in Vibe Coded Apps",[73,98,99,102,105,108,111],{},[76,100,101],{},"AI endpoints (costly to abuse via your key)",[76,103,104],{},"Payment processing (credit card testing)",[76,106,107],{},"User databases (data theft or ransom)",[76,109,110],{},"Admin functions (full system compromise)",[76,112,113],{},"File upload endpoints (malware hosting)",[20,115,117],{"id":116},"the-most-exploited-vulnerabilities","The Most Exploited Vulnerabilities",[28,119,121],{"id":120},"exposed-api-keys","Exposed API Keys",[13,123,124],{},"An OpenAI key in your frontend can cost you thousands in hours. An AWS key can compromise your entire infrastructure. Attackers have automated tools that scan GitHub and deployed sites for these patterns.",[28,126,128],{"id":127},"idor-insecure-direct-object-references","IDOR (Insecure Direct Object References)",[13,130,131,132,135,136,139],{},"If your API uses predictable IDs like ",[43,133,134],{},"/api/users/123",", attackers will try ",[43,137,138],{},"/api/users/124"," and see if they can access other users' data. AI-generated code rarely includes proper authorization checks.",[28,141,143],{"id":142},"missing-rate-limiting","Missing Rate Limiting",[13,145,146],{},"Without rate limiting, attackers can:",[73,148,149,152,155,158],{},[76,150,151],{},"Brute force passwords",[76,153,154],{},"Enumerate user accounts",[76,156,157],{},"Abuse expensive AI features",[76,159,160],{},"Crash your server with request floods",[28,162,164],{"id":163},"sqlnosql-injection","SQL/NoSQL Injection",[13,166,167],{},"AI often generates code that doesn't properly sanitize user input. Attackers test every input field for injection vulnerabilities.",[20,169,171],{"id":170},"how-to-defend","How to Defend",[13,173,174],{},"Understanding attacker methodology helps you prioritize defenses:",[176,177,179],"lesson-box",{"title":178},"Defense Priorities",[73,180,181,187,193,199,205,211],{},[76,182,183,186],{},[94,184,185],{},"Remove API keys from client code"," - Use environment variables and server-side proxies",[76,188,189,192],{},[94,190,191],{},"Protect admin routes"," - Auth + non-guessable paths + IP restrictions",[76,194,195,198],{},[94,196,197],{},"Add rate limiting everywhere"," - Especially auth and AI endpoints",[76,200,201,204],{},[94,202,203],{},"Implement proper authorization"," - Check user permissions on every request",[76,206,207,210],{},[94,208,209],{},"Validate all input"," - Never trust data from the client",[76,212,213,216],{},[94,214,215],{},"Monitor for unusual patterns"," - Set up alerts for anomalies",[20,218,220],{"id":219},"the-good-news","The Good News",[13,222,223],{},"Most attackers go for easy targets. If your app has basic protections, they'll move on to the thousands of apps that don't. You don't need perfect security. You need security better than the average vibe coded app, which honestly isn't a high bar.",[225,226,227,234,240],"faq-section",{},[228,229,231],"faq-item",{"question":230},"How do attackers find my app in the first place?",[13,232,233],{},"Through search engines (Google dorking), scanning IP ranges, monitoring GitHub for new deployments, or finding you through shared hosting platforms. If your app is on the internet, assume it will be scanned.",[228,235,237],{"question":236},"Do small apps get targeted?",[13,238,239],{},"Yes. Automated attacks don't care about your user count. They scan everything looking for vulnerabilities. A small app with an exposed API key is just as valuable to an attacker as a large one.",[228,241,243],{"question":242},"Should I hire a penetration tester?",[13,244,245],{},"For production apps with real users or revenue, yes. But first, fix the obvious issues with automated scanning. Don't pay someone to tell you your API key is exposed in the frontend.",[247,248,249,255,260,265,270],"related-articles",{},[250,251],"related-card",{"description":252,"href":253,"title":254},"A developer woke up to $2,000 in OpenAI charges after their API key was found in a public repository. The story of disco","/blog/stories/openai-key-abuse","When Someone Stole My OpenAI Key",[250,256],{"description":257,"href":258,"title":259},"The OpenClaw campaign published roughly 900 malicious npm packages designed to steal credentials and install backdoors. ","/blog/stories/openclaw-malicious-packages","OpenClaw's 900 Malicious npm Packages: What Vibe Coders Need to Know",[250,261],{"description":262,"href":263,"title":264},"A third-party service a recruiting platform used got breached, exposing credentials the team had reused. How credential ","/blog/stories/password-breach-notification","The Password Breach That Affected a Recruiting Platform's Whole Team",[250,266],{"description":267,"href":268,"title":269},"A stranger found a health-tech startup's admin panel at /admin with no authentication. They could see all patient data, ","/blog/stories/admin-panel-found","When Someone Found a Health-Tech Startup's Unprotected Admin Panel",[250,271],{"description":272,"href":273,"title":274},"In early 2025, AI-assisted attackers compromised 50,000 FortiGate firewalls in weeks. Here's what happened and why it ma","/blog/stories/ai-assisted-fortigate-attack","How Attackers Used AI to Breach 50,000 FortiGate Firewalls",[276,277,280],"cta-box",{"href":278,"label":279},"/","Check Your Vibe Now",[13,281,282],{},"Scan your vibe coded projects for the vulnerabilities attackers look for first.",{"title":45,"searchDepth":284,"depth":284,"links":285},2,[286,292,298,299],{"id":22,"depth":284,"text":23,"children":287},[288,290,291],{"id":30,"depth":289,"text":31},3,{"id":51,"depth":289,"text":52},{"id":67,"depth":289,"text":68},{"id":116,"depth":284,"text":117,"children":293},[294,295,296,297],{"id":120,"depth":289,"text":121},{"id":127,"depth":289,"text":128},{"id":142,"depth":289,"text":143},{"id":163,"depth":289,"text":164},{"id":170,"depth":284,"text":171},{"id":219,"depth":284,"text":220},"stories","2026-02-27","A look at how attackers find and exploit vulnerabilities in AI-generated applications. Understanding the attacker mindset to build better defenses.",false,"md",null,{},true,"How attackers find and exploit vulnerabilities in AI-generated applications.","/blog/stories/what-hackers-target","[object Object]","BlogPosting",{"title":5,"description":302},{"loc":309},"blog/stories/what-hackers-target",[316],"Insights","summary_large_image","aWTqN55hKauV0BJKJFz5CyvZv9Ko3eWh8mzZf6V4sH0",1775843921382]