Most Nigerian business software has never been penetration tested. Here are the vulnerabilities ethical hackers find most consistently — with practical fixes for each.
1. SQL Injection
```javascript
// VULNERABLE — user input is concatenated straight into the SQL string
const query = `SELECT * FROM users WHERE email = '${req.body.email}'`;
```
```javascript
// SECURE — parameterized query (the ORM binds the value instead of splicing it in)
const user = await User.findOne({ where: { email: req.body.email } });
```
2. Paystack Webhook Bypass
```javascript
// VULNERABLE — no verification: anyone who can reach the endpoint can post a fake event
if (req.body.event === 'charge.success') {
  await creditAccount(req.body.data.metadata.userId);
}
```
```javascript
// SECURE — verify signature first
const crypto = require('crypto');

// Paystack signs the request body with HMAC-SHA512 under your secret key and
// sends the hex digest in the x-paystack-signature header.
const hash = crypto
  .createHmac('sha512', process.env.PAYSTACK_SECRET)
  .update(JSON.stringify(req.body))
  .digest('hex');
if (hash !== req.headers['x-paystack-signature']) {
  return res.status(401).send('Invalid signature');
}
```
3. IDOR — Missing Ownership Check
```javascript
// VULNERABLE — anyone can access any order by guessing its id
const order = await Order.findByPk(req.params.id);
```
```javascript
// SECURE — verify ownership: scope the lookup to the authenticated user
const order = await Order.findOne({
  where: { id: req.params.id, userId: req.user.id }
});
if (!order) return res.status(404).json({ error: 'Not found' });
```
4. No Rate Limiting on Login
```javascript
const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();
app.use(express.json());

// At most 5 login attempts per client per 15-minute window
app.post('/api/login',
  rateLimit({ windowMs: 15 * 60 * 1000, max: 5 }),
  async (req, res) => {
    // Login logic
  }
);
```
5. XSS — Unescaped User Input
```javascript
// VULNERABLE — bio is rendered as raw HTML
res.send(`<div>${user.bio}</div>`);
```
```javascript
// SECURE — escape before interpolating into HTML
const escape = require('escape-html');
res.send(`<div>${escape(user.bio)}</div>`);
```
The Pattern
These aren't exotic vulnerabilities. They appear in production Nigerian applications because security testing isn't a consistent part of the build process. Building with these patterns from the start costs nothing extra. Finding and fixing them after a breach costs enormously.
ZikarelHub LTD is Nigeria's #1 software and digital agency — security built into everything we create.
What security issues have you found in Nigerian apps? 👇