CyberCode Academy

CyberCode Academy

Welcome to CyberCode Academy — your audio classroom for Programming and Cybersecurity. 🎧 Each course is divided into a series of short, focused episodes that take you from beginner to advanced level — one lesson at a time. From Python and web development to ethical hacking and digital defense, our content transforms complex concepts into simple, engaging audio learning. Study anywhere, anytime — and level up your skills with CyberCode Academy. 🚀 Learn. Code. Secure. You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

  1. Course 40 - Web Scraping with Python | Episode 2: From HTTP Basics to URL Hacking

    -35 min

    Course 40 - Web Scraping with Python | Episode 2: From HTTP Basics to URL Hacking

    In this lesson, you’ll learn about: how automated data collection works, the fundamentals of HTTP, and how to build dynamic scraping workflows1. Human vs. Automated Browsing🔹 Human browsing: Click linksScroll pagesView imagesManually extract information🔹 Automated browsing (web scraping): Send requests to serversDownload raw HTMLParse structured dataStore results automatically👉 Key Insight Scraping is simply doing what humans do—but faster, consistently, and at scale2. The Foundation of the Web: HTTP🔹 Concept: Hypertext Transfer Protocol (HTTP) is the communication layer of the web🔹 Request–Response Cycle Client sends a requestServer processes itServer returns a response👉 Everything in web scraping is built on this cycle🔹 Important Components🔹 User-Agent Identifies the client (browser or script)Websites may block unknown or suspicious agents🔹 Core HTTP Methods🔹 GET Used to retrieve dataMost common in scraping🔹 POST Used to send dataRequired for:Login formsSearch filtersSubmissions👉 Key Insight Understanding GET and POST lets you replicate real user actions programmatically3. URL Structure & “URL Hacking”🔹 A URL contains: Scheme (https://)Host (domain)PathQuery parameters🔹 Query Strings Example?category=laptops&price=1000 Modify parameters to change resultsAccess filtered data without UI interaction👉 This is called URL manipulation (or URL hacking)🔹 Why it’s powerful: Skip manual navigationDirectly access datasetsAutomate large-scale queries4. Building Dynamic Scrapers🔹 Python Tools🔹 HTTP RequestsRequests Sends GET/POST requestsRetrieves page content🔹 Dynamic URL GenerationUsing Python f-strings:url = f"https://example.com/search?q={keyword}&page={page}" 👉 Allows: Looping through pagesChanging filters dynamicallyScaling data collection5. Simple Automation Flow Build URL with parametersSend request using RequestsReceive HTML responseExtract required dataStore for later use6. Big PictureThis approach transforms you from: A passive web user ➡️ intoAn automated data engineerMental ModelUser action → HTTP request → server response → parsed data → automation👉 Mastering HTTP + URLs = full control over web data extraction You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    10 min
  2. Course 40 - Web Scraping with Python | Episode 1: From Business Profits to Practical Solutions

    -1 dia

    Course 40 - Web Scraping with Python | Episode 1: From Business Profits to Practical Solutions

    In this lesson, you’ll learn about: how web scraping unlocks hidden web data, real-world applications, and the essential tools used to build scraping systems1. What is Web Scraping?🔹 Definition: Web scraping is the process of automatically extracting data from websites👉 Key idea It turns the internet into a massive, queryable database, even when no API exists2. Why Web Scraping Matters🔹 Problem: Most web data is: Not downloadableNot structuredLocked inside HTML pages🔹 Solution: Scraping allows you to: ExtractCleanStoreAnalyze👉 Key Insight Scraping = automated browsing + structured data extraction3. Real-World Applications🔹 Business Intelligence Talent analytics from public profilesWorkforce insights and hiring trendsExample: HiQ Labs Uses scraped public data to: Analyze employee skillsPredict turnover risks🔹 Marketing & Competitive Analysis Price monitoringCompetitor trackingLead generation👉 Companies use scraping to stay ahead in real-time markets🔹 Research & Data Science Academic datasetsSocial trendsPublic information aggregation🔹 Personal AutomationExample use case: Searching for the best Tesla dealAutomation can: Scrape car listingsCompare pricesInclude external costs (like flights)👉 Result: optimized decision-making with minimal effort4. Web Scraping Toolkit🔹 Basic HTTP RequestsRequests Sends HTTP requestsRetrieves raw HTML content🔹 HTML ParsingBeautiful Soup Extracts specific data from HTMLNavigates page structure🔹 Advanced CrawlingScrapy Handles large-scale scrapingBuilt-in pipelines and automation🔹 Browser AutomationSelenium Interacts with dynamic websitesHandles JavaScript-rendered contentSimulates real user behavior5. How Scraping Works (Simple Flow) Send request to a webpageReceive HTML contentParse and extract needed dataClean and structure the dataStore for analysis6. Big PictureWeb scraping enables: Data extraction where APIs don’t existAutomation of repetitive research tasksCreation of new data-driven productsMental ModelWeb page → HTML → parser → structured data → insights👉 Scraping transforms unstructured web content into usable intelligence You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    18 min
  3. Course 39 - NodeJS Security Pentesting and Exploitation | Episode 4: Manual and Automated Code Review Essentials

    -2 dias

    Course 39 - NodeJS Security Pentesting and Exploitation | Episode 4: Manual and Automated Code Review Essentials

    In this lesson, you’ll learn about: auditing Node.js applications using manual code review techniques and automated static analysis tools to identify security vulnerabilities1. What is Node.js Application Auditing?🔹 Purpose: Systematically review a Node.js codebase to find security weaknesses before attackers do🔹 Two main approaches:Manual code reviewAutomated static analysis👉 Key idea Real security comes from combining both approaches2. Manual Code Review Strategy🔹 Focus areas during review:🔹 File and database operationsLook for unsafe reads/writesCheck uncontrolled file paths🔹 Cryptography usageWeak hashing (e.g., MD5)Disabled SSL verificationImproper encryption handling🔹 User input trackingFollow input from: request → processing → database → response👉 Key Insight Most vulnerabilities appear where input is not properly encoded or escaped🔹 Common resulting vulnerabilities:SQL InjectionCross-Site Scripting (XSS)Remote Code Execution (RCE)🔹 Reference knowledge base:OWASP Code Review Guide3. Automated Static Analysis (NodeJsScan)🔹 Tool: NodeJsScan🔹 What it does:Scans code without running it to detect security issues🔹 Key detection capabilities:1. Dangerous functionseval()OS command execution functions👉 Flags potential RCE paths2. Security misconfigurationsMissing CSP headersMissing HSTSMissing X-Frame-Options3. Dependency vulnerabilitiesUses Retire.jsDetects outdated or vulnerable libraries4. Custom rule supportAdd regex/string patternsConfigure rules in rules.xml4. Practical Workflow ExampleUsing vulnerable apps like NodeGoat:Tool scans entire codebaseFlags vulnerable linesShows file + exact line numberSpeeds up remediation process5. Big PictureSecurity auditing is about:Manual review → deep understanding Static analysis → fast detection at scale👉 Best practice: Use both together for complete coverageMental ModelCode → input flow tracking → unsafe sinks → automated scanning → verified findings You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    25 min
  4. Course 39 - NodeJS Security Pentesting and Exploitation | Episode 3: Hardening Code and Preventing Attacks

    -3 dias

    Course 39 - NodeJS Security Pentesting and Exploitation | Episode 3: Hardening Code and Preventing Attacks

    In this lesson, you’ll learn about: securing Node.js applications through safe coding practices, HTTP security headers, ReDoS protection, and preventing information disclosure1. Secure Coding in Node.js🔹 Key idea: Secure Node.js applications require strict control over execution context and defaults.🔹 Strict ModeEnables safer JavaScript executionPrevents accidental global variablesForces explicit variable declarations👉 Key Insight Strict mode reduces “silent” security bugs caused by sloppy scope handling2. HTTP Security Headers (Defense Layer)🔹 Tool: Helmet.js🔹 What it does: Automatically sets important security headers in Express apps.🔹 Key headers it manages:Content Security Policy (CSP) → blocks malicious scriptsHTTP Strict Transport Security (HSTS) → forces HTTPSXSS Protection headers → reduces injection risks👉 Key Insight Headers act as a browser-level security shield3. Secure Cookies🔹 Important flags:HttpOnlyBlocks JavaScript access to cookiesSecureEnsures cookies are only sent over HTTPS👉 Key Insight Even if XSS happens, HttpOnly cookies cannot be stolen via JS4. Regular Expression Denial of Service (ReDoS)🔹 What it is: A performance attack exploiting bad regex patterns🔹 How it works:Complex input causes exponential backtrackingCPU usage spikesServer becomes unresponsive🔹 Common risk area:Email validationInput sanitization👉 Key Insight A “valid” input can still be a computational attack5. Preventing ReDoS Attacks🔹 Strategies:Avoid overly complex regex patternsLimit input lengthUse safe validation librariesBenchmark regex performance👉 Key Insight Security includes performance safety, not just access control6. Information Disclosure Risks🔹 Problem: Attackers learn stack/framework details from responses7. Hiding Technology Fingerprints🔹 Disable default headersRemove X-Powered-ByHide framework identity🔹 Tools:Express.jsExample:Default headers reveal backend technologyRemoving them reduces attack surface visibility8. Session Cookie Hardening🔹 Risk: Default cookies like connect.sid reveal framework usage🔹 Fix:Rename cookiesCustomize session identifiers👉 Key Insight Small naming details can expose backend stack9. Custom Error Handling🔹 Problem: Default errors expose:Stack tracesFile pathsInternal logic🔹 Fix:Use production-safe error handlersReturn generic messages only👉 Key Insight Errors should help users—not attackers10. Big PictureYou are learning how to:👉 Harden Node.js applications at multiple layers 👉 Prevent CPU-based DoS attacks (ReDoS) 👉 Reduce information leakage from HTTP responses 👉 Apply production-grade security middlewareMental ModelStrict mode → secure headers → safe cookies → regex safety → hidden fingerprints → controlled errors → hardened application surface You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    19 min
  5. Course 39 - NodeJS Security Pentesting and Exploitation | Episode 2: Mitigating RCE, OS Injection, and Path Traversal Vulnerabilities

    -4 dias

    Course 39 - NodeJS Security Pentesting and Exploitation | Episode 2: Mitigating RCE, OS Injection, and Path Traversal Vulnerabilities

    In this lesson, you’ll learn about: critical Node.js vulnerabilities caused by unsafe user input handling, including RCE, command injection, XSS, and directory traversal1. Core Security Principle🔹 Key idea: Never trust user input👉 Any data from users must be treated as hostile by default Without validation, it can become a direct execution path into the system.2. Remote Code Execution (RCE) via eval()🔹 Dangerous functions:eval()setTimeout()setInterval()new Function()🔹 Why they are riskyThese functions execute raw JavaScript strings🔹 Attack outcomes:Infinite loops → server crash (DoS)Forced termination (process.exit())Full server takeover (reverse shell execution)👉 Key Insight If user input reaches an execution function → the server is effectively “remote-controlled”3. Remote OS Command Injection🔹 Vulnerable function:child_process.exec🔹 How the attack works:Input is passed into shell commandsAttacker injects separators like ;Extra commands execute on the OS🔹 Example impact:Read sensitive files (e.g., system password data)Execute arbitrary system commands🔹 Safer alternatives:execFilespawn👉 Why they are safer: They treat input as arguments, not executable shell strings4. Cross-Site Scripting (XSS)🔹 Cause: Unsanitized user input reflected into browser output🔹 Impact:Script execution in victim’s browserSession hijacking potentialUI manipulation👉 Key Insight Server-side mistake becomes client-side compromise5. Directory Traversal (Path Traversal)🔹 Technique: Using patterns like:../repeated directory jumps🔹 Impact:Access files outside intended directoryRead sensitive system filesBreak application file boundaries6. Big PictureThis episode shows how Node.js apps fail when:Input is executed instead of validatedSystem commands are built from raw stringsOutput is rendered without escapingFile paths are not restrictedMental ModelUser input → execution boundary → system access If that chain is not broken at validation → full compromise becomes possible You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    21 min
  6. Course 39 - NodeJS Security Pentesting and Exploitation | Episode 1: From V8 Fundamentals to Namespace and Parameter Pollution

    -5 dias

    Course 39 - NodeJS Security Pentesting and Exploitation | Episode 1: From V8 Fundamentals to Namespace and Parameter Pollution

    In this lesson, you’ll learn about: Node.js runtime architecture, single-threaded execution risks, global scope vulnerabilities, and HTTP Parameter Pollution (HPP)1. What is Node.js?🔹 Definition: A JavaScript runtime built on:Node.jsChrome V8 engine🔹 Purpose:Run JavaScript outside the browserBuild scalable server-side applications👉 Key Insight Node.js is not a framework—it’s a runtime environment2. Node.js Architecture🔹 Core model:Single-threadedEvent-drivenNon-blocking I/O🔹 How it works:One main event loop handles all requestsAsync tasks delegated to system threads👉 Key Insight It scales well—but one bad crash can affect everything3. Single-Threaded Risk🔹 Problem:One runtime thread handles all requests🔹 What can go wrong:Uncaught exception → entire server stopsMemory leak → whole app affected👉 Key Insight Scalability comes with system-wide fragility4. Global Namespace Pollution🔹 Definition:Variables declared globally in Node.js are shared across requests🔹 Risk in Express.js:Data leakage between usersShared state corruption🔹 Example risk:One user modifies a global variable affecting all users👉 Key Insight Global state in server apps = security vulnerability5. Why Global Variables Are Dangerous🔹 Issues:No request isolationCross-session data exposureHard-to-debug behavior👉 Key Insight Server logic must be stateless by design6. HTTP Parameter Pollution (HPP)🔹 Definition:Sending multiple values for the same parameterExample:?id=1&id=2 🔹 Node.js behavior:Captures all values as an array👉 Key Insight Unlike some frameworks, Node.js does not automatically collapse parameters7. Why HPP Becomes a Security Issue🔹 Risks:Bypass filtersConfuse validation logicManipulate backend decisions🔹 Example:WAF expects single value but receives array👉 Key Insight Ambiguous input = exploitable behavior8. Comparison With Other Systems🔹 Some frameworks:Take first valueOr last value🔹 Node.js:Keeps all values👉 Key Insight Predictability differences create security gaps9. Secure Coding Practices🔹 Recommendations:Avoid global variablesUse request-scoped data onlyValidate input as single/expected typeNormalize query parameters👉 Key Insight Security in Node.js = strict state control10. Big PictureYou are learning:👉 How Node.js architecture enables scalability 👉 Why its design can introduce security risks 👉 How input handling differences create vulnerabilitiesMental ModelEvent loop → shared runtime → global state risk → multi-value input → ambiguous parsing → exploitation opportunity You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    22 min
  7. Course 38 - Web Security Known Web Attacks | Episode 5: SOP Fundamentals and SOME Attack Exploitation via Flash Callbacks

    -6 dias

    Course 38 - Web Security Known Web Attacks | Episode 5: SOP Fundamentals and SOME Attack Exploitation via Flash Callbacks

    In this lesson, you’ll learn about: Same Origin Policy (SOP), its controlled exceptions, and how attackers exploit it using SOME via Flash callbacks1. What is the Same Origin Policy (SOP)🔹 Definition:A core browser security rule that restricts how documents interact🔹 Enforced in:Web Browsers🔹 Rule: Two URLs can interact only if all match:Protocol (HTTP / HTTPS)Host (domain)Port👉 Key Insight SOP prevents unauthorized access between different websites2. Why SOP Exists🔹 Purpose:Protect user data (cookies, sessions, DOM)🔹 Without SOP:Any site could read or modify another site👉 Key Insight SOP is the foundation of web security isolation3. Soft Exclusions to SOP🔹 Allowed interactions: embeddingpostMessage API🔹 Why they exist:Enable cross-origin communication safely👉 Key Insight SOP is strict—but not absolute4. Introducing SOME (Same Origin Method Execution)🔹 Definition:A technique to execute methods across windows using references🔹 Related concept:Reverse clickjacking👉 Key Insight SOME doesn’t break SOP—it works around it5. Role of Flash in SOME Attacks🔹 Technology involved:Adobe Flash Player🔹 Bridge:ActionScript ↔ JavaScript🔹 Key function:ExternalInterface.call()👉 Key Insight Flash acts as a bridge to execute JS indirectly6. How Flash Callbacks Become Vulnerable🔹 Weakness:Accept user-controlled input🔹 Restrictions:Often limited to:Letters (a–z, A–Z)Numbers (0–9)Dot (.)🔹 Still dangerous because:Can call existing JS functions👉 Key Insight Limited input ≠ safe input7. SOME Attack Lifecycle🔹 Step-by-step:Victim visits attacker pageMalicious page opens new tabUses window.opener referenceParent tab redirected to target sitePayload executes via callback👉 Key Insight Attack uses tab relationships + timing8. DOM Manipulation via SOME🔹 Target:Document Object Model (DOM)🔹 What attacker can do:Trigger clicksSubmit formsChange UI state👉 Key Insight User actions are simulated without consent9. Real-World Example: WordPress Exploit🔹 Platform:WordPress🔹 Vulnerability:Flash file (video-js.swf) with weak callback🔹 Attack outcome:Plugin activated automatically👉 Key Insight Even mature platforms can have legacy weak points10. Bypassing Filters🔹 Challenge:Only alphanumeric + dot allowed🔹 Solution:Call existing functions like:window.opener.someFunction👉 Key Insight Attackers reuse existing trusted functions11. Chaining Actions🔹 Advanced technique:Open multiple tabs🔹 Result:Simulate complex workflows:Activate pluginDelete filesChange settings👉 Key Insight Simple actions can be chained into full compromise12. Why SOME is Powerful🔹 Works when:XSS is blockedCSRF is mitigated🔹 Because:Uses legitimate browser behavior👉 Key Insight Security controls can be bypassed via unexpected paths13. How to Prevent SOME Attacks🔹 Remove legacy risks:Disable Flash completely🔹 Secure callbacks:Validate inputs strictlyAvoid dynamic execution🔹 Protect windows:Use rel="noopener noreferrer"👉 Key Insight Modern security = eliminate legacy + validate everything14. Big PictureYou are learning:👉 How SOP protects—but also limits 👉 How attackers abuse allowed behaviors 👉 Why legacy tech (Flash) is dangerousMental ModelSOP restriction → allowed exceptions → weak callback → window reference → method execution → silent attack You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    25 min
  8. Course 38 - Web Security Known Web Attacks | Episode 4: From Phishing to Reverse Clickjacking

    5/07

    Course 38 - Web Security Known Web Attacks | Episode 4: From Phishing to Reverse Clickjacking

    In this lesson, you’ll learn about: window.opener risks, phishing via tab manipulation, and Same Origin Method Execution (SOME)1. What is window.openerUsing JavaScript:🔹 Definition:A property that gives a newly opened tab access to its parent tab🔹 When it exists:When a link uses target="_blank"👉 Key Insight A child tab can control or modify the parent tab2. Why window.opener is Dangerous🔹 Core issue:Trust between tabs is implicit🔹 Risk:The new tab may be malicious or compromised👉 Key Insight Opening external links creates a hidden trust boundary3. Phishing via window.opener🔹 Attack flow:User clicks link on trusted siteNew tab opens (attacker-controlled)Attacker uses window.openerParent tab is redirected to fake login page👉 Key Insight User thinks they’re still on the trusted site4. Why This Phishing Works🔹 Psychological factor:User trusts the original tab🔹 Technical factor:URL changes silently in background👉 Key Insight This attack combines technical manipulation + human trust5. Same Origin Method Execution (SOME)🔹 Definition:Triggering actions in another window using limited scripting capabilities🔹 Also known as:Reverse clickjacking👉 Key Insight Even without full XSS, attackers can still execute actions indirectly6. How SOME Works🔹 Core idea:Child tab keeps reference to parentWaits for parent to reach sensitive stateTriggers actions programmatically👉 Key Insight Timing + reference = powerful attack vector7. Weak Callback Exploitation🔹 Targets:JSONP endpointsLegacy browser integrations🔹 Why they matter:Accept limited charactersStill allow function execution👉 Key Insight Even restricted inputs can be abused for execution8. Example Impact of SOME🔹 Possible actions:Trigger button clicksSubmit formsPerform sensitive operations👉 Key Insight User doesn’t need to interact—actions happen silently9. Relation to Other Attacks🔹 Similar to:Cross-Site Scripting (XSS)Cross-Site Request Forgery (CSRF)🔹 Difference:Uses browser relationships instead of direct injection👉 Key Insight SOME is a bypass technique when XSS/CSRF are blocked10. Preventing window.opener Attacks🔹 Best practices:Add rel="noopener noreferrer" to linksAvoid unnecessary target="_blank"Use strict Content Security Policy (CSP)👉 Key Insight You must explicitly break the opener relationship11. Defense Against SOME🔹 Strategies:Avoid JSONP and legacy callbacksValidate all actions server-sideImplement CSRF protections👉 Key Insight Never rely on client-side trust12. Big Security Lesson🔹 Core idea:Browser features can be weaponized🔹 Reality:Even “normal” functionality can become an attack vector👉 Key Insight Security requires understanding how features interact, not just codeKey Takeawayswindow.opener allows child tabs to control parent tabsCan be used for stealth phishing attacksSOME enables action execution without full XSSLegacy features increase riskProper link attributes and validation are criticalBig PictureYou are learning:👉 How browser tab relationships create vulnerabilities 👉 How attackers exploit trust and timing 👉 How modern defenses evolved from these weaknessesMental ModelUser click → new tab → opener reference → parent manipulation → exploitation You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

    21 min

Sobre

Welcome to CyberCode Academy — your audio classroom for Programming and Cybersecurity. 🎧 Each course is divided into a series of short, focused episodes that take you from beginner to advanced level — one lesson at a time. From Python and web development to ethical hacking and digital defense, our content transforms complex concepts into simple, engaging audio learning. Study anywhere, anytime — and level up your skills with CyberCode Academy. 🚀 Learn. Code. Secure. You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy

Talvez também goste