In this article, I will explain why web3 security is actually very easy to learn by comparing it with website security (web2) and pointing out the main differences.
What are the main differences between web2 and web3 security?
Should you learn web2 or web3 security? Is web2 security required for mastering web3 security?
In order to learn cyber security you absolutely need to meet some prerequisites (in order to understand how the whole system works); don’t forget that you can’t hack what you don’t understand.
To learn Web2 security you need to know:
- Backend server languages (Node.js/PHP/Python/Java…)
- Known flaws (SQL injection, XSS, CSRF…)
- Network protocols (TCP/IP, HTTP…)
- Linux security (and privilege escalation)
- Web server configuration
- Cryptography and the HTTPS protocol (to some extent)
To learn Web3 security you first need to know:
- Solidity + Hardhat/Truffle
- Blockchain architecture
- Cryptography (to some extent)
- Known flaws (reentrancy, overflows…)
It may sound counterintuitive, but the prerequisites for learning Web3 security are far lower than for Web2, and you don’t need that much.
In web2, if you want to “hack” a server, you can’t see the server’s code; you need to send HTTP requests in order to observe how the server behaves and which flaws it is vulnerable to.
But with smart contracts this is not the case. In most cases the code of a smart contract is open source, which means you can read it and search for flaws directly, and even if the source code is NOT published, you can still see the bytecode on Etherscan and decompile it, which is not that hard.
Moreover, the code of a smart contract is often far less complicated than the code of a website.
3. Transactions and requests
In order to “interact” with or “hack” a smart contract, you need to submit a transaction to it.
Transactions are very easy to understand: there are only about 10 fields, and most of the time the malicious payload is stored in the data field.
In web2, transactions are of course replaced by HTTP requests, and each transaction field (data, value, gas…) is replaced by HTTP headers.
There are dozens of headers (if not hundreds), and many of them are very relevant from a security point of view (CSP, CORS, iframe protection…).
Client and server communicate with HTTP requests and responses, which are much harder to understand and master than Ethereum transactions.
4. Most known flaws
Web2 and web3 common flaws are very different, and a lot of them don’t have
For example, here are the most common flaws on web2:
- Injection flaws allowing you to execute your code on a server or in a browser, like SQLi and XSS (no equivalent on web3)
- Broken access controls, meaning not checking whether a user has enough privileges to view/modify a resource (equivalent to forgetting the “onlyOwner” modifier on a smart contract)
- Security misconfigurations (almost nonexistent on web3)
- Outdated software (almost nonexistent on web3, as almost everyone uses Solidity 0.8)
Most of these flaws have a lot of variants (there are hundreds of ways of doing an SQL injection or misconfiguring a server).
Here are the most common flaws on web3:
- Reentrancy (doesn’t exist on web2)
- Underflows/overflows (don’t exist on web2, at least not in website security)
- DoS attacks (exist on web2, but not in the same form)
They are quite easy for a web3 dev to understand, and they have a very limited number of variants (there are only a handful of ways to cause an “underflow”, for example).
The only exception is logical flaws, which are present on both web2 and web3 and are harder to detect.
5. Decentralization vs centralization
As web2 is centralized, every website/infrastructure is responsible for its own security.
If you’re creating a website:
- you need to configure the server.
- you need to configure the database.
- you need to use up-to-date tools.
- you need to pay attention to the server code logic.
And if you get only one of these things wrong, your server can be hacked.
(You can, of course, delegate some of these tasks to software, but then you won’t understand how things work.)
Web3 is less centralized, and you only need to pay close attention to the smart contract’s logic (and to the front-end to some extent).
The blockchain itself, which executes the smart contract code, is considered secure.
6. Cost of “hacking”
If your website gets hacked, you’re wrecked: you may lose some time, reputation or even some money (like your payment gateway being stolen), but this is not as severe as getting your smart contract hacked.
So while web3 security is easier than web2 security, you still need to pay very close attention to the different flaws in your smart contract.
Becoming a competent professional in web2 security from zero will take you years of hard work, but it can be reduced to ONLY months of hard work if you’re on web3 (but it is still hard work).
Indeed, this is the case because mastering web3 is a lot simpler than mastering web2.
As always, I hope you’ve learnt a lot in this article, and see you next time :)