
How my comments section got nuked (and how I fixed it)

May 12, 2026

A quick story about a 'friendly' security audit, 500KB of JSON garbage, and why even your smallest hobby projects need basic protection.

A few days ago, my comments section had its first real baptism by fire. A friend of mine decided to practice some scripting and “light” web security—and naturally, my site was the guinea pig.

To be honest, the protection was non-existent. My comments API was basically wide open:

  • No rate limiting (Spam away!)
  • No captchas or session handling.
  • Zero request validation—if it was JSON, my backend liked it.

The “attacker” quickly realized that the PHP script just took any JSON payload and happily appended it to a file. The funniest part? It didn’t take a sophisticated botnet to bring it down—just a tiny Python script using requests.post().

Here is the “hacking tool” in question:

import requests
import time
from sys import argv, exit as sys_exit

# Simplified version of the script used
def send_comment(author, body):
    # The endpoint accepted any JSON object and appended it to the comments file
    payload = {"author": author, "body": body}
    headers = {"Accept": "application/json", "Content-Type": "application/json"}

    response = requests.post(
        "https://zenisoft.net.ua/comments.php",
        json=payload,
        headers=headers
    )
    return response.json()

# ... you get the idea.

Technically, it wasn’t a masterclass in hacking, but it proved how fragile an unprotected endpoint is. My comments JSON file eventually bloated to about 500KB, filled with hundreds of spam entries. Luckily, since it was all just plain text, cleaning it up was easier than fixing a corrupted database.

But they didn’t stop there. After the spam, they pulled out Bombardier to stress-test the server:

bombardier -c 250 -n 1000000000000 https://zenisoft.net.ua

Ironically, my hosting provider’s (Ukraine.com.ua) infrastructure-level protection kicked in faster than my own code did. The server stayed up mostly because the host did the heavy lifting for me.

What did I learn?

Even for a small hobby project, “minimal security” isn’t optional. It’s a necessity. I’ve since hardened the stack with:

  • Basic Rate Limiting: No more infinite posts per second.
  • Validation: Checking if the data actually makes sense before saving it.
  • Improved Logging: So I can see exactly who is “testing” things next time.
  • Cooldowns: Adding a mandatory wait time between comments.
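To make those four points concrete, here is an added example (not the author's PHP code) of what the server side of a comments endpoint can do before it touches the comments file: a per-client sliding-window rate limit with a cooldown, strict validation of the {"author", "body"} object, and one audit line per request. The limits, field sizes and the client key (a source IP) are assumptions chosen for illustration.

```python
import json
import re
from collections import deque

MAX_AUTHOR, MAX_BODY = 64, 2000           # hypothetical size limits
WINDOW_SECONDS, MAX_PER_WINDOW = 60, 5    # hypothetical: 5 posts per minute per client
COOLDOWN_SECONDS = 10                     # hypothetical mandatory wait between two posts
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")

def validate_comment(payload):
    """Return None for a sane {"author", "body"} object, else the rejection reason."""
    if not isinstance(payload, dict) or set(payload) != {"author", "body"}:
        return "payload must be a JSON object with exactly author and body"
    author, body = payload["author"], payload["body"]
    if not isinstance(author, str) or not isinstance(body, str):
        return "author and body must be strings"
    if not (1 <= len(author.strip()) <= MAX_AUTHOR and 1 <= len(body.strip()) <= MAX_BODY):
        return "author or body length out of range"
    if CONTROL_CHARS.search(author + body):
        return "control characters not allowed"
    return None

class CommentGate:
    """Sliding-window rate limit plus a cooldown, tracked per client (e.g. per IP)."""
    def __init__(self):
        self._posts = {}  # client -> deque of accepted post timestamps

    def check(self, client, now):
        """Return None and record the post if allowed, else the rejection reason."""
        posts = self._posts.setdefault(client, deque())
        while posts and now - posts[0] >= WINDOW_SECONDS:
            posts.popleft()  # forget posts that fell out of the window
        if posts and now - posts[-1] < COOLDOWN_SECONDS:
            return "cooldown active"
        if len(posts) >= MAX_PER_WINDOW:
            return "rate limit exceeded"
        posts.append(now)
        return None

def handle_post(gate, client, raw_body, now, log):
    """Gate first, then parse and validate; append an audit line; return (status, reason)."""
    reason, status = gate.check(client, now), 429
    if reason is None:
        try:
            payload = json.loads(raw_body)
        except json.JSONDecodeError:
            payload = None
        reason, status = validate_comment(payload), 400
    log.append(f"{now:.0f} {client} {'rejected: ' + reason if reason else 'accepted'}")
    return (status, reason) if reason else (200, None)
```

Because the gate records a slot even when the payload later fails validation, a flood of garbage JSON burns through the client's quota just as fast as well-formed spam would.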

The takeaway? I don’t see this as a “betrayal.” In my eyes, a technical attack on your own system is just an extremely aggressive bug report.

If someone can break your site in five minutes for fun, eventually someone else will do it for real. Instead of getting annoyed, I used this as a free security lesson to make the site a bit more robust.

Special thanks to the guy at themomer.ru for accidentally becoming my unpaid QA engineer.

Comments

Server JSON storage

Other users will see it btw