Protect Your Knack Applications with our Knack Vulnerability Scanner

Hello Friends,

We’re excited to share a new tool that we’ve developed here at Ksense Tech.

Introducing the Knack Vulnerability Check – An easy way for non-coders to audit their Knack application.

Give it a try here:

What is the Knack Vulnerability Check?
This tool is designed to identify exposed API keys in your Knack applications. It’s simple to use – just paste the URL of your live Knack application (note: Builder URLs are not supported) into the tool, and it scans for vulnerabilities.

Why Did We Create This Tool?
In our recent projects, we’ve noticed a troubling trend: many Knack applications we acquire already have code containing vulnerabilities. This is particularly concerning for clients who may not have the technical expertise to audit their applications for security risks. That’s why we created this script. It checks your application’s code for vulnerabilities and alerts you to any issues found.

The Risk of Exposed API Keys
An exposed API key is a serious vulnerability. If a key is visible in your code, anyone – without even logging into your application – can access, modify, or even delete your data. It’s a risk no one should have to take.

Open Source and a Call to Action
Our tool is open source and available here. We strongly urge Knack to consider integrating a form of this tool into the Knack builder.


FAQ Section

  • How does the Knack Vulnerability Check work?
    Our tool performs a scan using only the public URL of your Knack application. It analyzes all the JavaScript code for exposed API keys using a pattern recognition algorithm. Importantly, this process requires no sensitive information from you.

  • What about data privacy and security?
    Your privacy is paramount. Our tool operates on a strict no-data-retention policy. Being open source, you can confidently review our code to ensure we don’t store any data about your application or its vulnerability status.

  • What motivated the development of this tool?
    In just this month, we’ve encountered three Knack projects compromised by previous developers. Recognizing the challenge for those without coding expertise to ensure app safety, we developed this tool. It’s not just a safety net for your data, but also a step towards urging Knack to integrate such security measures natively.

  • Cost and Accessibility of the Tool
    The tool is entirely free and open source. You’re welcome to explore the code to understand its workings. This transparency is part of our commitment to user trust and security.

  • Recommended Usage Frequency
    For optimal security, we recommend running the tool regularly, especially after any updates or changes made to your application’s JavaScript code.

  • Scope of Vulnerability Detection
    Currently, our tool only detects exposed Knack API keys - the most frequently encountered vulnerability. It does not check for other types of vulnerabilities at this time.

  • Impact on Application Performance
    Efficiency is key. Our tool operates externally, meaning it has no impact on your application’s performance. All processing is handled on our dedicated server. You’re also welcome to self-host the tool if you would like.

  • Compatibility with Knack Applications
    The tool is tailored for standard Knack applications hosted on Knack’s servers. It is not compatible with self-hosted or custom-domain Knack applications.

  • Does the Knack Vulnerability Check inspect injected or lazy-loaded code?
    Currently, our tool does not inspect code that is injected or lazy-loaded within your Knack application. We only scan the statically available JavaScript file.
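As an added illustration of the kind of pattern check the FAQ describes (this is example code written for this post, not the Ksense tool's own code, which is linked above): a small static scanner that takes an app's custom JavaScript as a string and reports string-literal Knack REST API keys. The header names and the literal `knack` value that Knack's view-based requests send in place of a real key are Knack conventions; the two regexes are my assumptions about how a leaked key typically appears in code, not the tool's actual rules; both sample snippets are constructed, and the key values in them are placeholders.

```javascript
// Added example, not the Ksense tool's code: a static check for Knack REST API
// keys left in an app's custom JavaScript. The input is the JavaScript source as
// a string (the real tool fetches it from the live app URL; that step is omitted
// here so the example runs offline). The regexes are assumed patterns for a
// leaked key, not the tool's actual rules.

// Knack request header for the REST API key. The application ID is public (it is
// in every Knack page), so only the REST API key counts as a secret.
const REST_KEY_HEADER = "X-Knack-REST-API-Key";

// View-based (user-token) requests send the literal string "knack" instead of a
// real key; it grants nothing by itself, so it is treated as safe.
const VIEW_PLACEHOLDER = "knack";

// Rule 1: the REST key header set to a string literal,
// e.g.  'X-Knack-REST-API-Key': 'abc123...'
const HEADER_LITERAL_RE = new RegExp(
  `["']${REST_KEY_HEADER}["']\\s*:\\s*["']([^"']+)["']`, "gi");

// Rule 2: an assignment to a name that looks like a REST key holder
// (assumed naming convention), e.g.  var apiKey = "abc123...";
const ASSIGN_RE = /\b(?:rest_?api_?key|api_?key)\s*[:=]\s*["']([^"']{8,})["']/gi;

const RULES = [
  ["header-literal", HEADER_LITERAL_RE],
  ["key-assignment", ASSIGN_RE],
];

// 1-based line number of a character offset in the source.
function lineOf(source, offset) {
  return source.slice(0, offset).split("\n").length;
}

// Returns one finding per suspected key; the value is truncated so the report
// does not itself reproduce the secret.
function findExposedKnackKeys(source) {
  const findings = [];
  for (const [rule, re] of RULES) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(source)) !== null) {
      const value = m[1];
      if (value.toLowerCase() === VIEW_PLACEHOLDER) continue;
      findings.push({ rule, line: lineOf(source, m.index), preview: value.slice(0, 4) + "..." });
    }
  }
  return findings;
}

// Summarise a scan the way the tool's page does: vulnerable or not.
function scanReport(source) {
  const findings = findExposedKnackKeys(source);
  return { vulnerable: findings.length > 0, findings };
}

// Constructed sample: object-based call with a key pasted into the page,
// plus a key held in a variable. Both key values are placeholders.
const SAMPLE_UNSAFE = `
$(document).on('knack-view-render.view_12', function (event, view) {
  $.ajax({
    url: 'https://api.knack.com/v1/objects/object_3/records',
    type: 'PUT',
    headers: {
      'X-Knack-Application-Id': Knack.application_id,
      'X-Knack-REST-API-Key': 'EXAMPLE-LEAKED-KEY-0000'
    }
  });
});
var apiKey = "EXAMPLE-LEAKED-KEY-1111";
`;

// Constructed sample: view-based call, which carries the logged-in user's token
// and the "knack" placeholder instead of the REST key.
const SAMPLE_SAFE = `
$.ajax({
  url: 'https://api.knack.com/v1/pages/scene_1/views/view_12/records',
  type: 'GET',
  headers: {
    'X-Knack-Application-Id': Knack.application_id,
    'X-Knack-REST-API-Key': 'knack',
    'Authorization': Knack.getUserToken()
  }
});
`;

console.log(scanReport(SAMPLE_UNSAFE)); // vulnerable: true, two findings
console.log(scanReport(SAMPLE_SAFE));   // vulnerable: false
```

Run it with `node` after pasting an app's custom JavaScript into a string. It has the same blind spot the FAQ names: a key assembled by concatenation, read from another variable, or loaded by injected code is not a string literal next to the header and is not reported, so a clean result from this kind of check is not proof that no key is exposed.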


We believe this tool is a step towards more secure Knack applications, and we encourage all Knack users to give it a try. Protect your data, protect your application, and maintain the trust of your users.

Best regards,
Kelson Erwin
Ksense Technology Group

6 Likes

Thanks @Kelson for sharing, I’ll check my apps today 👍

Thanks Carl!

Very cool, thank you! Found a vulnerability in mine, and it’s from code that I utilized from the forums here in order to add checkboxes. Anybody know how to add checkboxes without exposing the API key?

Hello JD,

For adding checkboxes we don’t need to expose API keys, but when trying to update records using checkboxes we need to either create another form or update the object directly.

We can avoid exposing keys by using update forms instead of updating the object directly.

Thanks,
Sunny Singla

1 Like