30
DubbaThony
103d

So we ordered a piece of software from an external software house because I was low on time and we needed it ASAP.

So. Long story short, their software was bugged as hell, they deny all the bugs and they have their BDD that they did, and anything we say about it like "feature XYZ is broken on Firefox" they will deny "because it wasn't in the BDD" or "let's get on a call" (in which +- 6-7 people participate from their side and we of course have to pay them for this...)

So they fixed like 20% of the bugs (mostly trivials/minors). The application is fairly small in scope. You have integration with like 3 endpoints on an arbitrary API, user registration/login, a few things to do in the database (mainly math running from cron).

They did it in ASP so I don't know the language and environment, so I can't just fix it myself.

2 days ago (Monday) they annoyed me to the point where I just started to break things. For starters I found that every numeric input is vulnerable to integer overflow (which is a blocker). I figured most of the fields are a perfect opportunity for XSS (but I didn't bother to do JS... anything but not JS...). I figured I can embed into my name/surname/phone (none validated) anything in HTML...

So for now we have around 25 bugs, around 15 of them are blockers.

They figured it's somehow our fault that it's bugged and decided to do a demo with us to show off how perfectly it works. I'm happy to break their demos. I figured I will register a bunch of users that have as their name an image with fixed/absolute position top:0;left:0 width/height 100% - this will effectively brick the admin panel.

Also I figured I can do some additional sounds in the background because why not. And I just don't know what to put in. It links to my server for now so I can freely change the content of the bricked admin panel.

I have curls ready to execute in case they reset the database.

I can put in GIFs or heck, even videos, doesn't really matter. The framework escapes some things for them so at least that. But audio/image/video works.

Now I have 2 questions:
- what image + audio combo will work the best (of course we need to keep it civil). I'm thinking of finding some meme with bugs or maybe a nuclear logo image with some siren sound
- am I an evil person?

Edit:

I haven't stated this clearly:

"There is no BDD that describes that if a user inserts malicious input the server should deny it" - that's almost literally what we get from them....

Comments
  • 6
  • 7
    here's some of my ideas

    rick roll them

    have a script just changing the css/dom randomly

    megalovania

    just an alert box

    you are an idiot site https://piv.pivpiv.dk/
  • 3
    Sounds like by my company
  • 6
    @terraria99 You are idiot site - I love that old site idea but I think it's not civil enough... Random alerts are boring and not as amusing.

    DOM... hmm... changing the colour of the page so it goes rainbow colourful (like changes colours and shines).... sounds freaking cool O,,,O
  • 2
    wow! o_o
  • 3
    Do the stackoverflow unicorn thing too. Break the application. Break their backs. ^^
  • 4
    @exceptionalGuy I would <3 to do it but I'm a backend guy, I'm clueless about more advanced CSS stuff... For quick prototyping it can maybe work, for such in-depth stuff.. Meh.. But I can always do <style> with their display:flex'es changed into !important display:block's... So many possibilities...
  • 0
    Teletubbies.

    It will be glorious.
  • 1
    So any news?
  • 1
    @terraria99

    I settled on the gif shown in #1 and a "warning, tactical nuke incoming <siren>" sound (extracted from some game) in the background.

    It was glorious. Especially that their boss hopped on the call. We also showed them all the bullshit like... if I add enough items to the cart it overflows the integer that's the price and I buy for a negative amount of cash which:

    - grants my account items
    - increases my account balance

    Best part was when we were talking to them during their demo
    - "okay, can you try to buy 90000 of this product?"
    - "yeah, sure... I don't know why, it's pointless but okay... wait.. whaaa.. <silence for good 2 minutes>"

    - "okay, let's check out the admin panel"
    - "sure, so if you go to the admin panel, as I will show you no.. what? WARNING TACTICAL NUKE INCOMING"
    - "yeah, we have been trying to tell you for a few months that it's broken"

    The effect was ohhh... beautiful and extremely satisfying (maybe because their superior was on the call for some reason)

    They fixed around 60% of the blockers now
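Two defects run through this thread: the original post's "every numeric input is vulnerable to integer overflow" and "anything in HTML goes into name/surname/phone", and the follow-up's cart where buying 90000 of an item wraps the price negative. The Go program below is an added example, not the vendor's ASP code nor anything from the thread; it stands in for the ASP.NET `int` (32-bit, wrapping silently in the default unchecked context) with Go's `int32`, which wraps the same way, and puts the defective line-total computation next to a checked one, plus the output-escaping that keeps a stored display name from being rendered as markup in an admin listing. The unit price, the 1000-per-line limit, and the function names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"math"
)

// Constructed sample value (not from the thread): a unit price in cents held
// in a 32-bit signed integer, mirroring how a C#/ASP.NET `int` behaves in the
// default unchecked context, where arithmetic wraps instead of failing.
const unitPriceCents int32 = 2999900 // 29,999.00 per item, constructed

// Assumed business rule (not from the page): no cart line exceeds this quantity.
const maxQtyPerLine int64 = 1000

var (
	ErrQuantity = errors.New("quantity out of range")
	ErrPrice    = errors.New("unit price must be positive")
	ErrOverflow = errors.New("line total does not fit in int32")
)

// unsafeLineTotal reproduces the defect the thread describes: quantity times
// price with no bound or overflow check, so a large quantity wraps the 32-bit
// total negative and checkout proceeds with a negative amount.
func unsafeLineTotal(qty int32, price int32) int32 {
	return qty * price // wraps in int32; Go, like unchecked C#, does not trap
}

// safeLineTotal is the hardened version: the quantity is range-checked first,
// the product is computed in int64 (which cannot overflow for these bounded
// operands), and the result is verified to fit in int32 before it is used.
func safeLineTotal(qty int64, price int32) (int32, error) {
	if qty <= 0 || qty > maxQtyPerLine {
		return 0, ErrQuantity
	}
	if price <= 0 {
		return 0, ErrPrice
	}
	total := qty * int64(price) // at most 1000 * 2^31, well within int64
	if total > math.MaxInt32 {
		return 0, ErrOverflow
	}
	return int32(total), nil
}

// renderNameCell addresses the other defect: the admin panel inserting the
// stored display name into HTML verbatim. Escaping at the point of output is
// the control that keeps a name containing markup from becoming markup.
func renderNameCell(displayName string) string {
	return "<td>" + html.EscapeString(displayName) + "</td>"
}

func main() {
	// Constructed input: the "buy 90000 of this product" case from the thread.
	fmt.Println("unchecked total:", unsafeLineTotal(90000, unitPriceCents))
	if _, err := safeLineTotal(90000, unitPriceCents); err != nil {
		fmt.Println("checked total rejected:", err)
	}
	// Constructed input: a registration name carrying an image tag.
	fmt.Println(renderNameCell(`Mallory <img src="x">`))
}
```

With the constructed price, 90000 items comes to 269,991,000,000 cents, which wraps to a negative int32 in the unchecked path and is refused by the quantity bound in the checked one. The escaping is done where the name is rendered, not where it is stored, so a name that is legitimately odd is kept intact in the database and still cannot alter the page.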
  • 1
    They should make TV shows with this kinda stuff.

    Will the superior yield to the threat of the nuke and clean the software his team pulled out from their collective asses? Find out on next week's episode.