3
R1100
107d

Should I develope an app to make some money
Or learn some cool things about security
Or maybe both ?

Comments
  • 4
    Start security, and gradually shift to a 50/50 deal
  • 2
    @alexbrooklyn Who carres about security ?

    Just do like Apple, facebook and co : Store passwords in plain text ! Free advertisement !
  • 1
  • 1
    @R1100 too soon ? ;p Oh I forgot Capital One in the list.

    But to be fair, I had a similar bug once.

    Just AFTER we deployed Application Insights : One week later I saw that user passwords were logged in logs in plain text. As App Insights record the body of all POST requests, password was there :)

    To solve it, I excluded "bodY' recording from login attempts. But for a week, we had some of users passwords in plain text.
  • 0
    @NoToJavaScript well the attacker can still get the user passwords within the network
  • 0
    @R1100 It’s SSL (Like any website). So yeah, attacker can do the same as any other website
    Application insight could log passwords in text because it’s running after SSL layer.
  • 1
    @NoToJavaScript sslstrip ! No encryption
  • 1
    @R1100 I’m ready for du du du duel !
    Now I’m playing my trump card !
    HSTS !
  • 1
    @NoToJavaScript
    You won on this one !
    But still evil twin and mitm works .
    Or maybe hacking the routers and redirecting the traffic.
  • 1
    @R1100 Ofcause it works !
    I can’t believe how 75% of websites don’t implement basic things.
    We are in 2019 and I can guaranty you, I can find a web site with open SQL Injections in like 10 minutes.
    Couple of years ago I even made a scrip which was googling for “admin.asp” and then just tests forms for injections. Out of 10000 sites, 1500 were susceptible. And in this 1500, there were 1 credit card processor.
  • 1
    @NoToJavaScript wow!
    Must try that !
  • 1
    @R1100 It's so fun to do.

    I went to implement a full DB dump, if injection were possible ;p

    Now I need to find this code.
  • 1
    @NoToJavaScript can you bypass the Captcha? (Python machine learning and such)
  • 1
    @R1100 No, my script was specifically targeting VERY old website (admin.asp, not aspx). There are still plenty lol ! These sites don’t even know what “captcha” is.
  • 1
    @R1100 Here,

    Took me 1 min to find one

    https://utech.edu.jm/seac/admin.asp

    Have fun with SQL injections
  • 0
    @NoToJavaScript that's incredible!
Add Comment