When /admin is protected by nothing more than:

    // runs in the visitor's browser, so it can simply be switched off
    var admin = false;
    setTimeout(function () {
        window.location.href = "/home";
    }, 1000);

My favourite to ever stumble on and dread going through hundreds of files to actually fix 😣

  • 3
    I pray the api endpoint is protected
  • 2
  • 8
    Who, in their right mind, ever protects anything with JavaScript?

    That's like setting up a bucket of water in the attic and calling it a sprinkler installation.
  • 5
    I think it is important to remember that a lot of legacy code may have been put in place during extreme time crunches with little prior experience and with the attitude, "It works well enough"

    At least you are being allowed to change it.

    We've all been places where this type of solution becomes dried cement and no one is allowed to touch it for fear of causing even the slightest interruption
  • 4
    I wouldn't even have flinched. I see security in JavaScript and assume this is just to hide buttons and redirect to landing pages as part of usability and the real security is implemented in the backend.

    I wouldn't have caught that.
  • 0
    @LameCode20 node.js developers probably