Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Oktokolo130417dThat is just a noob mistake and trivial to fix.
Some of the more severe stuff i saw in the wild:
- Checking user input client-side only.
- Not using stored procedures leading to SQL injection opportunities.
- Hardwired master passwords (not even hashes).
- Missing authorization checks leading to anyone being admin who can guess some URL parameters right.
- Not escaping persistent user input on HTML generation leading to cross-site-scripting attacks.
- Not using cross-site-request-forgery-prevention tokens or storing them in a cookie (rendering them useless).
- Not honouring the DRY principle - leading to hundreds of places that have to be fixed when bugs are found.
- Not honouring the KIS principle leading to loads of edge-case-specific code paths wich never get any test coverage (neither human nor automated).
I am not a security researcher. This is all just common stuff most of the sites out there get wrong.
vane886016dfyi it was/is part of official rfc and was widely used before web browsers and/or internet become popular
not exactly how you probably think of “as parameters” but cause you didn’t precisely wrote what parameter is, this is how original internet address ( url ) protocol rfc1738 looks like
It’s just browsers implemented it so ugly it got deprecated.
for me it’s pure beauty in its simplicity
Hazarth154216dAre we talking about query parameters? because sending "?username=&password=&grant_type=password" as query params is also a standard for oAuth2 authentication.
it shouldn't be an issue if its over https and once you have your token back you don't have to resend it anymore. Unless ofc you're saying someone was sending it *with each* request...
zemaitis7My local ISP was saving their database backups in an unprotected folder which was literally domain.com/backups...
PonySlaystation9There was a time in Windows 95, where during login, you could just press cancel and you were logged in without...
Angry8Oh you'll love this. A master password to access any user. Something like: const masterpassword = <dayABCyear...