This was actually written by a Junior of mine (and if it wasn't for me having to review it, it would have made it to production):
- Admi password was just an MD5 in the javascript.
- Javascript would validate the password input.
- Javascript would then send a POST request to a PHP script.
- On display, the HTML of the news article wasn't HTML escaped.

My brain: "Let's just send this XSS vector to this PHP script"

  • 3
    You'd hope you'd have some authentication framework or some system for a jr to hook into rather than ... kinda roll their own as a jr.
  • 3
    Well, there's a reason he's junior.
  • 3
  • 1
    @N00bPancakes Well... that's were the fun starts really :p

    A *junior* was treated as if he/she were to be a great developer already.

    So unlike most sensible companies were a junior would be put into a team with mediors and possibly a senior, the company I worked for went like: "Here, have this entire project on your own. We want it to be up and running within 3 months, have fun!"...

    needless to say, our management was a bunch of bonobos.
Add Comment