Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
runardev2224y@magicMirror nope, this is sadly real. Some new guy managed to convince management that the old service was shit and that he could rewrite all the functionality in no time.
All other devs are bashing it, but management is convinced that we are just jealous because the service is so much faster (which it isn't).
We have shown at different occations how easy it is to «hack» into the service. The creator say that is OK since it is not finished. But then they launched the service without fixing any of it. -
stop68024y@runardev can you agree with the managment to have a live demonstration on the prod system where you manipulate the data of the person who written it?
My plan for an perfect event would be this:
1. He verifies that the system is untampered.
2. You log in as the unprotected admin and talk what you just make, like in a youtube lets play of an game.
3. Ask one of the managment to log in via the unprotected admin to change things he wants to do.
I recommend that if its possible to use from the internet to use an pc that only has access to the internet.
And make a backup before this. -
runardev2224y@stop yeah, I think there will be some more attempts like this the coming week. At the moment, we are a bit flabbergasted.
Oh well, integration-testing are a bit easier when access-tokens are simply '1=1-- -
If this thing processes customer data and you live within an area where the GDPR holds, you should alert management that they are setting the company up for hefty GDPR fines.
-
witchDev7643yWtf!! Reading all that honestly gave me so much anxiety and now i have to go the toilet.
Great news, our company's has a brand new security-first product, with an easy to use API and a beautiful web interface.
It is SQL-injection-enabled, XSS-compatible, logins are optional (if you do not provide a password, you are logged in as admin).
The json-api has custom-date formats, bools are any of "1", "0", 1, 0, false or null (but never true). Numbers are strings or numbers. Utf-8 is not supported. Most of our customers use special characters.
The web interface is using plain bootstrap, and because of XSS it is really easy to customize everything.
How the hell this product got launched is beyond me.
rant