70
runardev
33d

Great news, our company has a brand new security-first product, with an easy-to-use API and a beautiful web interface.

It is SQL-injection-enabled and XSS-compatible, and logins are optional (if you do not provide a password, you are logged in as admin).

The JSON API has custom date formats; bools are any of "1", "0", 1, 0, false or null (but never true). Numbers are strings or numbers. UTF-8 is not supported. Most of our customers use special characters.

The web interface uses plain Bootstrap, and because of XSS it is really easy to customize everything.

How the hell this product got launched is beyond me.

Comments
  • 19
    Holy shit!

    Are you sure this is not an OWASP "don't do this shit" demo?
  • 2
    This exists? In a production environment?
  • 11
    @magicMirror nope, this is sadly real. Some new guy managed to convince management that the old service was shit and that he could rewrite all the functionality in no time.

    All other devs are bashing it, but management is convinced that we are just jealous because the service is so much faster (which it isn't).

    We have shown on different occasions how easy it is to «hack» into the service. The creator says that is OK since it is not finished. But then they launched the service without fixing any of it.
  • 2
    @ars1 yup, just launched.
  • 5
    @runardev can you agree with management to have a live demonstration on the prod system where you manipulate the data of the person who wrote it?
    My plan for a perfect event would be this:
    1. He verifies that the system is untampered.
    2. You log in as the unprotected admin and narrate what you are doing, like in a YouTube Let's Play of a game.
    3. Ask one of the managers to log in via the unprotected admin to change things he wants to change.

    I recommend that if it is reachable from the internet, you use a PC that only has access to the internet.
    And make a backup before this.
  • 2
    @runardev and after that, help him to repair/secure the system. The best way is to help him fix the mistakes so he can learn, or management will think that you are mobbing him.
  • 5
    @stop yeah, I think there will be some more attempts like this the coming week. At the moment, we are a bit flabbergasted.

    Oh well, integration testing is a bit easier when access tokens are simply '1=1--
  • 16
    If this thing processes customer data and you live within an area where the GDPR holds, you should alert management that they are setting the company up for hefty GDPR fines.
  • 4
    extensible by default by any customer. I like it.
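Two of the failure modes described above, the "no password means admin" login and the `'1=1--` style token that short-circuits a string-built query, come from the same pair of bugs: a password check that only runs when a password was supplied, and SQL assembled by string formatting. The following is an added example, not code from the product or from anyone in this thread; the table layout, user names and passwords are constructed for illustration. It puts a login function with both bugs next to a hardened version that uses a parameterised query, a constant-time hash comparison, and an explicit rejection of a missing password.

```python
import hashlib
import hmac
import secrets
import sqlite3


def hash_pw(password: str, salt: str) -> str:
    """PBKDF2-SHA256 of the password under a per-user salt (hex digest)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), 10_000
    ).hex()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; admin is deliberately inserted first."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT, salt TEXT, pw_hash TEXT, role TEXT)"
    )
    for name, pw, role in [("admin", "correct horse", "admin"),
                           ("alice", "hunter2", "user")]:
        salt = secrets.token_hex(8)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (name, salt, hash_pw(pw, salt), role))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, name: str, password=None):
    """Returns the role on success, None on failure. Contains two bugs on purpose."""
    # Bug 1: the user name is interpolated into the SQL text, so a name like
    # "' OR 1=1--" turns the WHERE clause into "name = '' OR 1=1" and the
    # trailing quote is swallowed by the "--" comment. The first row wins.
    row = conn.execute(
        f"SELECT name, salt, pw_hash, role FROM users WHERE name = '{name}'"
    ).fetchone()
    if row is None:
        return None
    # Bug 2: the password is only checked when one was supplied. Omitting it
    # (password=None) skips the check entirely and logs in as whoever matched.
    if password is not None and not hmac.compare_digest(
        hash_pw(password, row[1]), row[2]
    ):
        return None
    return row[3]


def hardened_login(conn: sqlite3.Connection, name, password):
    """Same contract, with the query parameterised and a password required."""
    # A missing or empty password is a failed login, never a bypass.
    if not isinstance(name, str) or not isinstance(password, str) or not password:
        return None
    # Parameter binding: the driver sends the name as data, not as SQL text,
    # so "' OR 1=1--" is simply looked up as a (non-existent) user name.
    row = conn.execute(
        "SELECT salt, pw_hash, role FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Burn a hash anyway so the response time does not reveal
        # whether the user name exists.
        hash_pw(password, "0" * 16)
        return None
    if not hmac.compare_digest(hash_pw(password, row[0]), row[1]):
        return None
    return row[2]


def demo() -> dict:
    """Exercise both functions with the same inputs; values are what each returns."""
    conn = make_db()
    injected = "' OR 1=1--"
    return {
        "vuln_no_password": vulnerable_login(conn, "admin"),          # 'admin'
        "vuln_injected_token": vulnerable_login(conn, injected),      # 'admin'
        "vuln_valid_user": vulnerable_login(conn, "alice", "hunter2"),  # 'user'
        "hard_no_password": hardened_login(conn, "admin", None),      # None
        "hard_injected_token": hardened_login(conn, injected, "x"),   # None
        "hard_valid_user": hardened_login(conn, "alice", "hunter2"),  # 'user'
        "hard_wrong_password": hardened_login(conn, "admin", "wrong"),  # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} -> {value!r}")
```

The hardened version does not try to "sanitise" the name; it relies on parameter binding so the database never sees user input as SQL, and it treats the absence of a password as a failed login rather than as a special case. Those two changes are enough to close both of the bypasses shown by the vulnerable function.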