Search - "403"
Me: I can't access the VPN
Network team: You have to create a user incident
My browser: 403
Network team: Yeah you need to be on the VPN to access the incident system
Dear nerds from all over the world,
We get it. 404 pics are funny.
But did you know there are other status codes too?
204 - No Response
301 - Moved
302 - Found
400 - Bad request
401 - Unauthorized
402 - Payment Required
403 - Forbidden
501 - Not Implemented
502 - Service Temporarily Overloaded
I'm sure you'll also find funny situations with these.
Thanks. We're the best!
It's maddening how few people working with the internet don't know anything about the protocols that make it work. Web work, especially, I spend far too much time explaining how status codes, methods, content-types etc work, how they're used and basic fundamental shit about how to do the job of someone building internet applications and consumable services.
The following has played out at more than one company:
App: "Hey api, I need some data"
API: "200 (plain text response message, content-type application/json, 'internal server error')"
App: *blows the fuck up*
*msg service team*
Me: "Getting a 200 with a plaintext response containing an internal server exception"
Team: "Yeah, what's the problem?"
Me: "...200 means success, the message suggests 500. Either way, it should be one of the error codes. We use the status code to determine how the application processes the request. What do the logs say?"
Team: "Log says that the user wasn't signed in. Can you not read the response message and make a decision?"
Me: "The status for that is 401. And no, that would require us to know every message you have verbatim, in this case, it doesn't even deserialize and causes an exception because it's not actually json."
Team: "Why 401?"
Me: "It's the code for unauthorized. It tells us to redirect the user to the sign in experience"
Team: "We can't authorize until the user signs in"
Me: *angermatopoeia* "Just, trust me. If a user isn't logged in, return 401, if they don't have permissions you send 403"
Team: *googles SO* "Internet says we can use 500"
Me: "That's server error, it says something blew up with an unhandled exception on your end. You've already established it was an auth issue in the logs."
Team: "But there's an error, why doesn't that work?"
Me: "It's generic. It's like me messaging you and saying, "your service is broken". It doesn't give us any insight into what went wrong or *how* we should attempt to troubleshoot the error or where it occurred. You already know what's wrong, so just tell me with the status code."
Team: "But it's ok, right, 500? It's an error?"
Me: "It puts all the troubleshooting responsibility on your consumer to investigate the error at every level. A precise error code could potentially prevent us from bothering you at all."
Team: "How so?"
Me: "Send 401, we know that it's a login issue, 403, something is wrong with the request, 404 we're hitting an endpoint that doesn't exist, 503 we know that the service can't be reached for some reason, 504 means the service exists, but timed out at the gateway or service. In the worst case we're able to triage who needs to be involved to solve the issue, make sense?"
Team: "Oh, sounds cool, so how do we do that?"
Me: "That's down to your technology, your team will need to implement it. Most frameworks handle it out of the box for many cases."
Team: "Ah, ok. We'll send a 500, that sound easiest"
Me: *..l.. -__- ..l..* "Ok, let's get into the other 5 problems with this situation..."
Moral of the story: If this is you: learn the protocol you're utilizing, provide metadata, and stop treating your customers like shit.
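The 401/403 split argued for in the rant above, as an added example that is not part of the original post or of any service it mentions: a small WSGI handler that puts the outcome in the status line, and a consumer that branches on the code before it parses anything. The tokens, roles, routes and function names are constructed for illustration.

```python
import io
import json

# Constructed sample data (assumptions, not from the post): tokens, roles, routes.
SESSIONS = {"tok-alice": {"user": "alice", "roles": {"reader"}},
            "tok-admin": {"user": "root", "roles": {"reader", "admin"}}}
ROUTES = {"/reports": "reader", "/admin/users": "admin"}  # path -> required role
REASONS = {200: "OK", 401: "Unauthorized", 403: "Forbidden",
           404: "Not Found", 500: "Internal Server Error"}


def api(environ, start_response):
    """Hypothetical service: the status line, not the body text, carries the outcome."""
    def reply(status, payload, extra=()):
        body = json.dumps(payload).encode()
        headers = [("Content-Type", "application/json"),
                   ("Content-Length", str(len(body)))] + list(extra)
        start_response(f"{status} {REASONS[status]}", headers)
        return [body]

    try:
        auth = environ.get("HTTP_AUTHORIZATION", "")
        session = SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None
        if session is None:
            # Not signed in or unknown token: 401 plus a challenge header.
            return reply(401, {"error": "login_required"},
                         [("WWW-Authenticate", 'Bearer realm="api"')])
        path = environ.get("PATH_INFO", "")
        if path not in ROUTES:
            return reply(404, {"error": "not_found"})
        if ROUTES[path] not in session["roles"]:
            # Signed in, but the role is missing: 403.
            return reply(403, {"error": "insufficient_role"})
        return reply(200, {"user": session["user"], "path": path})
    except Exception:
        # Genuinely unexpected failure: 500, and no internals leak into the body.
        return reply(500, {"error": "internal"})


def call(path, token=None):
    """Invoke the app in-process; returns (status_code, headers, raw_body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.input": io.BytesIO()}
    if token:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(headers)

    body = b"".join(api(environ, start_response))
    return captured["status"], captured["headers"], body


def triage(status, headers, body):
    """Consumer side: decide on the status code before touching the body."""
    if status == 401:
        return "redirect_to_login"
    if status == 403:
        return "show_permission_denied"
    if status == 404:
        return "fix_client_endpoint"
    if status >= 500:
        return "page_service_team"
    # Only a success body is parsed; a 200 that is not JSON breaks the contract.
    if not headers.get("Content-Type", "").startswith("application/json"):
        return "contract_violation"
    try:
        json.loads(body)
    except ValueError:
        return "contract_violation"
    return "ok"
```

The handler authenticates before it looks up the route, so an unauthenticated caller gets 401 for every path and cannot use 404 versus 403 to map which endpoints exist.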
> "403 Forbidden: The server understood the request, but is refusing to fulfill it."
So I went for a movie last night in one of the biggest malls in my city and this is what I found.
This is the pic of one of those touch screen monitors they have for information..
Come on guys.
So I was asked to create a new feature for an API.
I warned the client by email that it would make them unable to use an existing API call, and that it would always return 403 forbidden to them. They said okay.
I implemented the feature. Two weeks later I get an email: "Why doesn't the API work anymore? We keep getting 403 messages"
Long rant ahead.. so feel free to refill your cup of coffee and have a seat 🙂
It's completely useless. At least in the school I went to, the teachers were worse than useless. It's a bit of an old story that I've told quite a few times already, but I had a dispute with said teachers at some point after which I wasn't able nor willing to fully do the classes anymore.
So, just to set the stage.. le me, die-hard Linux user, and reasonably initiated in networking and security already, to the point that I really only needed half an ear to follow along with the classes, while most of the time I was just working on my own servers to pass the time instead. I noticed that the Moodle website that the school was using to do a big chunk of the course material with, wasn't TLS-secured. So whenever the class begins and everyone logs in to the Moodle website..? Yeah.. it wouldn't be hard for anyone in that class to steal everyone else's credentials, including the teacher's (as they were using the same network).
So I brought it up a few times in the first year, teacher was like "yeah yeah we'll do it at some point". Shortly before summer break I took the security teacher aside after class and mentioned it another time - please please take the opportunity to do it during summer break.
Coming back in September.. nothing happened. Maybe I needed to bring in more evidence that this is a serious issue, so I asked the security teacher: can I make a proper PoC using my machines in my home network to steal the credentials of my own Moodle account and mail a screencast to you as a private disclosure? She said "yeah sure, that's fine".
Pro tip: make the people involved sign a written contract for this!!! It'll cover your ass when they decide to be dicks.. which spoiler alert, these teachers decided they wanted to be.
So I made the PoC, mailed it to them, yada yada yada... Soon after, next class, and I noticed that my VPN server was blocked. Now I used my personal VPN server at the time mostly to access a file server at home to securely fetch documents I needed in class, without having to carry an external hard drive with me all the time. However it was also used for gateway redirection (i.e. the main purpose of commercial VPN's, le new IP for "le onenumity"). I mean for example, if some douche in that class would've decided to ARP poison the network and steal credentials, my VPN connection would've prevented that.. it was a decent workaround. But now it's for some reason causing Moodle to throw some type of 403.
Asked the teacher for routers and switches I had a class from at the time.. why is my VPN server blocked? He replied with the statement that "yeah we blocked it because you can bypass the firewall with that and watch porn in class".
Alright, fair enough. I can indeed bypass the firewall with that. But watch porn.. in class? I mean I'm a bit of an exhibitionist too, but in a fucking class!? And why right after that PoC, while I've been using that VPN connection for over a year?
Not too long after that, I prematurely left that class out of sheer frustration (I remember browsing devRant with the intent to write about it while the teacher was watching 😂), and left while looking that teacher dead in the eyes.. and never have I been that cold to someone while calling them a fucking idiot.
Shortly after I've also received an email from them in which they stated that they wanted compensation for "the disruption of good service". They actually thought that I had hacked into their servers. Security teachers, ostensibly technical people, if I may add. Never seen anyone more incompetent than those 3 motherfuckers that plotted against me to save their own asses for making such a shitty infrastructure. Regarding that mail, I not so friendly replied to them that they could settle it in court if they wanted to.. but that I already knew who would win that case. Haven't heard of them since.
So yeah. That's why I regard those expensive shitty pieces of paper as such. The only thing they prove is that someone somewhere with some unknown degree of competence confirms that you know something. I think there's far too many unknowns in there.
Nowadays I'm putting my bets on a certification from the Linux Professional Institute - a renowned and well-regarded certification body in sysadmin. Last February at FOSDEM I did half of the LPIC-1 certification exam, next year I'll do the other half. With the amount of reputation the LPI has behind it, I believe that's a far better route to go with than some random school somewhere.
Another non programming related rant although kinda tech related.
So I work in a distribution center and today I learned box packing.
1. THEIR LEGACY ASS SYSTEM ONLY RUNS ON IE (FUCK ME IN THE ASS SIDEWAYS PLEASE).
2. SYSTEM CONSTANTLY FREEZES.
3. THE HAND SCANNERS RUN ON AN OLD FUCKING LEGACY WINDOWS (PRE 2000 I THINK) SYSTEM AND IS SLOW AS MOTHERFUCKING HELL.
Yes, it is VERY frustrating to have to work with this FUCKING SHIT THE WHOLE MOTHERFUCKING DAY.
Plus side today, the locations I had to pick from today included 200, 403 and 404. Had loads of inside jokes about not being able to find locations and not having permission etc 😆
Poorly written docs.
I've been fighting with the Epson T88VI printer webconfig api for five hours now.
The official TM-T88VI WebConfig API User's Manual tells me how to configure their printer via the API... but it does so without complete examples. Most of it is there, but the actual format of the API call is missing.
It's basically: call `API_URL` with GET to get the printer's config data (works). Call it with PUT to set the data! ... except no matter what I try, I get either a 401:Unauthorized (despite correct credentials), 403:Forbidden (again...), or an "Invalid Parameter" response.
I have no idea how to do this.
I've tried literally every combination of params, nesting, json formatting, etc. I can think of. Nothing bloody works!
All it would have taken to save me so many hours of trouble is a single complete example. Ten minutes' effort on their part, tops.
Online applications are so much worse than the classic snail mail ones, because some companies just don't seem to give a single fuck about the quality of their application application (hehe).
This results in such joyous things like:
• "Allowed file types: doc, docx, pdf, jpg, zip"
• "Max filesize 3mb"
• "One of your files does not meet the requirements" (doesn't tell you which)
• "Upload timed out, please try again"
• 403 forbidden
• "Your account does not have the necessary permissions to upload more than 4 files at once"
• clicking the submit button leads to a 404
• "Please explain why you want to work for us." 500 character limit
• Google forms
I’m going through the book automate the boring stuff and I’m working on the chapter with web scraping right.
Well I wanted to just count all of the comic links that are in the xkcd archive as a small exercise to help me get used to and better learn web scraping.
I go through hell trying to do this, but more than a few hours later I have finally done it: I returned every link of ONLY the comics, so it was time to start counting them.
I implemented the counting. The total number as of today is 2279 and my code counted 2278, and I started to lose it.
So I go through this motherfucker manually to see where my loops count and the count on the tags start to differ. I found it, whoever made it went from 403 to 405. The euphoria I felt for this incredibly small task was incredible. (Still haven’t pieced it together yet)
I found the email of the guy who I assume owns the site and I started writing an email that basically said “hey the count of your comics is off by one and you made me rethink existence trying to figure out why, you skipped number 404-”
I look at the gap between 403 and 405. Then the words “Error 404 Not Found” popped into my head. I proceeded to scream for a second and stopped writing the email and now I’m trying to come to terms with this.
TL;DR the guy who runs xkcd comics trolled me with a simple error 404 joke
Sometimes I got one of these:
404 Not found
502 Bad gateway
Most of the time I got a 702 Incompatible user.
Around 2 years ago, I had first discovered DevRant.
I was an intern in a startup then, and I was working on ElasticSearch. I remember making rants about it. The internship ended. So did my relationship with ElasticSearch.
This week, a new intern joined our organisation (a different organisation). He was assigned the task of deploying ElasticSearch, with me as his mentor. All was going good, we migrated data from MongoDB to ElasticSearch and all.
Back then, I used to curse the team lead (leading a team of interns mostly), for not helping me properly...
I wanted a publicly accessible dashboard, since we can't really see the Kibana dashboard with SSH :P... So, we implemented user authentication using X-Pack security. And here we are, stuck... Again... I'm unable to help the intern. The World has come to a full circle.
PS: I have to just guide him while doing my own User Stories.
ARE YOU SERIOUS??
I never really used Facebook but I did use Instagram until around a month ago when GDPR kicked in and they asked every user about their age. For shits and giggles I entered "1 year old" which was followed by the app crashing every time I open it and on the web site a message like this:
"You are too young to use Instagram. You will have 14 days until your account gets deleted. If you think we made a mistake you can send us your personal id."
As if I sent anything personal to FB on purpose! Then so it be, I said. I downloaded my data (images and account details) and after two weeks I couldn't login anymore and I checked on a friend's phone within Instagram: My account was gone.
NOW LOOK WHAT I GOT TODAY:
A NEWSLETTER from Instagram! "Check out new posts by X, Y and 8 others!"
Now, these aren't new... I would get these emails when I haven't logged in for a while. But seriously? My accounts should be GONE!
Sooo I logged in again. And when I tried I got this (freely translated):
"Apparently, you requested to delete this account. For more information, visit the help area: http://help.instagram.com/ (403) (/accounts/login/ajax/)"
So that's it. Yeah sure, "deleted". I didn't request the delete, Instagram did so on its own. So it doesn't even listen to its own commands...
Guys, where is this world heading?
Not much of a hack, just a stupid thing that works.
In my hs videogame programming class, the teacher has this program called LANSchool (most of you have heard of it) which he used to restrict apps/browsers to the point of uselessness. He didn't (and still doesn't) know anything about the stuff he 'teaches', most is taught by TAs.
Here's the dumb part: he WHITELISTED APPS. A friend, one of the TAs, figured out that if you rename something 'Google Chrome', lanschool wouldn't care. So I got Chromium (for unblocked internet) and switched its blue icons in the exe for original chrome icons, then renamed it 'Google Chrime'. Woo.
LANSchool is such a bad program (you can even unblock a site by spamming the F key for refresh).
The teacher did, and still does, treat the TAs like trash. He's a babysitter while students listen to online vids and the TAs.
I wake up to a mail saying my website is down. I visit my website and for some reason I get a 403 all of a sudden.
I get out of bed, turn on my pc, go do my stuff. When I'm done, it turns out Windows strikes once again!
"In cozy Robot City, robots #403 and #405 are tucked in and accounted for, but #404 is missing." Sounds like finding Nemo, but you must find 404 this time 😂
SO MAD. Hands are shaking after dealing with this awful API for too long. I just sent this to a contact at JP Morgan Chase.
1. I'm having absolutely no luck logging in to this account to check the Order Abstraction service settings. I was able to log in once earlier this morning, but ever since I've received this frustratingly vague "We are currently unable to complete your request" error message (attached). I even switched IP's via a VPN, and was able to get as far as entering the below Identification Code until I got the same message. Has this account been blocked? Password incorrect? What's the issue?
2. I've been researching the Order Abstraction API for hours as well, attempting to defuddle this gem of an API call response:
NOWHERE in the documentation (last updated 14 months ago) is there any reference to this^^ error or any sort of standardized error-handling description whatsoever - unless you count the detailed error codes outlined for the Hosted Payment responses, which this Order Abstraction service completely ignores. Finally, the HTTP response status code from the Abstraction API is "200 OK", signaling that everything is fine and dandy, which is incorrect. The error message indicates there should be a 400-level status code response, such as 401 Unauthorized, 403 Forbidden or at least 400 Bad Request.
Frankly, I am extremely frustrated and tired of working with poorly documented, poorly designed and poorly maintained developer services which fail to follow basic methodology standardized decades ago. Error messages should be clear and descriptive, including HTTP status codes and a parseable response - preferably JSON or XML.
This whole piece of garbage is junk. If you're big enough to own a bank, you're big enough to provide useful error messages to the developers kind enough to attempt to work with you.
just found out a vulnerability in the website of the 3rd best high school in my country.
TL;DR: they had buried in some folders a c99 shell.
i am a beginner html/sql/php guy and really was looking into learning a bit here and there about them because i really like problem solving and found out ctfs mainly focus on this part of programming. i am a c++ programmer which does school contest like programming problems and i really enjoy them.
now back on topic.
with this urge to learn more web programming i said to myself what other method to learn better than real life sites! so i did just that. i first checked my school site. right click. inspect element. it seemed the site was made with wordpress. after looking more into the html code for the site i concluded all the images and files i could see on the site were from a folder on the server named 'wp-content/uploads'. i checked the folder. and here it got interesting. i did a get request on the site. saw the details. then i checked the site. bingo! there are 3 folders named '2017', '2018', '2019'. i said to myself: 'i am god.'
i could literally see all the announcements they have made from 2017-2019. and they were organised by month!!! my curiosity to see everything got me to the final destination.
with this adrenaline i thought about another site. in my city i have the 3rd most acclaimed high school in the country. what about checking their security?
so i typed the web address. looked around. again, right click, inspect element and looked around the source code. this time i was more lucky. this site is handmade!!! i was soooo happy because with my school's site i was restricted with what they have made with wordpress and i don't have much experience with it.
and so i began looking what request the site made for the logos and other links. it seemed all the other links on the site were with this format: www.site.com/index.php?home. and i was very confused and still am. is this referencing some part of the site in the index.php file? is the whole site written inside the index.php file and with the question mark you just get to a part of the site? i don't really get it.
so nothing interesting inside the networking tab, just some stylesheets for the site's design i guess. i switched to the debugger tab and holy moly!! yes, it had that tree structure. very familiar. just like a project inside codeblocks or something familiar with it. and then it clicked me. there was the index.php file! and there was another folder from which i've seen nothing from the network tab. i finally got a lead!! i returned in the network tab, did a request to see the spgm folder and boooom a site appeared and i saw some files and folders from 2016. there was a spgm.js file and a spgm.php file. there was a contrib, flavors, gal and lang folders. then it once again clicked me! the lang folder was last updated this year in february. so i checked the folder and there were some files named lang with the extension named after their language and these files were last updated in 2016 so i left them alone. but there was this little snitch, this little 650K file named after the name of the school's site with the extension '.php' aaaaand it was last modified this year!!!! i was so excited! i thought i found a secret and different design of the site or something completely else! i clicked it and at first i was scared there was this black/red theme going on my screen and something was a little odd. there were no school announcements or event, nononoooo. this was still a tree structured view. at the top of the site it's written '!c99Shell v. 1.0...'
this was a big nono. i saw i could access all kinds of folders. then i switched to the normal school website and tried to access a folder i have seen named userfiles and got a 403 forbidden error. wopsie. i then switched to the c99 shell website and tried to access the userfiles folder and my boy showed all of its contents. it was nakeeed naked. like very naked. and in the userfiles folder there were all, but i mean ALL files and folders they have on the server. there was a file with the salary of each job available in the school. some announcements. there was a list with all the students which failed classes. there were folders for contests they held. it was an absolute mess and i couldn't believe it.
i stopped and looked at the monitor. what have i done? just to learn some web programming i just leaked the server of the 3rd most famous high school in my country. imagine a black hat which would have seriously caused more damage. currently i am writing an email to the school to upgrade their security because it is reaaaaly bad.
and the journey didn't end here. i 'hacked' the site 2 days ago and just now i thought about writing an email to the school. after i found i could access the WHOLE server i searched for the real attacker so if you want to know how this one went let me know in the comments.
sorry for the long post, but couldn't hold it anymore
Has any of you reached a point that you want to resign from work because of a client?
We are dealing with a client at work that uses the app for prototyping instead of making designers create wireframe, imagine the amount of code to write, edit, remove, write it again and yet there is always something that isn't right from the client point of view.
What is even worse backend guys screw the server and I am the one to be blamed for errors: 5xx
I even get blamed for error 400 (bad request) when that request passes tests but all of a sudden server returns 400, when you hit refresh the exact same moment of error and server decides to return data and stop throwing error 400.
I also get blamed for server fails to return data from a search endpoint, and if server throws 403 for a public endpoint.
This isn't a rant or getting out of my system but I need opinions, I've been working on this project for a year, with complete mess from either client or backend team, if any of you were in my place, what would you do?
I'm not a complete guy either, but that situation is just beyond my abilities to handle.
Google has a really strange idea of what a rate limit is.
I’m trying to feed a few hundred URLs into the link shortener service. Docs say “1m a day, 1 req per second per user.”
No problem. Put a 1.2s sleep between hits.
Almost to the end... 403 rate limit exceeded.
Stop turning off the monitors. That doesn't sign you out or turn off the computer, it just makes the next person wonder what's taking so long.
Imagine requesting something from a girl/boy you're interested in, and getting replies in Http codes...
What are the funniest?
402: Payment required
Change code here, 500
Revert and change code there, 403
Revert and change code at both the places, 404
Revert and have a Potato
Got my new pc up and running, asrock x370 killer sli/ac mobo, ryzen 2200g cpu and radeon rx550 with 12g ram (don't ask). Nothing fancy but sure beats my old am2 system! New pc is so quiet :D
A common walkthrough with Laravel deployment:
1.) Error 403
2.) Internal server error 🤔
3.) bad require paths in index.php....
4.) Whooops something went wrong.. What?.... Look at log file with 2MB size
5.) View not found
1337 haxxor here! jk, but it's fun to analyze the sourcecode of a streaming site to find the video source giving a 403 error on direct download unless i force the beforeload-address as a referrer. quite the feeling like my first ftp-download album back in the days.
i know i am childish.
Employee at leasing office told that they have apartments 401 and 403 available. I have asked for 200 !!
Anybody else really annoyed at all these people getting mad at Zuckerberg? Like, I've always questioned privacy of the internet in general. If you're dumb enough to put sensitive info on the internet (especially on social media) then you shouldn't have the right to complain about privacy. It's your responsibility to protect your information.
While working with Django Rest Framework, the Post and Delete requests were giving me 403 error. With no help from stack overflow, I decided in vain to check it with Firefox browser instead of Chrome.
IT FUCKING WORKS ON FIREFOX!! HOW THE FUCK??
Things like this are responsible for my mid life crisis.
A Yahtzee game.
In fewer lines than my first try in 2010.
Fyi... It was like only 15 thousand lines with if else statements .... Nuthin much.
Has anyone in Norway/Scandinavia ordered a devduck/apparel from the swag store and can tell me how long it took? Want to order one, but not until at the start of next year.
2 days hard thinking why my prepared statement was not saved to the database, until I found this
And I only put the parameter with ADDATA
How beautiful my life. Thanks ADDDDDDDDDSDDDDSSDDSDDDDDDSDDDDDDATA
npm ERR! publish Failed PUT 403
npm ERR! code E403
npm ERR! You cannot publish over the previously published versions: 1.1.69. : weschemajs
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/lopu/.npm/_logs/2018-09-29T11_20_28_594Z-debug.log
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! firstname.lastname@example.org run: `./src/index.sh`
npm ERR! Exit status 1
npm ERR! Failed at the email@example.com run script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/lopu/.npm/_logs/2018-09-29T11_20_28_638Z-debug.log
lopu@lopu-pro:~/Dropbox/git/weyoume/wepublish/dev-wepublish$ npm view weschemajs version
lopu@lopu-pro:~/Dropbox/git/weyoume/wepublish/dev-wepublish$ npm view weschemajs version
Ok, so for the past 1 whole day I have been trying to make vhost work on my brand new laptop, running Ubuntu 16.04 LTS... When I installed OS, I've set hard disk encryption, and on top of it - user home folder encryption. Don't ask me why I did both.
Setting up vhost is simple and straightforward - I did it hundreds, maybe thousands of times, on various Linux distros, server and desktop releases alike.
And of course, as it usually happens, opposed to all logic and reason - setting up virtual host on this machine didn't work. No matter what I do - I get 403 (access not allowed).
All is correctly set - directory params in apache config, vhost paths, directory params within vhost, all the usual stuff.
I thought I was going crazy. I go back to several live servers I'm maintaining - exactly the same setup that doesn't work on my machine. Google it, SO-it, all I can see is exactly what I have been doing... I ended up checking char by char every single line, in disbelief that I cannot find what is the problem.
And then - I finally figured it out after losing one whole day of my life on it:
I was trying to setup vhost to point to a folder inside my user's home folder - which is set to be encrypted.
Aaaaaand of course - even with all right permissions - Apache cannot read anything from it.
As soon as I tried any other folder outside my home folder - it worked.
I cannot believe that nobody encountered this issue before on Stackoverflow or wherever else.
I hate AWS sometimes, their error codes and messages for s3 is a whole load of bullshit.
do getObject on a file that doesn't exist that's 403: AccessDenied: Access Denied
do a headObject on a file that doesn't exist
4.3: Forbidden: null
when one tool says your site is 200 from Chinese IPs, but another says it's 403 for the same IPs...
which one is it?