Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
So one of my clients had a different company do a penetrationtest on one of my older projects.
So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.
So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.
Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.
And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.
Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.
I get a reaction. Everything is perfect now, good job!
In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD
But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.
And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.
Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.
2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.2 -
To whoever builds electron boilerplates.
STOP ADDING FUCKING JQUERRY AND WEBPACK TO THIS SHIT, I DONT EVEN USE YOUR BULLSHIT BUT OTHERS DO AND THATS WHY SO MANY ELECTRON APPS SUCK. WHO IN THEIR RIGHT MIND THINKS THAT THIS MADE SENSE PUT YOUR CSS LOADER ANAL PLUG IN TO YOUR ANUS AND BUNDLE THEM TO YOUR SINGLUAR BDSM.JS WITH BROWSER BACKFALLS AND BETTER MAKE SURE TO WHIPE YOUR DIRTY SHITFACE WITH A FULL BLOW CSS RESET BETTER MAKE SURE THERE IS NO ACCIDENTAL MOZILLA STYLE IN YOUR CHROME.3 -
Once upon a time i had a great idea.
Because i couldnt be bothered to do anything productive i created a simple app in the C# that would look into every .js file (from a game that uses it for the gui/main menu) and search for "//todo" lines.
I did it mostly for kicks. I got that idea when i encountered one //todo in a file when i was trying to mod that game.
Yes i know grep exists: fuck you.
It would have taken me more time to learn that than to write that 20 line program...
The result? Over 30 lines of //todo with some briliant pearls in the type of:
>Temp workaround because X
>Workaround for race condition
>Clean that up
>Obsolete
When i return home i will post real quotes. They might be amusing to read...
The game is based on a custom C++ engine. HTML, CSS and JS is used for main menu and some graphical interface in game.
The most amusing thing is that this inefficient sack of chicken shit is powering one of the biggest (no playerbase but unit, world, gameplay vise) rts that i have ever played.
But still in spite of a dead community, buggy gui as shit and other problems i love this game and a lot of other people love it too. It is a great game when it works correctly.
To the interested: JS portion uses jquerry and knockout lib.14 -
Let's pick a datepicker for the project. Me: jquery-ui ? Supervisor: No something better.
Jquery-ui: any css selector, standard date format masks (dd/mm/yyyy or mm-dd-yyyy....), Opens if the field is access using Tab key
Something better: only Id selector, custom date format mask ( %d/%m/%Y ...), Tab does not work -
It seems they mistaken me for italian giving me spaghetti all over the product. Go to frontend to check the app, react with weird jQuery, no routes, pages summoned by the templates that have concatenated values and html in vanilla js, changing screens/pages with jQuery, no router... ok lets see the other app, react, redux, offline capabilities and tought myself niicee hut nothing work as intended with clusterfuck of hacky workarounds that makes app look like it is working but with hardcoded data. Offline means automatic sync when you get the network back, right? Oh backend never developed any sync, so you guys can do it, we have to fix and patch some important stuff! I don't like php but whatever, let's see what is going on there... So much spaghetti bolognese there that Bologna actually called to ask if they can buy some, they are out of stock because of us!
This is just like that song mess.css from stdout, but in any file you open!
Living on deserted island eating grass and coconut for the rest of the life doesn't seem so bad atm!4
Top Tags
Weekly Rant
View