Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
!Story
The day I became the 400 pound Chinese hacker 4chan.
I built this front-end solution for a client (but behind a back end login), and we get on the line with some fancy European team who will handle penetration testing for the client as we are nearing dev completion.
They seem... pretty confident in themselves, and pretty disrespectful to the LAMP environment, and make the client worry even though it's behind a login the project is still vulnerable. No idea why the client hired an uppity .NET house to test a LAMP app. I don't even bother asking these questions anymore...
And worse, they insist we allow them to scrape for vulnerabilities BEHIND the server side login. As though a user was already compromised.
So, I know I want to fuck with them. and I sit around and smoke some weed and just let this issue marinate around in my crazy ass brain for a bit. Trying to think of a way I can obfuscate all this localStorage and what it's doing... And then, inspiration strikes.
I know this library for compressing JSON. I only use it when localStorage space gets tight, and this project was only storing a few k to localStorage... so compression was unnecessary, but what the hell. Problem: it would be obvious from exposed source that it was being called.
After a little more thought, I decide to override the addslashes and stripslashes functions and to do the compression/decompression from within those overrides.
I then minify the whole thing and stash it in the minified jquery file.
So, what LOOKS from exposed client side code to be a simple addslashes ends up compressing the JSON before putting it in localStorage. And what LOOKS like a stripslashes decompresses.
Now, the compression does some bit math that frankly is over my head, but the practical result is if you output the data compressed, it looks like mandarin and random characters. As a result, everything that can be seen in dev tools looks like the image.
So we GIVE the penetration team login credentials... they log in and start trying to crack it.
I sit and wait. Grinning as fuck.
Not even an hour goes by and they call an emergency meeting. I can barely contain laughter.
We get my PM and me and then several guys from their team on the line. They share screen and show the dev tools.
"We think you may have been compromised by a Chinese hacker!"
I mute and then die my ass off. Holy shit this is maybe the best thing I've ever done.
My PM, who has seen me use the JSON compression technique before and knows exactly whats up starts telling them about it so they don't freak out. And finally I unmute and manage a, "Guys... I'm standing right here." between gasped laughter.
If only it was more common to use video in these calls because I WISH I could have seen their faces.
Anyway, they calmed their attitude down, we told them how to decompress the localStorage, and then they still didn't find jack shit because i'm a fucking badass and even after we gave them keys to the login and gave them keys to my secret localStorage it only led to AWS Cognito protected async calls.
Anyway, that's the story of how I became a "Chinese hacker" and made a room full of penetration testers look like morons with a (reasonably) simple JS trick.
9 -
For fucks sake, just because you don't know anything besides JS, you don't have to constantly complain how it's "so fucked up"!
Yeah there's a lot of frameworks. So what? Python has 50+ wsgi frameworks just for server-side apps, Linux has literary hundreds of desktop environments, C++ has over 30 actively-developed UI frameworks, and let's not even get started on CMSs or game engines. And each language comes with its own dependency management or two, NPM discourages static linking & bundling dependencies until the very end, while some others only recommend dynamically linking widely-available dependencies & always bundling the remaining ones.
Software development is constantly evolving, and for most time there's no right or wrong approach. And when one approach is chosen over another, there's a reason for that. Imagine you just found a perfect library for your use case, but some idiot decided to only offer minified code with bundled jQuery? Or a different idiot made it impossible to have multiple versions of a dependency on your system without resorting to one of various third-party hacks?
Every language has a ton of various frameworks & libraries that ultimately do the same thing, every language has a bunch of design choices you probably don't understand at first, and every language was made with a purpose and the fact that you're using it proves it achieved that.
Last but not least, all devs had to learn about quirks in various languages, and they're fucking tired when someone who barely knows a language tries to act smart going "ahaha how the fuck 0.1 + 0.2 isn't 0.3".10 -
I recently ranted so much about languages but here it goes
JS we need to talk. BECAUSE YOU GOT FAT AND UGLY STUPID BITCH! Dumb piece of bloatware. What even is your problem? Depending on a library for strpad and then blow up like Steve jobs ego. Bastardized fuckfest. I used to like you bro and then you screw me over!
It's like you fuck my wife while I try to fix your car. Why can't you even be usefully on your own anymore? I'd be richer than bill gates if I get a dollar for every damn framework people pull from their asses. Are you writing this fuck while shitting so you can compare colors of your outcome?
Normalize the fucking base, don't add to the bukkakke! bitch is drowning already. Why is everyone jerking of to react and angular? When have YOU written something in vanilla the last time? Why even bother? Remove the core and hardcore every damn framework into the browsers. Guess that saves you 200kb. Oh wait I forgot that's about unminified jQuery.
Now I need to load about 2GB of dependencies, some creating code that puts code in my code to load code out of my code which was generated out of something that remotely resembles JS so every browser is able to execute my fancy shit. But hey, it's fast. And of course there are the fanboys. You are worse than apple fags. You sample your own jizz with your friends in a wine glass. there was a Time it was bad practice to mix logic and view. Now you made it mandatory. "Browser does the rendering" ofc you imbecile pile of fuck don't show me a damn preloader for 1 picture and 20 lines of text. Who fucked your brain so hard?
So react seems to be the cool kid now, then I tell someone I know angular it's like showing up in a pikachu onsie to a formal dinner with the queen.
I used to love you girl. I loved how we could dirty things together. Now you are like a pig. Please loose weight bby the sight of you disgusts me nowadays2 -
OMFG. Here's a self-rant for you all...
So, working on a JS library to build widgets, I five across some weird behaviour where I expect `$.ajax.apply()` to pass something to the chained `.done()` method, but it comes out differently.
Fuck. Right, time to visit StackOverflow and glean some knowledge.
I post a question, complete with examples and descriptions and a little midget unicorn in the corner for world peace.
Come back a bit later to see what's happened, and nobody understands my damn question!
So I proceed to debate a few points with some other devs, going back and forth for a while, but still nobody knows what I'm asking.
Fuck. Time for a JSFiddle...
Copy code from the jQuery docs and start modifying it to show what I was working with... Now suddenly is all working as the docs say.
O.o
So I go look back at my own code again to try work out what's actually going on.
Turns out I completely missed MY OWN CODE.
Fuck me.1 -
Fuck jQuery. The only reason I see anyone using it legitemately is because of backwards compatibility. Almost every jq method is either native js or native css. The problem is, some devs become practically dependent on a library. By then, they are no longer js devs. They are jQuery devs. When you find yourself going to the docs of a lib before native methods 9 times out of 10 you've gone past the turning point. When you find yourself including jQuery instinctively, you're gone. StackOverflow is a great example of this:
Question - 1 up
Pure JS answer - 0 ups
jQuery answer (same length) - 2 ups and accepted
Come on man. It's 2018! We shouldn't be writing jQuery anymore. Native methods ftw!15 -
So i'm visiting the JavaScript bubble every now and then when i'm writing on the userscript i develop to fix bugs in our ticketing system or fix some clients website they negelected. Every time i'm searching for answers to the weird problems that inevitably turn up i have to filter out all the threads that derail with the classic 'google jQuery basic arithmetic plugin' craziness to find an actual vanilla solution to my problem.
All the time i wonder why on earth people put up with this framework hell. This is part serious question and part rant but seriously, how did we come to this? With all that jQuery, React, Node, whatever stuff i'm kinda losing the overview over what's even todays standard. I always try to keep my code as vanilla as possible without using external libraries. But it seems the entire web development industry is heading the completly other way. I tried to look into a few frameworks but i never really see the appeal. Just now i looked up react native because the last 20 rants talked about it and immediately noped out because they fucking create a DOM in js, why the fuck would you do this?!
Worst thing about this framework shithole is that some frameworks are beeing pulled into the mix for very weird and unnecessary reasons. Best example is a charts library i recently used to visualize a database of temperatures that was completely written in native js but pulled jQuery in for the equivalent of window.addEventListener('load',function(stuff)) and i was furious. I rewrote the code and could throw out the jQuery dependency with no problem. What the fuck is wrong with people?
Alright since you made it here: I'm not trying to throw any of you under the bus for using frameworks. I just fail to understand why you would use these. To each their own and unless your site has the performance of the ticketing system i use at work that takes like 15 seconds to load one fucking page i won't complain at all. But pull in a framework just to do a task you can easily do in native js in remotely the same timeframe you are on my list.2 -
I wrote my first proper promise today
I'm building a State-driven, ajax fed Order/Invoice creation UI which Sales Reps use to place purchases for customers over the phone. The backend is a mutated PHP OSCommerce catalog which I've been making strides in refactoring towards OOP/eliminating spahgetti code and the need for a massive bootstrapper file which includes a ton of nonsense (I started by isolating the session and several crucial classes dealing with currency, language and the cart)
I'm using raw JS and jquery with copious reorganization.
I like state driven design, so I write all my data objects as classes using a base class with a simple attribute setter, and then extend the class and define it's attributes as an array which is passed to the parent setter in the construct.
I have also populateFromJson method in the parent class which allows me to match the attribute names to database fields in the backend which returns via ajax.
I achieve the state tracking by placing these objects into an array which underscore.js Observe watches, and that triggers methods to update the DOM or other objects.
Sure, I could do this in react but
1) It's in an admin area where the sales reps using it have to use edge/chrome/Firefox
2) I'm still climbing the react learning curve, so I can rapid prototype in jquery faster instead of getting hung up on something I don't understand
3) said admin area already uses jquery anyway
4) I like a challenge
Implementing promises is quickly turning messy jquery ajax calls into neat organized promise based operations that fit into my state tracking paradigm, so all jquery is responsible for is user interaction events.
The big flaw I want to address is that I'm still making html elements as JS strings to generate inputs/fields into the pseudo-forms.
Can anyone point me in the direction of a library or practice that allows me to generate Dom elements in a template-style manner.4 -
!rant apologies
I am a third year computer science student and I'm interested to see how professionals think I stack up against grads they have worked with straight from uni.
I have spent 15 months at a web company working on bespoke solo products on LAMP stacks. I know html, css, JavaScript and its library JQuery very well (I know JavaScript is massive to be saying I know it well)
I am reasonable at PHP and MySQL. Currently I am studying node.js and building an api that mashes up data from other APIs to build a new service. I'm also working on a C# Microsoft framework bespoke website. I know git to a reasonable level - branches, merges, rollbacks and all that jazz.
I am also studying development architectures to try and be more useful.
So if you guys came across a new grad that knew HTML, css, JavaScript, JQuery, maybe angular js, PHP, basic Linux commands, MySQL, C#, dev architectures, agile methods, node.js, git and has 15 months experience working on small to medium sized solo projects would you want to hire them?
Point to note I'll probably graduate first class (80%+) from a mid range uni.
Sorry, I know this is not the place but I like this community.5
Top Tags
Weekly Rant
View