!Story

The day I became the 400 pound Chinese hacker 4chan.

I built this front-end solution for a client (but behind a back end login), and we get on the line with some fancy European team who will handle penetration testing for the client as we are nearing dev completion.

They seem... pretty confident in themselves, and pretty disrespectful to the LAMP environment, and make the client worry even though it's behind a login the project is still vulnerable. No idea why the client hired an uppity .NET house to test a LAMP app. I don't even bother asking these questions anymore...

And worse, they insist we allow them to scrape for vulnerabilities BEHIND the server side login. As though a user was already compromised.

So, I know I want to fuck with them. and I sit around and smoke some weed and just let this issue marinate around in my crazy ass brain for a bit. Trying to think of a way I can obfuscate all this localStorage and what it's doing... And then, inspiration strikes.

I know this library for compressing JSON. I only use it when localStorage space gets tight, and this project was only storing a few k to localStorage... so compression was unnecessary, but what the hell. Problem: it would be obvious from exposed source that it was being called.

After a little more thought, I decide to override the addslashes and stripslashes functions and to do the compression/decompression from within those overrides.

I then minify the whole thing and stash it in the minified jquery file.

So, what LOOKS from exposed client side code to be a simple addslashes ends up compressing the JSON before putting it in localStorage. And what LOOKS like a stripslashes decompresses.

Now, the compression does some bit math that frankly is over my head, but the practical result is if you output the data compressed, it looks like mandarin and random characters. As a result, everything that can be seen in dev tools looks like the image.

So we GIVE the penetration team login credentials... they log in and start trying to crack it.

I sit and wait. Grinning as fuck.

Not even an hour goes by and they call an emergency meeting. I can barely contain laughter.

We get my PM and me and then several guys from their team on the line. They share screen and show the dev tools.

"We think you may have been compromised by a Chinese hacker!"

I mute and then die my ass off. Holy shit this is maybe the best thing I've ever done.

My PM, who has seen me use the JSON compression technique before and knows exactly whats up starts telling them about it so they don't freak out. And finally I unmute and manage a, "Guys... I'm standing right here." between gasped laughter.

If only it was more common to use video in these calls because I WISH I could have seen their faces.

Anyway, they calmed their attitude down, we told them how to decompress the localStorage, and then they still didn't find jack shit because i'm a fucking badass and even after we gave them keys to the login and gave them keys to my secret localStorage it only led to AWS Cognito protected async calls.

Anyway, that's the story of how I became a "Chinese hacker" and made a room full of penetration testers look like morons with a (reasonably) simple JS trick.

I think about adding a "We don't use cookies"-popup to our upcoming website rework.
Why not list other things? "We don't store your IP-address"-popup? Or "We use HTML"-popup?

I'M BACK TO MY WEBDEV ADVENTURES GUYS! IT TOOK ME LIKE 4 MONTHS TO STOP BEING SO FUCKING DEPRESSED SO I CAN ACTUALLY STAND TO WORK ON IT AGAIN

I learned that the linear gradient looks cool as FUCK. Honestly not too fond of the colors I have right now, but I just wanted to have something there cause I can change it later. The page has evolved a bunch from my original concept.

My original concept was the bar in the middle just being a URL bar and having links on the sides. If I had kept that, it would have taken me a few hours to get done. But as time went on when I was working on it, my idea kept changing. Added the weather (had a forecast for a while but the code was gross and I never looked at the next days anyways, so I got rid of it and kept the current data). I wanted to attempt an RSS reader, but yesterday I was about to start writing the JavaScript to parse the feeds, then decided "nah", ended up making the space into a todo list.

The URL bar changed into a full command bar (writing the functions for the commands now, also used to config smaller things, such as the user@hostname part, maybe colors, weather data for city and API key, etc)....also it can open URLs and subreddits (that part works flawlessly). The bar uses a regex to detect if it's a legit URL (even added shit so I don't need http:// or https://), and if it's not, just search using duckduckgo (maybe I'll add a config option there too for search engines).

At this very moment it doesn't even take a second to fully load. It fetches weather data from openweathermap, parses it, and displays it, then displays the "user" name grabbing a localstorage value.

I'm considering adding a sidebar with links (configurable obviously, I want everything to be dynamic, so someone else could use my page if they wanted), but I'm not too sure about it.

It's not on git yet because I was waiting until I get some shit finished today before I commit. From the picture, I want to know if anyone has any suggestions for it. Also note that I am NOT a designer. I can't design for shit.

Today I discovered localStorage and sessionStorage.

Thank you.

Today another story in this stupid company:
A freelancer created a feature to pay orders online . It took him 3 months (!)
Problem: sometimes people pay, but orders are not stored. Every morning, it takes 1 hour to check in db if the orders are stored, and if not, create them manualy
Yes, orders are created after payment.
Manager wants to fix it by creating the order before the payment, in 3 days (!)
Turns out that the freelancer has written a lot of obsolete code, I now have to clean up. 3 fucking months vs 3 fucking days!
And on top, the shoppingcart was stored in localstorage! (Already fixed by now)
Fuck this, I'm getting another wodka

it was not a technical interview.
just screening.

guy: tell me smth about redis.

me: key value, in memory storage.

guy: more

me: umm, the concept is similar to localStorage in browsers, key value storage, kinda in memory.

guy: so we use redis in browsers?

me: no, I mean the high level concept is similar.

guy: (internally: stupid, fail).

The platform my school is using was obviously designed and developed by people who hate students.

I've seen the teacher panel, and it looks really intuitive, allowing you to see test scores, missing assignments, attendance records easily, and it was obviously well thought-out

however, the UX as a student is a goddamn nightmare

First of all, there's like 5 different places where an instructor can post an assignment, so good luck keeping track of your work

Second of all, there's no way to sort assignments by completion status or due date. Just by when assigned

Third of all, the only way to see your grade in a class is if you dig through a series of menus and submenus and sidebars so complex and stupid it puts the Jira UI to shame

And finally, one of the 'features' of this platform is that students can submit a textbox with markdown formatting natively on the platform. And that should work great and all, but APPARENTLY THE FUCKING DEVELOPERS HAVE NEVER HEARD OF LOCALSTORAGE AND YOU JUST LOSE YOUR WORK IF YOU EVER CLOSE THE TAB FOR ANY REASON!

WITH NO FUCKING WARNING! NOT EVEN A LITTLE JAVASCRIPT ALERT OF ANYTHING!

JUST POOF! AN HOUR OF WORK GONE! YAY!

In conclusion, fuck you

"Wow, you knows how to hack the system"

Me: Well... I was one of the creators of that system...

Me inside: Please don't use localStorage ever again

Why people use cookies when you can use local storage and session storage?

It's incredible how many sites don't check / handle localStorage permissions.. they usually just completely break.

That is they use a div to block the view despite the page usually still working ..

There literally is an API to check for permissions..

So past week our Web Design teacher proposed a little HTML5 project for the class to make. I have been since that day until today trying to implement an OBLIGATORY drag and drop functionality to reorder a list and back it up to localStorage, but for some reason it wont work as it should. But what a surprise, today I arrive at class and he has changed the specifications of the project, allowing us to not implement that, or implement it differently. That singlehandledly made my day.

Here we go. GDPR(?) again.

Don't know where to ask this kind of stuff, SO is prolly too much and from my experience, you guys here always gave the best answers to stuff..

I'm currently working on a website as a project for finals (it's called Maturita/SOČ here :/) and it's supposed to be a dasboard where teachers can add some info about upcoming stuff and shit like that. Few things: No frameworks, just JS, PWA and Firebase. I've been hearing a lot of stuff about GDPR that I should comply with it and so on.

Here's the question: It's PWA and the data is currently stored in localStorage and planning to sync it to Firebase. What I store is name of the school, few URLs they enter in and the information they provide, like the upcoming events and such. Should I worry about GDPR in this case, and if so, what can I do?

So I'm looking for a tutorial somewhere to manage auth with react.

I have passport local setup with jwt in express, but looking to manage users in the front-end, managing the user state app wide, logging out, protected routes etc.

I've done some searching around but I can't see anything to concrete. Any pointers or articles would be great.

I was thinking of localStorage but not sure how to go about setting that up with react.

How Microsoft expect anyone to develop using any technology they introduce with so many limitations.
Moi a Microsoft dumb enthusiast said to myself : hey dude you are a developer stop whining about the app gap bust a move create decent array of apps and release them, went into a full project management mode wrote requirements did sketches and some prototypes, time to execute.
1. first app: image files organizer, viewer , with some light editor capabilities and album creator after some work i came to discover that you don't have a proper file system APIs to show a folder tree view in my app "WTF" there are work arounds and dirty solutions but seriously? i can only access the stupid media folders created by Microsoft and that's it.
so i ditched the apps until uwp become a development tools with target audience other than kids who eat crayons, and while using "Edge" i thought to my self : "you know what dude extensions are cool and if you do something like a speed dial it would be awesome"
fire up my text editor started writing my extension to discover that:
"you cannot use localStorage from local HTML files".
moral of the story
MS is failing with consumers not because people hate MS but rather MS hates itself like no engineer over there said to him self this is fking stupid ?
other limitations :
no proper system tray access
no registry access what so ever
and i have started 2 days ago.
yeah Ms this is the main app gap problem the uwp sucks big time. compared to android Java which has a great access to every aspect of the device even apple provide better APIs for their systems.
if uwp is MS future then rip MS.
please i stand corrected if anyone knows better.

Last fight was with a teammate. He turned so paranoic about using JavaScript. He says that using tools from the browser like localStorage id a risk and can fail easily. (The detail here is: if you ask him what is ES6, you blow his mind)

The worst thing about cookies is that almost all pages forget / don't realize you have to handle cookie ( -> localstorage ) permissions!

thanks to @olback i learned about localStorage today. excited me started to implement this. after half of the refactoring was done i had the brilliant idea to test it with the intended ie11 after everything was fine with firefox. only to find out localStorage is not supported for local sites.
fml

redux? why use redux? while you can put all global state in localstorage. (hmmm... -_-)

Since my question, in all likelihood, won't get answered on StackOverflow, I hope I can ask it here instead. I hope that's alright.

So, I am currently developing a Feathers + Nuxt boilerplate, and am using localStorage to store the jwt.
But I noticed if I set the localStorage with the jwt manually, it will act as if I'm logged in, bypassing the entire login-function. So I solved this by using an iframe with a script that clears localStorage (and log out the user, if logged in) when something changes in the localStorage (by using the eventListener "storage"). (I am also observing the iFrame if someone deletes it, in the console, and re-inserts itself).

My question is if this would carry any security risks? Like, would this be a bad thing to do, security wise? Is it alright to leave it alone and let users/visitors to set the jwt manually?

i understand way too little about web data types. while having to store a shitload of data in cookies (sorry for that, no localstorage for local sites, insensitive though) i was so proud of compressing strings with bitshifting only to find out that uriencoding bloats chinese characters massively up. fml

Just finished connecting my task manager (to-do list basically)using(angularjs,php)to my back end(it used localstorage previously now uses php and MySQL) now I can login ,register new users,create new tasks, set as priority.