Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "pen test"
-
Worst legacy experience...
Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.
Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.
The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.
Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).1 -
A client was talking to me all day asking about my "hacking" experience.
I taught he was going to ask for a pen test for his trampoline website. At the end of the day, he revealed he wanted me to hack the "competition's databases" so he can promote his "very unique trampoline accessory".
Guess what happened? Nothing, cause fuck legal trouble!7 -
In a moment of boredom I decided to pen test the new system I've been writing on the live server. Ran sqlmap but forgot to proxy my connection.
DDOS protection kicked in and blocked the entire offices connection to the server, had to drive home quickly to use my home internet to un-blacklist my office ip. 😂10 -
Spent all day on this.
Debugging hardware is fucked man...
Me proud.
Wanted to make a devrant logo like always (its my Hello world to test my CNCs now).
And.... When I finally had the machine calibrated... The pen stopped working lol.
I'll just continue tomorrow, it's finished...
Probably gonna use a few times and make a bigger one.26 -
I'm currently one of two "pen testers" for the anticheat system of a game.
It all started a few days ago when the developer handed me the obfuscated package and told me to go at it. No big deal, I've bypassed it before the obfuscation, so I just changed some imports and sent in the screenshot.
Fast forward 100+ hours, it's turned into a cat-and-mouse game. He sends us (the testers) an update, we break it within hours. We show him what we exploited and he attempts to fix it. Rinse and repeat.
Finally, today he patched the one hole that I've been using all this time: a field in a predictable location that contains the object used for networking. Did that stop me? No!
After hours of searching, I found the field in an inner class of an inner class. Here we go again.3 -
Do anybody remember when i wrote a rant about the IT teacher in my high school?
Few months ago we got the results from final exams! (we have precentage based grades)
Another thing to remember:
You can pick basic or extended version of the every test you take.
Everybody has to get at least 30% on basic exams (they are nessesary for everybody) to graduate from the school. The extended exams give you more points at university and they are not mandatory.
In addition to that extended ones dont have the lower limit
The IT exam has only the extended version (because its not mandator, you pick it yourself). It is pretty easy: just basic algorithms, basic C++ programs and general PC things.
I didnt take the IT class because i thougt i can learn much more at home. My friend took it. He is very good. He uses linux he wants to become a pen tester. I know he is worth getting 100% on that extended IT exam. (We did a lot of projects thogether)
Well... NOBODY GOT MORE THAN 20% on that exam! WTF!
That POS teacher should die in that win xp IT class with all ethernet cables stuck in his ass!
He didnt teach anything useful about algorithms to anybody! And that was the easiest and the most important part on the exam!
In addition to that people had to do few tasks on pc as well! And one of those tasks could been a picture in gimp BUT THE GIMP DIDNT EVEN WORK ON THOSE PC'S!
Algorithms are easy! That son of a twat didnt even understand it himself! That is why im telling everybody in my town to NOT go to that hight school for IT exam!
I dont want anybody to waste their life trying to learn something useful when that fucking bitch dosent understand anything!
That teacher is lucky. My friend got rejected from studing CS on university (due to the shit score) but he at least got accepted to study math.
I hope he will be able to continiue his dev dream.3 -
coolest bug our team had was not a actually a bug but a feature that is misused and abused.
tldr: its a feature that became a bug
we have an app that has a "test print" feature to test the printer and the format of the document to be printed. it has the word TEST for fields and all that.
it became a bug when suddenly, the users use that feature to print documents, instead of using the app with the business rules and all, and just manually strike off the TEST words with a pen.
the feature became a bug because it has become a security risk. -
TLDR;
How much do you earn for your skill set in your country vs your cost of living?
BONUS;
See how much I & others earn.
Recently I became aware of just how massive the gap in developers earnings are between countries. I'd love to calculate a fixed score for income vs cost of living.
I know this stuff is sensitive to some so if you prefer just post your score (avg income p/m after tax / cost of living).
I'm not shy so I'll go first:
MY RATES
Normal Rate (Long term): $23
Consulting / Short term: $30-$74
Pen Test: $1500 once off.
Pen Test Fixes: consulting rate.
Simple work/websites: min $400+
Family & Friends: Dev friends are usually free (when mutually beneficial). Family and others can fuck off, even if they can pay (I pass their info to dev friends with fair warning).
GENERAL INFO
Experience: 9 years
Country: South Africa
Developer rareness in country: Very Rare (+-90 job openings per job seeker).
Middle class wage in country: $1550 p/m (can afford a new car, decent apartment & some luxuries like beer/eating out).
Employment type: Permanent though I can and do freelance occasionally.
Client Locality: Mostly local.
Developer Type: Web Developer (True web dev - I do anything web related from custom HTTP servers to sockets, services, advanced browser api's, apps & more).
STACKS / SKILLSETS
I'M PROFICIENT IN:
python, JavaScript, ASP classic, bash, php, html, css, sql, msql, elastic search, REST, SOAP, DOM, IIS, apache
I DABBLE WITH:
ASP.net, C++, ruby, GO, nginx, tesseract
MY SPECIALTIES:
application architecture, automation, integrations, db's, real time data, advanced browser apps/extensions (webRTC, canvas etc).
SUMMARY
Avg income p/m after tax: $2250
Cost of living (car+rent+food): $1200
Score: 1.85
*Note: For integrity when calculating my cost of living I excluded debt repayments and only kept my necessities which are transport, food & shelter.
I really hope you guy's post your results, it would be great to get an idea of which is really the worst / best country to be a developer in.20 -
I wrote some simple pen test scripts that automatically get executed on every ip in my fail2ban log.
Ip count: 2500+ in a few days. Probably victims of botnet. Some have mysql, postgres, smb open and many of them support user/pass auth on their ssh.
The scripts were a lot of fun to write but I don't expect much results.5 -
Not a part of the test, but the test itself.
Imagine having to write in a language you don't really know with a pen and paper.
Glad I didn't get the job there because holy moly was that a pain in the ass.1 -
I just saw this rant: https://devrant.io/rants/841846/ which gave me flashbacks of my first programming class using C#.
Our professor made us write for the whole semester our code using a pen and paper (for tests).
Her grading was "easy." She would write the code in the computer exactly as we wrote it. If it compiles, you got an A, if not, you got an F.
The average test would take at least 5 pages...
Overall it was an interesting class, and I have to admit that I learned a lot.5 -
Coding would be fun right now.
But seems like i gitta do a night shift to rock network technology test tomorrow. The most annoying thing about this test is, that we have to calculate ip addresses by hand. Not too hard, but damn.. We are not allowed to write it down in hex, only binary (while calculating). And he wants to see interim steps in our calculations.. Even with IPv4 addresses it will be a great amount of 0s and 1s to write.
I better look for a second pen to take with me..1 -
Is there a service, or forum, where you can ask people to try to break into your software for free?
Stupid as that is, I kind of want a beginner security guy to pen test my server. Eventually I'll shell out cash for a real review, but I'd like a lite one now. 😔15 -
Since I started my routine of checking bug logs every morning, I've had 2 instances where a website vulnerability scanner was run against a production website and generated over 2,000 Coldfusion errors.
At the time, I was super nervous about the apparent hack attempt, and hyped that the attackers never actually got in. It's nice to know that despite the various errors indicating vulnerable / breakable code, they were ultimately unsuccessful. I know now that a determined attacker could probably have wrecked our production websites. Since then I've made a ton of security-related updates and I'm actually thankful for the script kiddie getting my attention with that scan.
PS. We're now building a website for a local security company who is going to work with us to pen test the site when it's finished! Gulp.4 -
Been working on pen testing an old ass web app written in a combination of 4 languages with the primary being asp, serious question for the older generation was concatenating SQL statements ever best practice or are the mob that wrote this just useless?
-
!rant
Well not really a CS teacher but it did happen to me during my uni days.
I had joined a marketing class as an elective since my Information Systems degree did have some business related stuff thrown in there.
One day the lecturer strutted in all smug and told us to take out a sheet of paper and we were gonna have a surprise test.
He has the test on a pen drive , apparently it was just 2 open ended type questions he was gonna plug into the class pc and send it to the projector screen.
To this day i have no clue what the hell he did, but that smug bastard managed to delete the test permanently 😂
He popped it in and we saw a few files there he selected them and was about to either drag to desktop or open them , the cursor changed to the wait hourglass , he right clicked and refreshed as if it would
Do anything but .... PooF.... Bye test 👋
He took the pen drive out and plugged it in again, but couldn't find the test file
He scowled then checked the desktop and recycle bin, nope 👎
He took his pen drive and silently walked out....
The other IT students and I were in stitches 😂2 -
What the hell am I!? I wonder if you guys can help me...
I've been programming most of my life but I've never actually been a developer by title or job role. I thought maybe if I list what I do and have done someone here could help? I'm sure there are more of you in a similar boat.
- C# and VB dev for some quick DBMS projects to help me understand and mine databases and create a nice simple view for project teams to show findings from the data to help make certain decisions.
- Automating a lot of my colleagues work with Python and if very restricted then just VBA macros in Excel and MSP. This did also include creating tools to gather data during workshops and converting the data for input into other systems.
- Brought Linux to the office with most team members now moving over to Linux with the peace of mind to know that though they do need to try solve their own problems, I can help if need be.
- Had to learn AWS and then implement an autoscaling and load balanced data center installation of a few Atlassian toolsets.
- Creating the architecture diagrams documentation needed for things like the above point.
- Having said that, also have ended up setting up all the Jira/Confluence etc. servers we use and have implemented so far whether cloud (Azure/AWS) or on prem and set up scripts to automate where possible.
- Implemented an automated workflow view in SharePoint based on SP list data and though in an ASPX page, primarily built in JS.
- Building test systems in PHP/JS with Laravel and Angular to help manage integration between systems. Having quite a time right looking into how to build middleware to connect between SOAP and REST API's, the trouble caused more by the systems and their reliance on frameworks we're trying to cut out of the picture.
- Working on BI and MI and training a team to help on the report creation so that I can do the fun creative stuff and then set them to work on the detail :)
Actually it seems safe to say that it seems that though I've finally moved into a dev office (beforehand being the only developer around) I seem to be the one they go to when a strategic solution is needed ASAP and the normal processes can't be followed (fun for someone with a CompSci degree and a number of project management courses under the belt... though I honestly do enjoy the challenges)
But I always end up Jack of all but master of, well hopefully some at least. let's not even get started on the tech related hobbies from circuit design and IoT to Andoid / iOS and game dev and enjoying a bit of pen testing to make sure we're all safe at work and at home.
As much as I don't like boxes, I'm interested to know if there is in fact a box for me? By the way, the above is just a snapshot of my last two years minus the project management work...2 -
Going to do our first social engineering pen test. We're setting up a general plan and we'll call for a meeting with a company next week. Any tips?5