Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "server hijacking"
-
My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.
For the record, user levels were normal user, general admin and super admin (he was the only super admin).
Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.
Then I started.
Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.
Explained him where he went wrong and he wrote a patch under my guidance 😃.
That felt so fucking awesome.5 -
WTF! over 5000+ attempts in less than 3 hours. Some bitch trying to hijack me machine!
Am i the only one experiencing this shit?27