Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
!Story
The day I became the 400 pound Chinese hacker 4chan.
I built this front-end solution for a client (but behind a back end login), and we get on the line with some fancy European team who will handle penetration testing for the client as we are nearing dev completion.
They seem... pretty confident in themselves, and pretty disrespectful to the LAMP environment, and make the client worry even though it's behind a login the project is still vulnerable. No idea why the client hired an uppity .NET house to test a LAMP app. I don't even bother asking these questions anymore...
And worse, they insist we allow them to scrape for vulnerabilities BEHIND the server side login. As though a user was already compromised.
So, I know I want to fuck with them. and I sit around and smoke some weed and just let this issue marinate around in my crazy ass brain for a bit. Trying to think of a way I can obfuscate all this localStorage and what it's doing... And then, inspiration strikes.
I know this library for compressing JSON. I only use it when localStorage space gets tight, and this project was only storing a few k to localStorage... so compression was unnecessary, but what the hell. Problem: it would be obvious from exposed source that it was being called.
After a little more thought, I decide to override the addslashes and stripslashes functions and to do the compression/decompression from within those overrides.
I then minify the whole thing and stash it in the minified jquery file.
So, what LOOKS from exposed client side code to be a simple addslashes ends up compressing the JSON before putting it in localStorage. And what LOOKS like a stripslashes decompresses.
Now, the compression does some bit math that frankly is over my head, but the practical result is if you output the data compressed, it looks like mandarin and random characters. As a result, everything that can be seen in dev tools looks like the image.
So we GIVE the penetration team login credentials... they log in and start trying to crack it.
I sit and wait. Grinning as fuck.
Not even an hour goes by and they call an emergency meeting. I can barely contain laughter.
We get my PM and me and then several guys from their team on the line. They share screen and show the dev tools.
"We think you may have been compromised by a Chinese hacker!"
I mute and then die my ass off. Holy shit this is maybe the best thing I've ever done.
My PM, who has seen me use the JSON compression technique before and knows exactly whats up starts telling them about it so they don't freak out. And finally I unmute and manage a, "Guys... I'm standing right here." between gasped laughter.
If only it was more common to use video in these calls because I WISH I could have seen their faces.
Anyway, they calmed their attitude down, we told them how to decompress the localStorage, and then they still didn't find jack shit because i'm a fucking badass and even after we gave them keys to the login and gave them keys to my secret localStorage it only led to AWS Cognito protected async calls.
Anyway, that's the story of how I became a "Chinese hacker" and made a room full of penetration testers look like morons with a (reasonably) simple JS trick.
9 -
Greetings from Denmark! Thought I would join after a lot of lurking, and tell a little story, as to how I fucked up when I started in my company.
I've been there around 10 days and had never used git besides just add, commit, and push. I was told to work in feature branches, and I did, I was playing around trying to learn, and got some merge conflicts, made a lot of unnecessary commits etc. I was told to clean it up before I merged into dev. And as I didn't know git I asked how I could do that. I was told I could force push in my branch, and that it was okay as long as it was only inside my branch. I tried that and saw my command line force pushing to all branches including dev, and master. My heart skipped a couple of beats, and I went directly to my Lead developer and asked what happend. He got a bit mad at me for pushing in dev and master, and override all the commits there had been made. I tried to explain I didn't he did not really believe me, I was so nervous. Luckily everything came back to normal with people's local branches being pushed etc. But that day I learned about git's push matching config, and my lead was luckily only mad in the heat of the moment and even apologized for getting mad. Just one of my little fuck up's in my short time as a developer7 -
You know what I really like? When apps override the scrolling behaviour...
Yes, I really want you to disable my scrolling settings and enforce your own goddamn scrolling logic, it's so great to have shit I'm used to being forcibly removed from me.
Biggest surprise is the latest place I've seen this is Unreal Engine :O Scrolling the news in the launcher is slow as fuck.2 -
PM tells me to merge (large feature) work that's heavily under WIP.
In that is a performance optimisation he instructed (with an aggressive DM) me to stop looking at even though it's a concern for larger clients that I had to fix before as it's "unnecessary" - thought whatever I'll leave the code as is then
I tell him him the PR is not ready yet, there is still a lot of clean up to and tests to write
Just do it
A ~week later "wow you write really selfish code like look at this"
Shows a wrapper class from the optimisation with 2 properties and getters and setters (and override some of super's properties). I explain to him why it's there, "that should have been a comment". I tell him I write detailed comments as part of my refinment process which he wanted me to stop.
This is after he tried to merge a release branch into main while sneaking in some "corrections" and I pointed out it breaks Dev.1
Top Tags
Weekly Rant
View