When you don't pay your full stack developers

Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

//Long rant

[Boss man]: Hey, we need you to build us a web app.

[Me]: Okay, what do you need it to do?

[Boss man]: We need staff to be able to login from anywhere, create new appointments, check room availability, display live times for the rooms, schedule future appointments, record all the data as stats and export the stats to (email address).

[Me]: Okay, sounds useful, anything else?

[Boss man]: we also need it to send all relevant data to a calendar where certain staff will be notified by email of events.

[Me]: Okay... I'll get right on starting this.

[Boss man]: So you can have it done by the end of the day? (4 hours from this time)

[Me]: *Internal screaming* *WHAT THE FUCK* Uhm, no, I don't think that is possible to complete in a four hour period by myself.

[Boss man]: Okay, well by tomorrow then, I'm leaving for the day though, have a good one.

[Me]....

//End long rant

So a user reported they couldn't login to our site, so I reset their password to:

uI+ffRT7M2NAzo8uOqzf4QxO3I9tj8PJ4TS0n8zDV7I

And sent them back an email with the updated password. A few minutes later, they replied and said that password didn't work. They even tried a different web browser, etc. I tried it myself, and sure enough, it didn't work.

I spent the next several hours trying to figure out why the password didn't save properly, or why the logic didn't compare them correctly. Perhaps it was some sort of caching issue? Oh the horror.

As it turns out, the problem was a maxlength of 28 on the login form field:

<input type="password" name="password" value="" maxlength="28"/>

I don't know who wrote that code, but it sure wasn't me.

!rant

I was in a hostel in my high school days.. I was studying commerce back then. Hostel days were the first time I ever used Wi-Fi. But it sucked big time. I'm barely got 5-10Kbps. It was mainly due to overcrowding and download accelerators.

So, I decided to do something about it. After doing some research, I discovered NetCut. And it did help me for my purposes to some extent. But it wasn't enough. I soon discovered that my floor shared the bandwidth with another floor in the hostel, and the only way I could get the 1Mbps was to go to that floor and use NetCut. That was riskier and I was lazy enough to convince myself look for a better solution rather than go to that floor every time I wanted to download something.

My hostel used Netgear's routers back then. I decided to find some way to get into those. I tried the default "admin" and "password", but my hostel's network admin knew better than that. I didn't give up. After searching all night (literally) about how to get into that router, I stumbled upon a blog that gave a brief info about "telnetenable" utility which could be used to access the router from command line. At that time, I knew nothing about telnet or command line. In the beginning I just couldn't get it to work. Then I figured I had to enable telnet from Windows settings. I did that and got a step further. I was now able to get into the router's shell by using default superuser login. But I didn’t know how to get the web access credentials from there. After googling some and a bit of trial and error, I got comfortable using cd, ls and cat commands. I hoped that some file in the router would have the web access credentials stored in cleartext. I spent the next hour just using cat to read every file. Luckily, I stumbled upon NVRAM which is used to store all config details of router. I went through all the output from cat (it was a lot of output) and discovered http_user and http_passwd. I tried that in the web interface and when it worked, my happiness knew no bounds. I literally ran across the floor screaming and shouting.

I knew nothing about hiding my tracks and soon my hostel’s admin found out I was tampering with the router's settings. But I was more than happy to share my discovery with him.

This experience planted a seed inside me and I went on to become the admin next year and eventually switch careers.

So that’s the story of how I met bash.
Thanks for reading!

It's maddening how few people working with the internet don't know anything about the protocols that make it work. Web work, especially, I spend far too much time explaining how status codes, methods, content-types etc work, how they're used and basic fundamental shit about how to do the job of someone building internet applications and consumable services.

The following has played out at more than one company:

App: "Hey api, I need some data"
API: "200 (plain text response message, content-type application/json, 'internal server error')"
App: *blows the fuck up

*msg service team*

Me: "Getting a 200 with a plaintext response containing an internal server exception"
Team: "Yeah, what's the problem?"
Me: "...200 means success, the message suggests 500. Either way, it should be one of the error codes. We use the status code to determine how the application processes the request. What do the logs say?"
Team: "Log says that the user wasn't signed in. Can you not read the response message and make a decision?"
Me: "That status for that is 401. And no, that would require us to know every message you have verbatim, in this case, it doesn't even deserialize and causes an exception because it's not actually json."
Team: "Why 401?"
Me: "It's the code for unauthorized. It tells us to redirect the user to the sign in experience"
Team: "We can't authorize until the user signs in"
Me: *angermatopoeia* "Just, trust me. If a user isn't logged in, return 401, if they don't have permissions you send 403"
Team: *googles SO* "Internet says we can use 500"
Me: "That's server error, it says something blew up with an unhandled exception on your end. You've already established it was an auth issue in the logs."
Team: "But there's an error, why doesn't that work?"
Me: "It's generic. It's like me messaging you and saying, "your service is broken". It doesn't give us any insight into what went wrong or *how* we should attempt to troubleshoot the error or where it occurred. You already know what's wrong, so just tell me with the status code."
Team: "But it's ok, right, 500? It's an error?"
Me: "It puts all the troubleshooting responsibility on your consumer to investigate the error at every level. A precise error code could potentially prevent us from bothering you at all."
Team: "How so?"
Me: "Send 401, we know that it's a login issue, 403, something is wrong with the request, 404 we're hitting an endpoint that doesn't exist, 503 we know that the service can't be reached for some reason, 504 means the service exists, but timed out at the gateway or service. In the worst case we're able to triage who needs to be involved to solve the issue, make sense?"
Team: "Oh, sounds cool, so how do we do that?"
Me: "That's down to your technology, your team will need to implement it. Most frameworks handle it out of the box for many cases."
Team: "Ah, ok. We'll send a 500, that sound easiest"
Me: *..l.. -__- ..l..* "Ok, let's get into the other 5 problems with this situation..."

Moral of the story: If this is you: learn the protocol you're utilizing, provide metadata, and stop treating your customers like shit.

Ex-boss (who boasted 20 years of programming exp.) Would not let us work on a web project saying we didn't have enough experience and said he'd do it alone... Fast forward to 3 days before presenting to client, we get to check the log in interface and immediately find that there's no actual security, no validation... Just 2 text boxes with hard coded users and no way to add more without creating them in db... And if you knew the next page's URL you can actually skip the login... Needless to say he was removed from the project that instant and we (interns at the time) had to do everything from scratch. A 3 months project done in 2 days. Never been more stressed in my life :'(

Fuck the incompetent and "pretentious psuedo devs" !!

I have been developing a web portal for a student club for this really big company (as intern) and then they assign this fuckin group of these 4 stupid intern devs to work with me !

The fuckin tweked my code and redirected the CONTACT FORM to the fuckin LOGIN CONTROLLER !!

Then these sons of Einstein inserted dummy users without a username and password into the fuckin production site !!

Now each fukin time someone submits contact form is redirected into some random user account !!

Who the fuck needs Hackers when we have these legendary coders -_-

I... uhm... I... I can't... I ... I can't even.... THIS IS LIVE IN THE CLIENT'S SITE WHERE ANYONE CAN CREATE A LOGIN WITH NO VERIFICATION WHATSOEVER AND SEE THIS WHICH IS LINKED TO A BIG RED BUTTON THAT RESETS THE WHOLE DATABASE, YOU FUCKING DUMB PIECE OF SHIT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

// This event clears the entire solution in all active clients, truncates the database and also removes any stored PDFs in the server folder
$(document).on('click', '#resetDB', function () {
// This event only happens if the user correctly enters the password, this is to prevent other users than the admin from performing this action
var answer = prompt("Please enter the password required to perform this action.");
if(answer == "-REDACTEDBECAUSEHOLYSHIT-") {
socket.emit('resetDB');
} else {
alert("The password is incorrect, please try again!");
}
});

AAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!!!!111!!1!!11!1!!1!1one!one!!!11

(I'm not inventing this, even though the "site" is internal only and not accessible through the web. That does *not* make it any less stupid!)

Our website once had it’s config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”

Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”

3 rants for the price of 1, isn't that a great deal!

1. HP, you braindead fucking morons!!!

So recently I disassembled this HP laptop of mine to unfuck it at the hardware level. Some issues with the hinge that I had to solve. So I had to disassemble not only the bottom of the laptop but also the display panel itself. Turns out that HP - being the certified enganeers they are - made the following fuckups, with probably many more that I didn't even notice yet.

- They used fucking glue to ensure that the bottom of the display frame stays connected to the panel. Cheap solution to what should've been "MAKE A FUCKING DECENT FRAME?!" but a royal pain in the ass to disassemble. Luckily I was careful and didn't damage the panel, but the chance of that happening was most certainly nonzero.
- They connected the ribbon cables for the keyboard in such a way that you have to reach all the way into the spacing between the keyboard and the motherboard to connect the bloody things. And some extra spacing on the ribbon cables to enable servicing with some room for actually connecting the bloody things easily.. as Carlos Mantos would say it - M-m-M, nonoNO!!!
- Oh and let's not forget an old flaw that I noticed ages ago in this turd. The CPU goes straight to 70°C during boot-up but turning on the fan.. again, M-m-M, nonoNO!!! Let's just get the bloody thing to overheat, freeze completely and force the user to power cycle the machine, right? That's gonna be a great way to make them satisfied, RIGHT?! NO MOTHERFUCKERS, AND I WILL DISCONNECT THE DATA LINES OF THIS FUCKING THING TO MAKE IT SPIN ALL THE TIME, AS IT SHOULD!!! Certified fucking braindead abominations of engineers!!!

Oh and not only that, this laptop is outperformed by a Raspberry Pi 3B in performance, thermals, price and product quality.. A FUCKING SINGLE BOARD COMPUTER!!! Isn't that a great joke. Someone here mentioned earlier that HP and Acer seem to have been competing for a long time to make the shittiest products possible, and boy they fucking do. If there's anything that makes both of those shitcompanies remarkable, that'd be it.

2. If I want to conduct a pentest, I don't want to have to relearn the bloody tool!

Recently I did a Burp Suite test to see how the devRant web app logs in, but due to my Burp Suite being the community edition, I couldn't save it. Fucking amazing, thanks PortSwigger! And I couldn't recreate the results anymore due to what I think is a change in the web app. But I'll get back to that later.

So I fired up bettercap (which works at lower network layers and can conduct ARP poisoning and DNS cache poisoning) with the intent to ARP poison my phone and get the results straight from the devRant Android app. I haven't used this tool since around 2017 due to the fact that I kinda lost interest in offensive security. When I fired it up again a few days ago in my PTbox (which is a VM somewhere else on the network) and today again in my newly recovered HP laptop, I noticed that both hosts now have an updated version of bettercap, in which the options completely changed. It's now got different command-line switches and some interactive mode. Needless to say, I have no idea how to use this bloody thing anymore and don't feel like learning it all over again for a single test. Maybe this is why users often dislike changes to the UI, and why some sysadmins refrain from updating their servers? When you have users of any kind, you should at all times honor their installations, give them time to change their individual configurations - tell them that they should! - in other words give them a grace time, and allow for backwards compatibility for as long as feasible.

3. devRant web app!!

As mentioned earlier I tried to scrape the web app's login flow with Burp Suite but every time that I try to log in with its proxy enabled, it doesn't open the login form but instead just makes a GET request to /feed/top/month?login=1 without ever allowing me to actually log in. This happens in both Chromium and Firefox, in Windows and Arch Linux. Clearly this is a change to the web app, and a very undesirable one. Especially considering that the login flow for the API isn't documented anywhere as far as I know.

So, can this update to the web app be rolled back, merged back to an older version of that login flow or can I at least know how I'm supposed to log in to this API in order to be able to start developing my own client?

- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.

A moment of silence, please.

Yesterday the web site started logging an exception “A task was canceled” when making a http call using the .Net HTTPClient class (site calling a REST service).

Emails back n’ forth ..blaming the database…blaming the network..then a senior web developer blamed the logging (the system I’m responsible for).

Under the hood, the logger is sending the exception data to another REST service (which sends emails, generates reports etc.) which I had to quickly re-direct the discussion because if we’re seeing the exception email, the logging didn’t cause the exception, it’s just reporting it. Felt a little sad having to explain it to other IT professionals, but everyone seemed to agree and focused on the server resources.

Last night I get a call about the exceptions occurring again in much larger numbers (from 100 to over 5,000 within a few minutes). I log in, add myself to the large skype group chat going on just to catch the same senior web developer say …
“Here is the APM data that shows logging is causing the http tasks to get canceled.”

FRACK!

Me: “No, that data just shows the logging http traffic of the exception. The exception is occurring before any logging is executed. The task is either being canceled due to a network time out or IIS is running out of threads. The web site is failing to execute the http call to the REST service.”

Several other devs, DBAs, and network admins agree.

The errors only lasted a couple of minutes (exactly 2 minutes, which seemed odd), so everyone agrees to dig into the data further in the morning.

This morning I login to my computer to discover the error(s) occurred again at 6:20AM and an email from the senior web developer saying we (my mgr, her mgr, network admins, DBAs, etc) need to discuss changes to the logging system to prevent this problem from negatively affecting the customer experience...blah blah blah.

FRACKing female dog!

Good news is we never had the meeting. When the senior web dev manager came in, he cancelled the meeting.

Turned out to be a hiccup in a domain controller causing the servers to lose their connection to each other for 2 minutes (1-minute timeout, 1 minute to fully re-sync). The exact two-minute burst of errors explained (and proven via wireshark).

People and their petty office politics piss me off.

Face recognition + login with face on web

Yesterday my father called me and asked if I'd have a look at his website to exchange his logo with a new one and make some string changes in the backend. Well, of course I did and hell am I glad I did it.
He had that page made a few years ago by some cousin of a friend who "is really good with computers", it's a small web shop for car parts and, as usual costumer accounts. Costumer Accounts with payment infos.
Now I've seen a lot of bad practices when it comes to handling passwords and I've surely done a few questionable things myself but this idiot took the cake. When a new account was registered his php script would read the login page, look for a specific comment and add a string "'account; password'," below into to a js array. In clear text. On the website. One doesn't even have to breach the db, it's just there, F12 and you got all the log ins.

Seriously, we really need a licensing system for devs, those were two or three years this shit was live, 53 accounts... Now I've gotta decipher this entire bowl of spaghetti just to see if he has done any more unspeakable things.

Sometimes I have really loose the will to live and find myself face palming multiple times.

I added live chat software a web frontend for a client. Very easy job that consisted of pasting in some embed code. The actual software is very good and has native ios/andriod apps - something specifically requested.

I got a call from my client about an hour ago, saying there is a "serious issue with the live chat".

My client stated the live chat won't work when his staff go home. He asked me what my solution to this was.

Saying "wtf" many times to myself I directed him to a settings within the chat software i.e. an "away mode" where an email is sent when no chat agents are available.

This apparently wasn't good enough and said I hadn't followed his brief of "adding life chat software to the website", which I had.

After a lengthy discussion I found the root of his frustration. He'd signed a contract with a client of his own, stating there would be 24/7 support via live chat on the website.

Obviously there a huge difference between adding a chat widget to a website and committing to having it manned 24/7 :)

After a further 10 minutes of trying push the blame on myself, the client insisted of having the chat software "appear" as someone was always online, even when they are not (people need to sleep ya know!).

Bu design, the chat software requires at least one agent be logged in before the chat status changes to "online" - why wouldn't it.

After a little while I was seriously wondering why I'm involved in this conversation. I jokingly stated: "Well you could always install Andriod/iOS app on your phone, login and permanently leave it running in background. You'd get lots of notifications, but the site would say the live is always online".

The latter was something I said in jest. To my surprise the client said he'd do that on his own phone going forwards. He actually thanked me for my "resourcefulness", lol.

I'm looking at the same dashboard now and there are 407 pending chat requests - his phone must literally be blowing up notifications :)

Warning: long read....

I got a call this morning from a client who was panicking about not being able to login to his web panel.

So I went to the web panel and tried to login and was just redirected back to the login page. No errors or anything (at least visible on the page). Went looking for an error_log file and found it.

It turns out there was an error was showing: Disk quota exceeded.

So I went into the cPanel and checked, he used about 16GB out of 100GB and that got me confused. So I looked around and found out he was using about 510000/500000 inodes.

Went looking trough FTP to see where he has so many files and try and remove some.

Well it turns out that there were about 7 injected websites (warez, online casino, affiliate one etc) and a full hacking web panel on his FTP. After detailed analysis some who actually built the site (I just maintain some parts) made an upload form available to public with any checks on it. Meaning anyone could upload whatever they wanted and the form would allow it.

The worst part is that the client is not allowing us to secure the form with some sort of login or remove it completely (the best option) as it is not really needed but he uses it to upload some pdf catalogs or something.

TL; DR;
Old programmer created an upload form that was accessible to anyone on the web without adding any security or check as to see what kind of files was getting uploaded. Which lead to having maximum number on inodes used on server and client being unable to login.

Side note:
And ofc I had to go and fix the mess behind him again, even though he stopped working a long time ago and I started just recently and have been having nightmares of this project.

TL;DR :

"when i die i want my group project members to lower me into my grave so they can let me down one last time"

STORY TIME

Last year in College, I had two simultaneous projects. Both were semester long projects. One was for a database class an another was for a software engineering class.

As you can guess, the focus of the projects was very different. Databases we made some desktop networked chat application with a user login system and what not in Java. SE we made an app store with an approval system and admin panels and ratings and reviews and all that jazz in Meteor.js.

The DB project we had 4 total people and one of them was someone we'll call Frank. Frank was also in my SE project group. Frank disappeared for several weeks. Not in class, didn't contact us, and at one point the professors didn't know much either. As soon as we noticed it would be an issue, we talked to the professors. Just keeping them in the loop will save you a lot of trouble down the road. I'm assuming there was some medical or family emergency because the professors were very understanding with him once he started coming back to class and they had a chance to talk.

Lesson 1: If you have that guy that doesn't show up or communicate, don't be a jerk to them and communicate with your professor. Also, don't stop trying to contact the rogue partner. Maybe they'll come around sometime.

It sucked to lose 25% of our team for a project, but Frank appreciated that we didn't totally ignore him and throw him under the bus to the point that the last day of class he came up to me and said, "hey, open your book bag and bring it next to mine." He then threw a LARGE bottle of booze in there as a thank you.

Lesson 2: Treat humans as humans. Things go wrong and understanding that will get you a lot farther with people than trying to make them feel terrible about something that may have been out of their control.

Our DB project went really well. We got an A, we demoed, it worked, it was cool. The biggest problem is I was the only person that had taken a networking class so I ended up doing a large portion of the work. I wish I had taken other people's skills into account when we were deciding on a project. Especially because the only requirement was that it needed to have a minimum of 5 tables and we had to use some SQL language (aka, we couldn't use no-SQL).

The SE project had Frank and a music major who wanted to minor in CS (and then 3 other regular CS students aside from me). This assignment was make an app store using any technology you want. But, you had to use agile sprints. So we had weekly meetings with the "customer" (the TA), who would change requirements on us to keep us on our toes and tell us what they wanted done as a priority for the next meeting. Seriously, just like real life. It was so much fun trying to stay ahead of that.

So we met up and tried to decided what to use. One kid said Java because we all had it for school. The big issue is trying to make a Java web app is a pain in the ass. Seriously, there are so many better things to use. Other teams decided to use Django because they all wanted to learn Python. I suggested why not use something with a nice package system to minimize duplicating work that had already been done and tested by someone. Kid 1 didn't like that because he said in the real world you have to make your own software and not use packages. Little did he know that I had worked in SE for a few years already and knew damn well that every good project has code from somewhere else that has already solved a problem you're facing. We went with Java the first week. It failed miserably. Nobody could get the server set up on their computers. Using VCS with it required you to keep the repo outside of the where you wrote code and copy and paste changes in there. It was just a huge flop so everyone else voted to change.

Lesson 3: Be flexible. Be open to learning new things. Don't be afraid to try something new. It'll make you a better developer in the long run.

So we ended up using Meteor. Why? We all figured we could pick up javascript super easy.Two of us already knew it. And the real time thing would make for some cool effects when an app got a approved or a comment was made. We got to work and the one kid was still pissed. I just checked the repo and the only thing he committed was fixing the spelling of on word in the readme.

We sat down one day and worked for 4 straight hours. We finished the whole project in that time. While other teams were figuring out how to layout their homepage, we had a working user system and admin page and everything. Our TA was trying to throw us for loops by asking for crazy things and we still came through. We had tests that ran along side the application as you used it. It was friggin cool.

Lesson 4: If possible, pick the right tool for the job. Not the tool you know. Everything in CS has a purpose. If you use it for its purpose, you will save days off of a project.

A third party manages access to a web application I’m supposed to begin using. While accessible from the Internet, they whitelist IP addresses, so it rejects the login credentials if not coming from a whitelisted address.

I provided my external IP address to their support team but the application was not letting me in, so I called their help desk. A support technician said that my IP address was 10.x.x.x, a private IP address. I’m not on the same network as this application, so I did a quick check and realized they are reading my internal IP address from my X-FORWARDED-FOR (XFF) header (yes, my employer exposes this).

I explain to him that the application is incorrectly reading my external (connection) IP address and is instead reading my internal IP address from my XFF header. I also explain that it’s not a good idea to add a private IP address to their whitelist as it somewhat defeats the point as anyone can assign that IP address within their network and expose it via an XFF header.

After talking to numerous support personnel, I came to the conclusion that not a single support person on their team understands basic networking and private IP address ranges.

I finally just said, “Fine. Go ahead and add my internal IP address but keep in mind it will change a lot.”

He then proceeded to “explain” to me how my IP address is assigned by my ISP and should change very infrequently. I explained to him that the IP address their application is reading is actually assigned by DHCP inside my network, but I was clearly wasting my breath.

Worst hack/attack I had to deal with?

Worst, or funniest. A partnership with a Canadian company got turned upside down and our company decided to 'part ways' by simply not returning his phone calls/emails, etc. A big 'jerk move' IMO, but all I was responsible for was a web portal into our system (submitting orders, inventory, etc).

After the separation, I removed the login permissions, but the ex-partner system was set up to 'ping' our site for various updates and we were logging the failed login attempts, maybe 5 a day or so. Our network admin got tired of seeing that error in his logs and reached out to the VP (responsible for the 'break up') and requested he tell the partner their system is still trying to login and stop it. Couple of days later, we were getting random 300, 500, 1000 failed login attempts (causing automated emails to notify that there was a problem). The partner knew that we were likely getting alerted, and kept up the barage. When alerts get high enough, they are sent to the IT-VP, which gets a whole bunch of people involved.
VP-Marketing: "Why are you allowing them into our system?! Cut them off, NOW!"
Me: "I'm not letting them in, I'm stopping them, hence the login error."
VP-Marketing: "That jackass said he will keep trying to get into our system unless we pay him $10,000. Just turn those machines off!"
VP-IT : "We can't. They serve our other international partners."
<slams hand on table>
VP-Marketing: "I don't fucking believe this! How the fuck did you let this happen!?"
VP-IT: "Yes, you shouldn't have allowed the partner into our system to begin with. What are you going to do to fix this situation?"
Me: "Um, we've been testing for months already went live some time ago. I didn't know you defaulted on the contract until last week. 'Jake' is likely running a script. He'll get bored of doing that and in a couple of weeks, he'll stop. I say lets ignore him. This really a network problem, not a coding problem."
IT-MGR: "Now..now...lets not make excuses and point fingers. It's time to fix your code."
IT-VP: "I agree. We're not going to let anyone blackmail us. Make it happen."

So I figure out the partner's IP address, and hard-code the value in my service so it doesn't log the login failure (if IP = '10.50.etc and so on' major hack job). That worked for a couple of days, then (I suspect) the ISP re-assigned a new IP and the errors started up again.

After a few angry emails from the 'powers-that-be', our network admin stops by my desk.
D: "Dude, I'm sorry, I've been so busy. I just heard and I wished they had told me what was going on. I'm going to block his entire domain and send a request to the ISP to shut him down. This was my problem to fix, you should have never been involved."

After 'D' worked his mojo, the errors stopped.

Month later, 'D' gave me an update. He was still logging the traffic from the partner's system (the ISP wanted extensive logs to prove the customer was abusing their service) and like magic one day, it all stopped. ~2 weeks after the 'break up'.

That moment when you're finally getting your user registration and login system up and running!
As a web dev student I feel like I have accomplished something :)

Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).

This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go a webpage, login with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.

BUT TODAY I HAD ENOUGH.

I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies.

My team manager showed me a web application of a new client and asked me if I can find vulnerabilities in it to push for a better product contract. She showed me the system architecture and asked me if I could try finding something from their login page. I politely refused since we don't have written permission to conduct a security audit (it's also a ministry website). She was pretty disappointed and idk if I'm doing the right thing not helping the company (I'm an intern but still). I'm sure I can scan in stealth but I don't think it's ethical on a corporate level. Thoughts?

NO FUCKING GOOD NIGHT FOR FLOYD.

THIS MULTI FACTOR AUTHENTICATION IS A FUCKING NIGHTMARE.

So my organisation uses some MFA app as an SSO to access any and everything. Fantastic. Absolutely wonderful. No VPN shit and one password to rule them all.

But, for some reason I accidentally deleted the app from my phone and as any normal human being would do, I also reinstalled the app.

Well, post reinstalling, the app does not detect the linked Org account.

I was cool, when I'll login, the system will throw a prompt to map the phone.

So I login to org URL from my machine and lo and behold, the URL says that MFA is already linked to the phone and I have to enter the Citrix type code to login.

But phone does not show the code because account is no longer linked and web does not have option to change/re-register the phone.

What the actual unholy fuck?????? Bloody retards. How am I suppose to get in now?

So after a Googling for a bit, a thread mentioned that this is most common issue faced by users with this MFA app. The only way to get this resolved is to contact your IT team.

Cool. Let's do that.

I opened the link to my IT portal and it asks me to login via SSO which is what I need help with in first place.

I can't login to Slack because fuckers ask SSO every time the app is exited. So no contact there.

Thankfully bastards allow Outlook so was able to drop a note to one of my team member, whom I connected recently and is very nice, asking her to help me sort this IT team.

If this is the most common use case then why the fuck not add a feature to help people overcome this shit?

And my IT team is absolute nuts. No other way allowed to reset the linking or connect them or any help links provided on login page.

Whoever was behind this design should be dipped in donkey shit and deep fried in pig urine.

I received a job offer as web-app developer and, in order to access the interview, I had to do an online QI test.

I login in the website and I see an ugly cluster of links, missing informations, errors at receiving the data I just inserted, a lot of bugs, broken links, images not availables, blank pages and so on.

I'm not sure I want to work there anymore

I'm a "published" freelance dev!

Last night I made my first web application available to the internet. It's an internal enterprise management system for a small non-profit.

It's running on a single $6 a month digitalocean droplet, and the domain is $12 a year, so yearly cost for them is absolutely rock bottom.

It's written in asp.net 6.0 razor pages, nginx reverse proxy, certbot for HTTPS certificates, fail2ban for ssh protection (ssh login is via ssl keys), entity framework with MySQL.

The site itself has automatic IP banning based on a few parameters like login spam, uses JWT tokens, and is fully secured.

All together, it's a lot of value for about $100 a year.

So I manage multiple VPS's (including multiple on a dedicated server) and I setup a few proxy servers last week. Ordered another one yesterday to run as VPN server and I thought like 'hey, let's disable password based login for security!'. So I disabled that but the key login didn't seem to work completely yet. I did see a 'console' icon/title in the control panel at the host's site and I've seen/used those before so I thought that as the other ones I've used before all provided a web based console, I'd be fine! So le me disabled password based login and indeed, the key based login did not work yet. No panic, let's go to the web interface and click the console button!
*clicks console button*
*New windows launches.....*

I thought I would get a console window.

Nope.

The window contained temporary login details for my VPS... guess what... YES, FUCKING PASSWORD BASED. AND WHO JUST DISABLED THE FUCKING PASSWORD BASED LOGIN!?!

WHO THOUGHT IT WOULD BE A GOOD IDEA TO IMPLEMENT THIS MOTHERFUCKING GOD?!?

FUUUUUUUUUUUUUUUUUUUUUUU.

Rant against useless metrics:

No, your bootup time is not from when you hit the power button, until the moment the login screen shows up.

It's from when you hit the power button, until the moment when you can actually use your computer, e.g. the web browser or IDE is running and responding to input.

Why is it that an issue is only critical-priority until the person who's raising the biggest fuss has to do something about it?

I was notified that a website hosted in AWS went down overnight and never came back up. I was then bombarded with email after email after email while I logged into our AWS account and poked around. I'm responsible for cloud infrastructure stuff, like VMs or virtual networking or security or whatever, not the actual applications running on said infrastructure. Once I confirmed their EC2 instance was reachable and I could login with SSH, I told them they'd have to fix their application.

They told me that they had no backend developer on their development team. I'm still getting a deluge of emails from multiple people on this team and their managers and managers' managers and so on.

"Perfectly understandable," I told them, though it was anything but. "You should probably look into obtaining one."

The emails stopped immediately. I assumed they were handling it and closed my ticket and moved on. But apparently I was wrong.

Six weeks later, the site is still down, they still have no backend dev, and I'm convinced that they were lying to me when they stressed the importance of this web app because now that it's no longer my problem, not a single person seems to care that it's still broken.

One thing every junior web developer learns is how to implement a login system.
They may not make it the most secure, but it works.
It boggles my mind how Microsoft still don't know how to make a login that works consistently.
Every Microsoft login page requires like 30 redirections to work.
The Teams app on my PC fails to login at least once a week, just because another Microsoft app is logged in using the same account (usually office), but Windows is not.
Microsoft needs to take it's head out of it's ass and BEG Google to teach them how to make a decent login system.

When you're a hardcore web developer, the only 'action' you .get() is when you're writing a login form scraper for your three-legged oauth flow in Python

when I was a newbie I was given a task to upload a site.
I had done that many times before so I thought it wont be a big deal so I thought I never gave a try uploading through ftp.
Okay I began work on it the server was of godaddy and credentials I got were of delegate access.
right I tried connecting through ftp but it wasn't working thought there's some problem with user settings why shouldn't I create my own user to stay away from mess.
Now I creater my own user and could easily login but there were no files in it saw that by creating user my folder is different and I dont have access to server files I wanted to take backup before I do upload.
now I was thinking to give my user access to all files so I changed the access directory to "/" checked ftp again there was still no file.
don't know what happened to me I thought ahh its waste of time for creating ftp user it does nothing and I deleted my ftp account.
now I went through web browser to download data and earth skids beneath my foots. Holy fuck I lost all the data, all were deleted with that account it scared the shit out of me.
There were two sites running which were now gone.
Tried every bit to bring them back but couldn't do so. i contact support of godaddy they said you haven't enabled auto backup so you can't have them for free however they can provide their service in $150. Which is 15k in my country.
I decided to tell my boss about what happened and he got us away :p I wasn't fired gladly

APPLE IM GONNA BURN YOU WITH GASOLINE.

So i want to send my build to app store, from my iphone.

I want to log into iTunesConnect.

"It just works"

Yeah, right. Login page for itunesconnect does not render correctly on Safari web browser, on iphone, login arrow is not visible, and elements are scattered around.

Grrrrrrr.

On Google Chrome, it looks okay!!!!!!!!!!!
Spartaaaaaaaaaa.

After some tapping on screen, and rotating the device, i somehow found invisible arrow and managed to sign in.

BUT. Once inside i was unable to complete the process because UI refuses to scroll down :(

The pain...

Still dealing with the web department and their finger pointing after several thousand errors logged.

SeniorWebDev: “Looks like there were 250 database timeout errors at 11:02AM. DBAs might want to take a look.”

I look at the actual exceptions being logged (bulk of the over 1,600 logged errors)..

“Object reference not set to an instance of an object.”

Then I looked the email timestamp…11:00AM. We received the email notification *before* the database timeout errors occurred.

I gather some facts…when the exceptions started, when they ended, and used the stack trace to find the code not checking for null (maybe 10 minutes of junior dev detective work). Send the data to the ‘powers that be’ and carried on with my daily tasks.
I attached what I found (not the actual code, it was changed to protect the innocent)
Couple of hours later another WebDev replied…

WebDev: “These errors look like a database connectivity issue between the web site and the saleitem data service. Appears the logging framework doesn’t allow us to log any information about the database connection.”

FRACK!!...that Fracking lying piece of frack! Our team is responsible for the logging framework. I was typing up my response (having to calm down) then about a minute later the head DBA replies …

DBA: “Do you have any evidence of this? Our logs show no connectivity issues. The logging framework does have the ability to log an extensive amount of data regarding the database transaction. Database name, server, login, command text, and parameter values. Everything we need to troubleshoot. This is the link to the documentation …. If you implement the one line of code to gather the data, it will go a long way in helping us debug performance and connectivity issue. Thank you.”

DBA sends me a skype message “You’re welcome :)”

Ahh..nice to see someone else fed up with their lying bull...stuff.

Earlier this year I had to deploy an "emergency" fix to production for (luckily) an internal facing, but customer impacting, web application.

It was only the login page they were changing. I backed up the original, copied the new file into place, and marked my task complete.

Then I went and read the details on the incident. Someone discovered that if you supply ANY valid username and leave the password blank, you're in! Put the wrong password and you're blocked, of course. But blank? You must be legit!

Curious, I looked at the timestamp on the original file I had backed up to see how long it had been like this.

4 years.

Not a bug, but a government web system to have control over financial expenses from a region in my country has the login access admin:admin.
Somehow they manage to keep it like that for years with no problem.

Fuck Homestead.

For the fortune of you not to know, Homestead is a sad attempt at a Wix-like build your own website platform.

However, Homestead is the most unusable piece of shit platform that humans have ever had the misery of interacting with

Lets start off with the login page. The login page is small, unresponsive and half the time just deletes your input whenever you press submit.

It's important to note that unless you're running MacOS or Windows, Homestead will send to an error page on which there's a link to contact support, but pressing that link requires MacOS or Windows.

Fine, I'll fiddle around with my user-agent, and we'll be in soon enough. But now we come to the joy that is the website editor itself.

The website editor is clunky, hard to use, and has enough menus and submenus and sidebars to make the Jira UI shake with fear. Each interface option label is either ridiculously ambiguous or just straight up wrong. The built-in HTML editor doesn't support HTML5, in the name of "browser compatibility".

CSS? Pah! Who needs it! Our psuedo-90s skeuomorphic ugly-as-shit prebuilt styles will work just fine. Responsive design? Bullshit! Nobody uses a smartphone to browse the web, so why do we need to handle it?

Uploading a file? Good fucking luck buddy. There's a complicated dance among the minefield of pop-ups that ask you to confirm some shit or modify some shit and you gotta click the right option each time or else the file won't upload.

Wanna use https like 86% of the entire web and all modern websites? That's a premium feature. Fork over an extra $10 a month

Ok ok, I made it through all that. Dig through the thousands of menus to find the 'publish changes' button, and sigh with relief.

Open up a private browser tab to check my work, and nope. The site looks like shit, even by Homestead's standards. That's because Homestead claims to be a WYSIWYG editor, but it's a damn lie. The site looks like shit, so it's time do dive back into the hellhole that is this damn site editor.

And rinse and repeat. Deal with the shitty editor, publish, and pray it doesn't look like garbage. Be too scared to test on other devices because this flaming pile of dog shit pretending to be a website is bad enough on my device.

Two more months, then I'm done with this client. Someone get me a drink

Fire your whole fucking web team Bethesda

* Your design is a classic ipecac. Whatever the fuck you are doing doesn't in frontend doesn't justify the 4Mb of bandwidth I wasted on a single js file. Why the fuck can I see the whole fucking node_modules directory when looking at the sources?
I know this is supposed to be a webpage for a game development studio, but I'm seriously wondering if your budget would even get me a prostitute.
I'm a greedy fuck and want a free game. apparently your servers are only good enough to register me, but login is apparently too much to ask for. Yeah sure. Oh and also thank you for choosing an "incorrect username and password" error message by default, even though your fucking gateway timed out. Please be kind enough and punch me directly into my face next time. Not like I'll ever access that shit ever again

I get an email about an hour before I get into work: Our website is 502'ing and our company email addresses are all spammed! I login to the server, test if static files (served separately from site) works (they do). This means that my upstream proxy'd PHP-FPM process was fucked. I killed the daemon, checked the web root for sanity, and ran it again. Then, I set up rate limiting. Who knew such a site would get hit?

Some fucking script kiddie set up a proxy, ran Scrapy behind it, and crawled our site for DDoS-able URLs - even out of forms. I say script kiddie because no real hacker would hit this site (it's minor tourism in New Jersey), and the crawler was too advanced for joe shmoe to write. You're no match for well-tuned rate-limiting, asshole!

Social Captain (a service to increase a user's Instagram followers) has exposed thousands of Instagram account passwords. The company says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started.

According to TechCrunch : Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain text, as they had connected their account to the platform. A website bug allowed anyone access to any Social Captain user's profile without having to log in ; simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information easily. The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

As I am working with WordPress for the really first time I am making horrible experiences now.

My client wants a simple submenu on the sidebar if the user is logged in else he want the login form to be there. Easy peezy done with php and just good old plain html. Maybe some JavaScript to make the login process asynchronous.
But fucking bitch - NO. As I found out after searching and digging. I have to create a menu in wp-admin first. Then add a menu-widget to the sidebar. And then install a plug-in to make the links only visible for logged in user. Wtf?

WordPress takes all the joy in doing web development for me. I won't do that anymore. I will force all new clients to use proper tools to make their shit work for them. And as I am the expert in this things I am the one who suggests the right tool.

Fuck this shit.

Whelp. I started making a very simple website with a single-page design, which I intended to use for managing my own personal knowledge on a particular subject matter, with some basic categorization features and a simple rich text editor for entering data. Partly as an exercise in web development, and partly due to not being happy with existing options out there. All was going well...

...and then feature creep happened. Now I have implemented support for multiple users with different access levels; user profiles; encrypted login system (and encrypted cookies that contain no sensitive data lol) and session handling according to (perceived) best practices; secure password recovery; user-management interface for admins; public, private and group-based sections with multiple categories and posts in each category that can be sorted by sort order value or drag and drop; custom user-created groups where they can give other users access to their sections; notifications; context menus for everything; post & user flagging system, moderation queue and support system; post revisions with comparison between different revisions; support for mobile devices and touch/swipe gestures to open/close menus or navigate between posts; easily extendible css themes with two different dark themes and one ugly as heck light theme; lazy loading of images in posts that won't load until you actually open them; auto-saving of posts in case of browser crash or accidental navigation away from page; plus various other small stuff like syntax highlighting for code, internal post linking, favouriting of posts, free-text filter, no-javascript mode, invitation system, secure (yeah right) image uploading, post-locking...

On my TODO-list: Comment and/or upvote system, spoiler tag, GDPR compliance (if I ever launch it haha), data-limits, a simple user action log for admins/moderators, overall improved security measures, refactor various controllers, clean up the code...

It STILL uses a single-page design, and the amount of feature requests (and bugs) added to my Trello board increases exponentially with every passing week. No other living person has seen the website yet, and at the pace I'm going, humanity will have gone through at least one major extinction event before I consider it "done" enough to show anyone.

help

Whaaaat theeeee actual fuuuuuuuuck. So basically I've got a server running and everything is fine. All services are working and I can access the webserver running on it over every browser. But randomly my ssh access stopped working (can connect but doesn't return shit after last login message) and when loading the web config thingie from my provider it gives me an empty response (all other pages from the provider are working). So basically I've got a working server I cannot access. But I'd like to access it and cannot even restart that shitty thing.

Anybody else had a problem like that or has any idea wtf is going on?

The company that I work for has recently recruited a team for Web Development, so they don't have to pay a monthly fee to the previous team who designed their website.

They have over 3000+ products in the old website, and no logical way to import them to the new website. The old team was asking for 300$ to give them an API which would return the product details in an XML format.

Obviously, paying that amount of money wasn't logical for a dying website, so the manager decided to hire someone to manually copy the content from the old admin panel to the new one, that is until I stopped him.

My solution? Write a simple web scraper to login to the old panel and collect data. Boom! 300$ saved from going to waste.

Now, the old team found about this and as much as my manager was happy, they were quite angry. So they implanted a Google reCaptcha to prevent my bot from scraping the old panel.

I spent about 20 minutes, and found out once you're logged in to the old panel, the session is saved in a cookie and you are no longer greeted by a Captcha.

So I re-written a small portion of my bot, and Boom! Instant karma from manager. We finished publishing the new site, and notified the old team, only to see the precious look on their face. Poor guy, he thought I was a wizard or something 😂😂

That's what you get for overcharging people!

TL;DR: Company's old website team wanted to overcharge us writing an API to fetch 3000+ records.
Written a basic web scraper to do the same job in less than an hour.

It all started with an undelivereable e-mail.

New manager (soon-to-be boss) walks into admin guy's office and complains about an e-mail he sent to a customer being rejected by the recipient's mail server. I can hear parts of the conversation from my office across the floor.

Recipient uses the spamcop.net blacklist and our mail was rejected since it came from an IP address known to be sending mails to their spamtrap.

Admin guy wants to verify the claim by trying to find out our static public IPv4 address, to compare it to the blacklisted one from the notification.
For half an hour boss and him are trying to find the correct login credentials for the telco's customer-self-care web interface.
Eventually they call telco's support to get new credentials, it turned out during the VoIP migration about six months ago we got new credentials that were apparently not noted anywhere.

Eventually admin guy can log in, and wonders why he can't see any static IP address listed there, calls support again. Turns out we were not even using a static IP address anymore since the VoIP change. Now it's not like we would be hosting any services that need to be publicly accessible, nor would all users send their e-mail via a local server (at least my machine is already configured to talk directly to the telco's smtp, but this was supposedly different in the good ol' days, so I'm not sure whether it still applies to some users).

In any case, the e-mail issue seems completely forgotten by now: Admin guy wants his static ip address back, negotiates with telco support.
The change will require new PPPoE credentials for the VDSL line, he apparently received them over the phone(?) and should update them in the CPE after they had disabled the login for the dynamic address. Obviously something went wrong, admin guy meanwhile having to use his private phone to call support, claims the credentials would be reverted immediately when he changed them in the CPE Web UI.

Now I'm not exactly sure why, there's two scenarios I could imagine:
- Maybe telco would use TR-069/CWMP to remotely provision the credentials which are not updated in their system, thus overwriting CPE to the old ones and don't allow for manual changes, or
- Maybe just a browser issue. The CPE's login page is not even rendered correctly in my browser, but then again I'm the only one at the company using Firefox Private Mode with Ghostery, so it can't be reproduced on another machine. At least viewing the login/status page works with IE11 though, no idea how badly-written the config stuff itself might be.

Many hours pass, I enjoy not being annoyed by incoming phone calls for the rest of the day. Boss is slightly less happy, no internet and no incoming calls.

Next morning, windows would ask me to classify this new network as public/work/private - apparently someone tried factory-resetting the CPE. Or did they even get a replacement!? Still no internet though.
Hours later, everything finally back to normal, no idea what exactly happened - but we have our old static IPv4 address back, still wondering what we need it for.

Oh, and the blacklisted IP address was just the telco's mail server, of course. They end up on the spamcop list every once in a while.

tl;dr: if you're running a business in Germany that needs e-mail, just don't send it via the big magenta monopoly - you would end up sharing the same mail servers with tons of small businesses that might not employ the most qualified people for securing their stuff, so they will naturally be pwned and abused for spam every once in a while, having your mailservers blacklisted.

I'm waiting for the day when the next e-mail will be blocked and manager / boss eventually wonder how the 24-hours-outage did not even fix aynything in the end...

Please delete your browser cache.

Wtf is up with this shit?
Maybe I'm just having a streak of bad luck, but in recent days, I ran into this particular issue time and time again.
First with one of our own products - the user appearently not always was shown the newest version due to stuff being cached in the browser.
Fair enough, we had our web-dev find a solution to that, which he did. Until this is rolled out, the only resolution is to clear the browser cache.

I also ran into this same issue on multiple other fronts. For example, there's a remote connection to one of our clients I had to establish via browser. The backend was a bit unresponsive, and somehow I ended up in a situation where my login was rejected. The only solution? Clear your browser cache.

Then we have confluence and jira in the company. Same issue. All of a sudden, I could no longer log in. Worked fine in another browser.
Delete your browser cache.

Is it just that most frontend developers out there are incompetent at what they do or is this stuff broken by design? I don't recall having to clear my browser cache very frequently - in fact, I'm pretty sure I haven't done it for years on one of my PCs at home. What changed?

Ah well, maybe it was just a streak of bad luck. But still ...
/Rant

So, this incident happened with me around 2 years ago. I was pentesting one of my client's web application. They were new into the Financial Tech Industry, and wanted me to pentest their website as per couple of standards mentioned by them.

One of the most hilarious bug that I found was at the login page, when a user tries logging into an account and forgets the password, a Captcha image is shown where the user needs to prove that he is indeed a human and not a robot, which was fair enough to be implemented at the login screen.

But, here's the catch. When I checked the "view source" option of the web page, I saw that the alt attribute of the Captcha image file had the contents of the Captcha. Making it easy for an attacker to easily bruteforce the shit outta the login page.

You don't need hackers to hack you when your internal dev team itself is self destructive.

Open droid edit, ignore big ads at the bottom.

Open file, make small changes.

Save as.

Open andftp

Login to azure web app

Navigate to wwroot

Switch to device files

Go to .deployment folder

Select file

Upload.

Is it efficient? Fuck no.

Notepad++ style editing on the go? Fuck yes

So let's talk about CNAs, Captive Network Assistants, these downsized browser that open on Smartphones when you try to login to a free wifi which requires you to buy sometging or accept some terms.

I fucking hate them. I'm a web dev which has to deal with these dumbfucks.

Back in the time, there was this dumbfuck who had the idea to capture http requests on network level and response with a redirect to his own landing page. Fuck this guy. Then some dudes had the idea of the CNA as a privacy security feature. A good idea. But also this guys: "hey, let's make them a huge pain to develop for".Fuck them, too. But then came the companies saying: "hey make us a huge SPA with all features we can think of for this fucktard of a browser."

I hate fucking CNAs

Three-factor authentication:
1. Setup an Amazon.com account.
2. Setup an Amazon Web Services account under the same e-mail address
3. Setup two-factor authentication for both systems.
4. Login to Amazon Web Services in a new browser session, and you'll be required to provide BOTH security tokens at login (Amazon.com first, then AWS second.)

Our new intern gave our digitalocean login details to this so called web developer to upload a new website.

The webdev removed the droplet 😭

Oh god where do I start!?

In my current role I've had horrific experiences with management and higher ups.

The first time I knew it would be a problem: I was on a Java project that was due to go live within the month. The devs and PM on the project were all due to move on at the end. I was sitting next to the PM, and overheard him saying "we'll implement [important key feature] in hypercare"... I blew my top at him, then had my managers come and see if I was OK.

That particular project overran with me and the permanent devs having to implement the core features of the app for 6mo after everyone else had left.

I've had to be the bearer of bad news a lot.

I work now and then with the CTO, my worst with her:
We had implemented a prototype for the CEO of a sister company, he was chuffed with it. She said something like "why is it not on brand" - there was no brand, so I winged it and used a common design pattern that the CEO had suggested he would like with the sister company's colours and logo. The CTO said something like "the problem is we have wilful amateurs designing..." wilful amateurs. Having worked in web design since I was 12 I'm better than a wilful amateur, that one cut deep.

I've had loads with PMs recently, they basically go:

PM: we need this obscure set up.
Me & team: why not use common sense set up.
PM: I don't care, just do obscure set up.

The most recent was they wanted £250k infrastructure for something that was being done on an AWS TC2.small.

Also recently, and in another direction:

PM: we want this mobile app deploying to our internal MDM.
Us: we don't know what the hell it is, what is it!?
PM: it's [megacorp]'s survey filler app that adds survey results into their core cloud platform
Us: fair enough, we don't like writing form fillers, let us have a look at it.

*queue MITM plain text login, private company data being stored in plain text at /sdcard/ on android.

Us: really sorry guys, this is in no way secure.
Pm: *in a huff now because I took a dump on his doorstep*

I'll think of more when I can.

Did the latest Windows 10 update fix it so that all your startup apps open before you login?

If so, why don't they mention that in the marketing literature? That's far more impactful to most people than some tab feature in their web browser that only old people use.

My trying to login to my email account my.email.address@example.com via web:

Site: You need to verify that you are really you. We sent a verification email to my.email.address@example.com please click the link in this email to verify your identity.

It's a really interesting discussion, when your boss tells you that it's a perfectly fine idea to directly use a Firebase DB from an Angular web app by storing the Admin Auth Token in a variable in JS.
Thank the spaghetti monster, I was able to argue against it and use the already partially implemented RESTful API with the already used auth.
He basically wanted to save time and omit extra login routes.

It's OK to save time and not implement $randomFeatures.
BUT DON'T FUCKING TRY TO SAVE TIME ON SECURITY!

If it wasn't for me, this web app would turn into a bigger gaping (security) asshole than Sasha Grey's...

Sometimes lack of confidence in one area reveals oversight cockyness in stronger areas:

Set up a simple login system from Unity engine to php to mysql db, using android device ID as the login id. Set up database column to accept 32 length varchar for MD5 hashed strings, as I knew the method I was getting the android device ID was automatically being hashed that way and more or less was what I wanted anyway.

Spend 2 days wondering why it would insert the logins with 0 issue, but could never retrieve them. Due to lack of web development and PHP skills, I assumed I was screwing up the handling of mysqli_num_rows() (to check whether I was inserting or selecting in the query) or simply screwing up my SQL queries.

Rewrite the code a few times, even went back to a method I had used in the past.

Today it dawned on me that my testing machines deviceID had been getting trimmed to the 32 character limit. Turns out I didn't account for my workstations device ID to be automatically hashed like the android device id is.

For 2 days I was obtaining and sending a 40 character string to a 32 character limit varchar and blaming my lack of PHP skills........

Back to my niche I go!

We had a project with a web app and an Android app. We split it out, he took the web and I was working on Android. He was very curious to do the project with me and very motivated at the beginning. We agreed on our first module that was user authentication. After some time when I told him that first module of app is ready and asked him on his progress, (When ever we had a talk he pretend like every thing is going fluently, though I continously told him ask for help if needed ) he opened a folder in vs code containing two files "index.html" and "style.css" and showed me the "login & sign up" design he was doing for days. I have no option but to appreciate his work. On that day I created new folder on my machine "web application" and started working.

//rant

So i ordered myself a web server and am trying to get access to phpmyadmin.
I got generated username and password for the phpmyadmin login.
So i created mysql databases and database users, outside the interface, but that's fucking it, i need to create tables as well, can't do that without the interface, cuz NO ACCESS!

Fucking piece of shit service provider, they had one thing to do and they can't even fucking do it right. How dare they call themselves web hosts at all...

It's probably a badly configured config file but i can't access the file myself to start sorting this shit out, so i got to wait at least 12 hours till work hours to be able to contact with them and sort this shit out.

Multi User, One Account, and other shit

I'm gonna rant about something as a user, and someone who makes stupid web stuff.

My bank has been updating their web banking over time and they decided that every individual on an account, should have their own login. They really want to push this on their users, I suspect specifically folks like me and my wife who share one login for the joint accounts we have at the bank together.

Why share one login, because it's the only sure fire way I know that I and my wife can see all the same shit no doubt about it.

The banks never tell you what you can see or can't with joint accounts, I doubt it is even documented on their end, but in every damn case something is hidden or different in some weird way.

Messages to the bank people? If I send it, my wife often can't. I get that for security reasons that's a thing, but it makes no sense for a joint account.

ANY difference to me breaks online banking ENTIRELY. Joint accounts are supposed to be... well one account that is the same.

Other banks we used where we had different logins for the joint account, each login actually had separate bill pay accounts per user. So if I went to bill pay and scheduled something to be paid, my wife had no idea, same if she did.

Right fucking there, banking is just broken entirely!

So no Mr. Bank, fuck you we're both logging in via the same login.

Fast forward to N00bPancakes making a thing.

So my employer has a customer (Direct Customer). Direct Customer wants a thing that makes communication with their customer (Indirect Customer) easier.

The worst thing about making something for your customer's customer is that Direct Customer always imagines that Indirect Customer is gonna be super ninja power users....

But no, that's not the case... in fact almost nobody is a power user, and absolutely nobody WANTS to be a power users.

Worse yet in my case the only reason this tool exists is because Direct Customer and Indirect Customer can't communicate well enough anyway... that should tell you something about the amount of effort Indirect Customer is willing to expend.

So with that tool, this situation constantly comes up:

Direct Customer thinks it would be great if every user from Indirect Company had some sort of custom messaging, views, and etc in of Cool Communication Tool. The reason is because that's what Direct Customer loves about Ultra Complex Primary Tool that they use ....

Then I have to fight the constant fight of:

NOBODY WANTS TO BE A POWER USER, NOBODY EVEN WANTS TO DO MUCH OF ANYTHING ON THE INTERNET THAT ISN'T SCREAMING AT OTHER PEOPLE OR POST MEMES OR WATCH SHITTY VIDEOS. THE MOMENT ANYONE AT INDIRECT COMPANY LOGS IN AND SEES ANY INFO THAT IS DIFFERENT FROM THEIR COWORKER THEY'LL SHIT THEMSELVES, FLOOD EVERYONE WITH 'OH GAWD SOME NON SPECIFIED THING IS WRONG' AND RESPOND TO EMAILS LIKE A JELLYFISH DROPPED OFF IN NEW MEXICO... AND NOTHING WILL GET DONE!!!

God damn it people.

Also side rant while I'm busy fighting the good fight to keep shit simple and etc:

People bitch about how horrible the modern web is and then bitch at web devs like we're rulers of the internet or something.... What really pisses me off about that is other devs who do that.... like bro, do you make policy at your company? You decide not to sell some info or whatever shit your company sells? Like fuck off with your 'man I miss html' because you got scared by some shitty JS error and ran back to your language of choice and just poked your head out of the the basement and got scared... and you shit on another developer about that? Fuck you.

I'm in vacation in portugal and in the apartment the WLan has the default ssid. So i tried to login with the default credentials into the web panel. It worked... Now i have superuser access and can change everything i want...

Ouuu today I experienced how web-devs must feel...

Task: create a form to answer questions with yes/no and a database behind it to collect stats.

So login to phpmyadmin
1. Wrong password got error message
2. No error message, still at login screen, but in address I see a token
3. There must be something wrong
4. Reinstalled phpmyadmin and mysql-server several times, wasted one hour on it - still stuck at login screen
5. Tried different browser and it fucking works!
6. Realized that cleaning cache fixed it...

I've got a kinda basic networking question I can't quite figure out

How does a push notification work?

Like, on an Android app. A good example is an authenticator. Say I don't login to the service for 4 months.

Then, one day, I try to log into the web portal and it prompts me to accept the request on my authenticator app on my phone.

Immediately, there's a push notification on my phone.

Wtf.

Is there a socket open for 4 months? Does it send requests every few seconds for 4 months? I can't imagine that either of these options scale whatsoever: both horrendously waste bandwidth and server connections.

How the fuck does it work? I don't even have the first idea.

One day I helped another teacher with setting up his backend with the currently running Nginx reverse-proxy, peace of cake right?

Then I found out the only person with ssh access was not available, OK then just reset the root password and we're ready to go.

After going through that we vim'd into authorized_keys with the web cli, added his pub key and tried to ssh, no luck. While verifying the key we found out that the web cli had not parsed the key properly and basically fucked up the file entirely.

After some back and forth and trying everything we became grumpy, different browsers didn't help either and even caps lock was inverted for some reason. Eventually I executed plan B and vim'd into the ssh daemon's settings to enable root login and activate password authentication. After all that we could finally use ssh to setup the server.

What an adventure that was 😅

So I want to inform my internet provider of my new phone number, but I can't remember any of my login info for their web interface because I never used it. Luckily, they have a "forgot my username" function, where I submit my email address and get a confirmation that my username has been sent to me.

Yet, I just don't get said email. I try again, but no avail. So I just guess my username and use their "forgot password" form, which – hooray! – confirms it just sent my an email.

But I don't get any email. I retry, I retry after a day, but no automatic response. I remember a incident a few years back when I didn't get some automatically generated mails from a company and decide to contact their support if they could just reset my password manually.

Nearly a week passes.

Now I received the answer. I just don't have an account.

Lesson learned: Next time I'll just input garbage first to check if those forms are sane.

Got a bad question here. I've got my homepage (login + some archives with access permission) which I made in HTML + php (yeah I know). But I just hate how php looks. So I'd like to rewrite that whole little bastard now using some other language (not php obviously). What do you recommend? Which Lang's/frameworks are being used. I heard python and java spring were good but I wanted to hear the opinion of some real devs I guess. I'm rather a back end dude (c++) but I think it would be useful to learn some web programming too (not interested in fancy animations and shit, just a good ol' single colored site that displays the content)

!rant

So, when I was young, I wanted to be a freelancing nomad. You know, live the live, work remote and travel.

But I didn't have the bones to pursue that. After 10 years of struggling as a normal "programmer", I did a little of everything. I did normal boring "erp maintenance" in C#, Oracle and some legacy stuff called Visual WEB GUI , which was fun, but required a full 9,5 hours work day, 8:00 am to 6:30pm, and the bosses where squares, and I was young and wanted to try something out of the corporate world.

Then I did some work for a newly funded consulting company that used python, Django, and postgresql, but the bosses promised a lot and delivered none, (I was supposed to work backend and have frontend support, which I did not have, and that hurt my productivity and bosses instead of looking at what they promised but did not deliver, they just discounted my salary 3 months in a row, so Bye bye MFs!!

Then I did some remote work for some guys, that, I managed to sustain for a whole year, the pay was good, the stack was simple, just node.js and pug templates, that gig was good, but communication with the bosses was hard, and eventually things started to get hard for them and me, and we had to say farewell to each other, I miss those guys. This is the only time I remember having fun working, I could work whenever I wanted, I only had to reach the weekly goals, and then my time was mine, I could work from home in the odd hours, or rent a chair in a co working space if I wanted to socialize.

Then fate got me one big gig with a multinational company, and I could hire some people, but I delegated too much and was asking too little of myself, and that project eventually died because I did not know how to negotiate.

So, I quit the whole entrepreneur idea, and got a public job at my University, I was a public employee with all the perks, but none of the fun, I just had to clock-in, work, and clock-out. That experience led me to discover a lot of myself, I worked as a public employee for a year and a half, and in that time, I discovered more about myself than what I learnt in 27 years of previous life experience.

Then, I grew bored of that life, and wanted some action, and I found more than enough fun in a VC funded startup ran by young narcissists that did not have a clue of what they were doing, I helped them organize themselves into "closing stuff", you know, finish the things you say you have finished. Just to give you an idea of what it was like before I got there, the were working for 3 months already on this project, they had on paper 50% of the system done and working, when I tried to use the app, I couldn't even sign-up without hacking some database commands, (this was supposedly done). So I spent a month there teaching these guys how to finish stuff, they got, Sign Up, (their sign up was a mess, it is one of those KYC rich things, that financial apps have), Login, and some core functionality working in a month, while in the previous 4 months they only did parallel work, writing endpoints that were not tried, and an app that did not communicate with the backend. But the bosses weren't happy with me, because I told them time and time again that we were not going to reach the goal they needed to reach to keep receiving funds from the investors, and I had to quit before it became a mayhem of toxic employer/employee relationship.

So now I decided to re-engage with life, I have funds to survive about a month and half, I have a good line of credit in case I need some more funds, and the time of the world.

So wish me luck!!! And I'll be posting often, because I would like opinions, hear from people with similar life experiences and share anecdotes.

Next post, it's going to be about how I discovered taskwarrior, and how implemented my first weekend following some of the aspects of GTD to do all my housekeeping chores, because, I think that organizing myself will be key to survive as a freelancer nomad.

Sadly, I’m not a good enough developer to have clever and hacky solutions to anything. In college I did once use Visual Basic to spoof a Novell login screen and steal other students’ passwords and write them to a diskette, which I’d recover after they walked away from the machine. The worst I did to them was log into their messaging and send them messages from themselves. Oh, and I also set up an “underground” web site that the campus sysadmins didn’t discover for a while. I used it to set up a forum where students could sell their used textbooks for better prices than the buy back program at the campus bookstore.

Well for starters the website that gave you assignments on security of web applications shouldn't have an SQL injection vulnerability on the login page.

Next would be the method of teaching, they would skip what not to do and go straight to what you should do. This in turn causes people to use the exec command in php that actually takes a POST parameter.

And stop allowing teachers to be lazy fucks that don't explain shit and only give you assignments.

And finally when telling the teacher that a method he uses would cause another vulnerability the teacher should properly fix this issue not say it is for an "advanced course".

Yes I am pissed

I've been fighting with my xmlrant.com hosting provider for a good several days now regarding enabling web deploy for my account.

According to their screenshot it all works, according to my various attempts still getting either 404 or 401 with the same login / server details!

So frustrating... It almost looks as though same authentication works differently for them locally and for me externally... Maybe domain name needs to be in FQDN format... Or smth else... Either way this will probably end up with them saying fuck off, all is working on our end.

And as well it might - it just might be my incompetence... *self-doubt creeping in*

But it's still frustrating nevertheless.

So far I need to settle for unreliable FTP deploy, which introduces big overhead as always copies entire deployment folder, even is only a few files are actually changed.

*Le sigh*

The first dev project, like real dev project, I participated in was a school one and it was double.
The class was meant to make us learn about the software's life cycle, so the teacher wanted us to develop a simple, yet complicated, thing: a Web platform to help tutors send/refer students to the university services (psychologist, nutriologist, etc) and to keep track of them visits.
We all agreed on it being easy.
Boy were we so wrong.
I was appointed as dev leader as well as some others (I was the programming leader, the other ones were the DB guy and the security guy) and as such I was in charge of the technology used (well, now we all know that the client is the one in charge of that as well as the designer) and I chose Django because we had some experience with it. We used it for the two projects the teacher asked us to do (the second one was to find a little shop and develop something for it, obviously with the permission and all that), but in the second one I decided to use React on top of Djangl, which ended being a really good combination tho.
So, in the first project, the other ones (all the classroom) started to discuss and decided to use some other stuff like unnecessary carousel for images, unnecessary functions, they created mock ups for stuff that was never there to begin with, etc. It was really awful, we had meetings with the client (the teacher) with updates on the project, and in not a single one he was satisfied with the results. But still, we continued with the path the majority chose and it was the worst: deadlines were not met, team members just vanished until the end of the semester, one guy broke his leg (and was a dev leader) and never said a word not did anything about the project. At the end, we presented literal garbage, the UI was awful, its colors were so ugly because we had to use the university official colors, the functionality was not there, there literally was a calendar to make appointments for the services (when did the client ask for that? No one knows), but hey, you could add services and their data to it, was it what the client wanted? Of course not! What do you think we are? Devs?
Suffice to say that, although we passed with good grades, the project and the team was shit (and I'm counting me in)
The good part is that the second project was finished by me and it looked really good, yet it didn't matter, the first project was supposed to be used by the university, but that thing was unusable.
Then, in the subsequent vacations I tried to make pretty and functional/usable, yet I failed because I had a deadline for another thing I had to do, but hey, the login screen looked amazing!

Ranting in my winphone8.1 via web app and it is awesome!

Simply change the user agent to Firefox or chrome desktop and then go to
devrant.io/feed
Login, and enjoy!

Senile Web login services from 2009 grind my gears, and tertiary education administration snorts the powder.

Trying to apply online at a local university. They didn't have place for me 3 years ago so I went elsewhere but for my 4th year I have to go to them.

Because of my previous application I still have a student number. Online application says I have to log in to another portal and apply there. Then that portal now requests a Pin that I was never sent, and the "request new pin" function doesn't work because apparently my email is not in the database for my ID. My email was 100000% sure on my application, but some dingus never inserted it into the system.

Why not just start a "new" application you ask? Because the New Applications portal won't allow it for my ID number since it has a student number already. Now I either have to apply manually and pay the fee or wrangle Uni staff to reset my account.

I'm calling you, your slapdash JavaScript 1.2 code and your unhelpful staff out, Cape Peninsula University of Technology.

Few months ago we move into a new Building, Company buys new Polycoms for 2 of the boardrooms - fancy ones with the Skype for Business and stuff.
Provision the boardroom accounts get them set up and all is working well.
Director asks if we can swap 2 boardroom phones around because their dept. just got a remote user and video calling would be awesome.
I set to work changing sign in details, provisioning accounts, assigning licenses, etc which is a long process because 365 needs to update throughout.
Finally get everything right, time to login... Failed...
Login fails on the Polycom, my laptop & an android tab - all 3 with different errors.
Decide to test account by logging into the web version in OWA - logs in perfectly.

Why Microsoft?? Why must you make it so hard? Why not just work?

TL;DR - Coding standards are a shit practice IMO.

What we don't talk about enough among software engineers, is the artistic aspect of the craft of writing code.

For example, consider your client saying this to you.

"Build me a web app where a user will login. They will have a wallet to purchase subscriptions of 3 products of different prices."

Give these two statements to say, 10 devs and see how each of them will come up with their own vision of the problem and how they would implement it in their own ways.

So now you are working on a big team with say 30 people and you have a big project to work on. Different members of the team bring different styles of code to you to review and if, the Team Leader is as incompetent as mine is, they would find it troubling to understand the pull requests.

So what do you do in these scenarios? Implement Coding standards !!! They take away the artistic vision of the devs and tries to force them to follow rules like sheep.

Also the company doesn't give two shits about the code standards cuz, as long as they have working code that makes them money, they wouldn't care how the code is written.

Thoughts ?

fuck the overengineered bulshit that ZF2 is... fuck crappy mvc in web, fuck shitty design, tuck events, fuck 'security feature' that obfuscates the fucking redirect login/logout urls fuck not having your full link, but just the path everywhere, fuck whitelabeling, fuck somebody's sister, fuck me and fuck you....

requiring a login to use an app but providing no web based way to setup your account.

Motherfucking peace of shit....
Dont know to whom I should direct this to .

Was creating a new login page for web app using Quasar(vue.js). Since my application have 2 different types of user, which also have different UI, and functionality.
One is written in vanilla ( and is quiet heavy) and the other one in vuejs ( though earlier it was written in vanilla too ). Login page too was written in vanilla which was working fine.
Now just yesterday I finished a prototype for the third type of user, which is also written in vuejs. Now I decided to re create login page using vuejs. Quiet small and easy to do. Finished it yesterday itself. Now since today's morning I am trying to configure it so that it this piece of shit just let me log in. It was authentication and verifying but not letting me log in.
( On server after authentication, I set cookies/token on clients browser and auto reload the page, so during next request to server/ or during reload, server will read the cookie/token and send the specific admin panel to user)

Prick. Dick.
It was setting cookie, but not at the '/' path. Mother fucker.
It was setting cookie to the path I was sending login credentials ( which was different from '/', I.e.- /login/verify=password )
So it was setting cookie/token at '/login/verify=password'.
Even tried setting path for cookie at server. Read everything on internet. MF nothing worked. All I came across was, 'this is CORS' .... 'this is CORS'. Assholes, if it were CORS', how then I am able to make request to server and getting response without error

Only a hour ago, when I made get request to '/login/verify=password' I figured out, cookie is being sent to server for this path only. Then did some changes at server, so to send login credentials to '/'. Now that shit is working

Fucking waste of time. Wasted more than 6 hours. Asshole.

Btw, if you can suggest a better way to login, then please.

We have a 4 months long project where we have to develop some kind of web app. My assignmemt is literally 3 tables in DB, login screen, 3 buttons and one textinput. I've done it in past 4 hours. What a waste of time and effort.

A question for Web developers:
I'm planing to start working on a web part of my project. Important part is that it's supposed to be working with MongoDB. The idea is to build a small digital library, so the main functionalities should be user registering, his login, querying database for books, showing list of results and viewing pdf files up to 200MB size.

Since I have almost no experience with web technologies, I would like to hear your advices and opinions on the technologies/languages I should use and learn. Should I go with JavaScript? Php? Something third?

Please note that this is a school project on which I'm working after my job, and not something to be deployed to customers.

Thank you

When I found out that the server I use weirdly implements SSH login.
For some very odd reason (probably a historical one,) you have to access the web-app console and press a button TO GRANT SSH ACCESS TO THE F*<KING IP ADDRESS FROM WHICH I PRESSED THE BUTTON. The server blocks the wrong IP addresses outright. And only one active allowed IP at a time. This totally obliterates my plan to perform CD on this server. Why can't I just register public keys?
Then I learned several months later that they introduced a new server plan that *does* support the public-key registration. :facepalm:
I'm divided on whether to change my plan in exchange for a rather significant increase in the monthly cost.

If your SPA doesn't work with the browsers navigation buttons . . . go fuck yourself and fix your application.

At work I have to deal with an application that manages work tickets. There's a login page, an overview console and a page for each individual ticket (and a whole bunch of other pages that I'll ignore for this rant.) If I click on a ticket to view it I go to a new page, right?

What happens if I want to go back to the overview? I hit back on my browser. That should take me back!

WRONG

Nope. Because it's a single page application with no fucking routing programmed, the browser still thinks that the login page is the last page so it takes me there instead.

Like come on, good UX/UI design takes advantage of what the user expects and what the user is used to. The user expects the back button to take him back one page, and therefore it is the responsibility of a SPA developer to mimic that capability in his app. I don't know what framework this web page uses (it has none of the recognizable hallmarks of React or Angular) but for gods sake, implement a freaking router.

What i'll minded cocksucker decided it was a good idea to let the web application cache MySQL login credentials..

!rant

I need some help. For a website with some basic client login and profile, some details from client etc, what is the best web stack?

I know ReactJS and Node quite well. But React for this is probably overkill. What do you guys suggest?

So as a personal project for work I decided to start data logging facility variables, it's something that we might need to pickup at some point in the future so decided to take the initiative since I'm the new guy.
I setup some basic current loop sensors are things like gas line pressures for bulk nitrogen and compressed air but decided to go with a more advanced system for logging the temperature and humidity in the labs. These sensors come with 'software' it's a web site you host internally. Cool so I just need to build a simple web server to run these PoE sensors. No big deal right, it's just an IIS service. Months after ordering Server 2019 though SSC I get 4 activation codes 2 MAK and 2 KMS. I won the lottery now i just have to download the server 2019 retail ISO and... Won't take the keys. Back to purchasing, "oh I can download that for you, what key is yours". Um... I dunno you sent me 4 Can I just get the link, "well you have to have a login". Ok what building are you in I'll drive over with a USB key (hoping there on the same campus), "the download keeps stopping, I'll contact the IT service in your building". a week later I get an install ISO and still no one knows that key is mine. Local IT service suggests it's probably a MAK key since I originally got a quote for a retail copy and we don't run a KMS server on the network I'm using for testing. We'll doesn't windows reject all 4 keys then proceed to register with a non-existent KMS server on the network I'm using for testing. Great so now this server that is supposed to connected to a private network for the sensors and use the second NIC for an internet connection has to be connected to the old network that I'm using for testing because that's where the KMS server seems to be. Ok no big deal the old network has internet except the powers that be want to migrate everything to the new more secure network but I still need to be connected to the KMS server because they sent me the wrong key. So I'm up to three network cards and some of my basic sensors are running on yet another network and I want to migrate the management software to this hardware to have all my data logging in one system. I had to label the Ethernet ports so I could hand over the hardware for certification and security scans.

So at this point I have my system running with a couple sensors setup with static IP's because I haven't had time to setup the DNS for the private network the sensors run on. Local IT goes to install McAfee and can't because it isn't compatible with anything after 1809 or later, I get a message back that " we only support up to 1709" I point out that it's server 2019, "Oh yeah, let me ask about that" a bunch of back and forth ensues and finally Local IT get's a version of McAfee that will install, runs security scan again i get a message back. " There are two high risk issues on your server", my blood pressure is getting high as well. The risks there looking at McAfee versions are out of date and windows Defender is disabled (because of McAfee).

There's a low risk issue as well, something relating to the DNS service I didn't fully setup. I tell local IT just disable it for now, then think we'll heck I'll remote in and do it. Nope can't remote into my server, oh they renamed it well that's lot going to stay that way but whatever oh here's the IP they assigned it, nope cant remote in no privileges. Ok so I run up three flights of stairs to local IT before they leave for the day log into my server yup RDP is enabled, odd but whatever let's delete the DNS role for now, nope you don't have admin privileges. Now I'm really getting displeased, I can;t have admin privileges on the network you want me to use to support the service on a system you can't support and I'm supposed to believe you can migrate the life safety systems you want us to move. I'm using my system to prove that the 2FA system works, at this rate I'm going to have 2FA access to a completely worthless broken system in a few years. good thing I rebuilt the whole server in a VM I'm planning to deploy before I get the official one back. I'm skipping a lot of the ridiculous back and forth conversations because the more I think about it the more irritated I get.

This tuesday I saw a really badly made PHP web application. Two actually. I was giving a time estimate for how long it would take to transfer these applications to our servers. While I was reading the code it became apparent that they had more security holes than Emmental cheese. Most views had obvious SQL-injection vulnerabilities and most probably XSS too. Although I didn't think too look for XSS in the moment. It just puzzled me that this bad code even exists.

But cherry on top was that the password wasn't checked at all. The login form was on the organization's website and was sent to the selected application. But the password wasn't checked in the application. And this was made by a real Finnish software development firm, like what the fuck.

Time to redo the applications I guess. Not like there's anything wrong in that if they pay for it.

Just had the worst time ever. Tried to register to a web portal of my ISP. Couldn't even get to the dashboard. It randomly redirects back to login page. Doesn't save info. Asks for info already given in the profile when I try to add my connection and then says info doesn't match with what's in the profile.. WTF!!! I just copy pasted it from the profiles info page. :/ just gave up after trying for the 50th time. I just can't understand how someone could design something with this level of shitty user experiance.
I would just like to say fuck you to the assholes who designed that worthless portal. :/

Does the login save checkmark not work for anybody else on the web devrant? Like I always have to re-login, tried it on multiple webbrowsers too and even in a fresh VM image.

So it's been 4 months and my struggles with Power bi continues. The .net developer I once remains only a bleak memory.
So yesterday the client thought about securing reports, I appreciate the step and suggested embedding them in SharePoint Web parts and securing the access from the desktop app. The client wasn't thrilled with my suggestion as his clients might not have SharePoint, valid point. Instead he wants me to create a small web app with a login page to share the public web url of the reports.
He can't trust client by giving them direct urls but will trust them to login first and then have the url....

I just realized what a horrible fate I escaped several years ago.

I was just finishing bachelor s degree, when I was offered to write my diploma under teacher, who works in Bitrix.

I was given first tasks how to make web site on my own l, I liked it pretty much in the beginning, I installed sql database, made simple registration, login. And then I was offered to try CMS bitrix (which is essentially proprietary local version of Wordpress). With words, that I will see how much easier to work in this way.

I found myself not trusting it, something was fishy. I could not understand why, am I as beginning dev in it, could not use it for free? Why could I not making deving in it, without paying big sum per month(it was big for student-me at least).

I went to work with computer graphics during diploma then, and made minecraft analog in c# (at that time I played minecraft too much)

Now I am working with modern open source world wide supported frameworks. And recently saw a web site made by bitrix devs... They went into production without... https. And I think they are the same ones.

!rant
I'm currently working on a little side project in Go and I want to create a web page with an OAuth2 based login. So far the OAuth2 login works, but I need something to track a session afterwards.

Any suggestions? I'm pretty new to web development, especially in Go :)

For a publisher of programming books, Packt sure seems to have frequent website issues.

They asked me to build a small website they will embed in a native application with some web wrapper in Android and iOS.

But also asked me to build a login web service that will return a JWT. Done.

They want to do a native code login form that opens up the web wrapper with my small website already logged in using the login web service.

I have no idea how to proceed in the backend.

At first i tried using postman with a POST request to the sessions/sign_in route and sending a form with the authenticity token and the email and password; but CSRF stopped me. I don't want to turn it off because of reasons.

Now i am wondering how to use this JWT to generate a cookie with a session inside it that they can use in the web wrapper.

Any help would be appreciated :)