41

On my first day at work i was given the task to rewrite some code. I pulled the code, started the server and was greeted with a login-page. Instead of asking for credentials i tried good ol' " OR 1=1;#. Instand login, admin account. My boss was baffled, but instead of fixing this he decided other tasks had "higher priority". 3 years later, this still exists. I also heard some client runs the application open on the internet.

Everyone wants security, but some people decide to pull out the bottommost card in the fragile house of cards of security

Comments
  • 4
    If it were me I probably would just fix it. After working 3 years on a system dont you take ownership and responsibility for its shortcomings?
  • 3
    @spacem that was only the root of the problems. There is no sort of access control at all, and looking at the html you can figure out which pages and endpoints you can call
  • 5
    @spacem but i learned from it, the next web project had a strict line between front- and backend and every call to the backend required a login (with whitelisted exceptions). Hibernate prevents sql-injections, react prevents xss and access control exists. Apart from XSRF everything got good.
  • 4
    Everyone says they want security but implementing it can't take up any resources that they could otherwise translate into profit or sales if used for something else.
  • 3
    @YouAreAPIRate Add keycloak to this stack and you have mine (including CSRF Protection).

    Btw. injection flaws such as SQL Injections are still the #1 security flaws according OWASP.
    https://owasp.org/index.php/...
  • 1
    Pretty sure comments are coded as "--" in SQL but nice story!
Add Comment