Comments
2erXre5: pretty bad.. and let me guess:
no source IP filter,
no request header signature,
no SSL,
...
2erXre5: And I hope you have encoded a fictitious mail address in your picture (haven't checked it yet)... 🤔
@2erXre5 Network-wise we have a solid team, so none of this stuff is externally accessible without jumping through many hoops. And decode the string :)
@2erXre5 oh fuck I meant to say email not IP.. fuck my brain. not even simple tasks like that..
Rant
We have a portal which uses Windows Integrated auth that lists out all of our internal sites.
Navigating to any of these produces a URL like the one in the attached image.
Turns out all our internal applications use a base64-encoded email address in the query string as the means of authentication.
So, anyone can authenticate themselves as another employee within the company by simply changing the query param value to said employee's email address.
Fucking nuts.
Tags: rant, done, right, auth
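The rant describes an identity assertion, not an authentication: whatever base64 string arrives in the query parameter becomes the logged-in user. The added example below is not from the rant or its comments; it contrasts that scheme with the fix the "no request header signature" comment hints at, where the portal that really did authenticate the user (via Integrated auth) hands the internal apps a short-lived HMAC-signed token instead of a bare address. The parameter name `user`, the shared key and the email addresses are constructed for the example; the real portal's URL format is only in the screenshot, which this page does not include.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical query-parameter name; the rant's real URL layout is only in its screenshot.
USER_PARAM = "user"


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 without padding, so the token survives a query string intact."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def weak_identity_from_url(url: str) -> str:
    """The scheme the rant describes: base64 of an email address in the query
    string is taken as the authenticated identity. Nothing ties the value to a
    real logon, so the app is trusting an unverifiable claim."""
    params = parse_qs(urlsplit(url).query)
    raw = params.get(USER_PARAM, [""])[0]
    return b64url_decode(raw).decode()


def issue_token(secret: bytes, email: str, now: int, ttl: int = 300) -> str:
    """Hardened form: the portal signs (email, expiry) with a key shared with the
    internal apps. Format is payload.signature, both URL-safe base64."""
    claims = {"email": email, "exp": now + ttl}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url_encode(sig)}"


def verify_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """Return the email if the signature and expiry check out, else None.
    Any change to the payload (a different address, a later expiry) breaks the MAC,
    and a token without a signature never parses."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
        if int(claims["exp"]) < now:
            return None
        return claims["email"]
    except (ValueError, KeyError, TypeError):
        return None


def hardened_identity_from_url(secret: bytes, url: str, now: int) -> Optional[str]:
    """What an internal app should do instead: only a token the portal signed counts."""
    params = parse_qs(urlsplit(url).query)
    return verify_token(secret, params.get(USER_PARAM, [""])[0], now)


if __name__ == "__main__":
    # Constructed values: shared key, clock and addresses are made up for the demo.
    key = b"constructed-shared-key"
    good = issue_token(key, "alice@example.test", now=1_000_000)
    print("valid token ->", verify_token(key, good, now=1_000_100))
    print("expired token ->", verify_token(key, good, now=1_000_400))
    bare = "https://intranet.example/app?user=" + b64url_encode(b"alice@example.test")
    print("bare base64, weak check ->", weak_identity_from_url(bare))
    print("bare base64, hardened check ->", hardened_identity_from_url(key, bare, 1_000_100))
```

The token only closes the hole the rant describes if the signing key stays on the portal and the apps, and if the apps stop accepting the unsigned form entirely; the network isolation mentioned in the comments limits who can reach the endpoints but does nothing about one employee impersonating another from inside.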