
Just discovered one of our core systems had literally used API key validation of "drop into database, if it exists, it's fine".

Well, around 30 seconds later, I had successfully authenticated with the API key "%". Wonder why... Sigh... Patch already pushed, but it still left a bad taste in my mouth...

Lesson for beginners:
Validate, validate, validate. If a user could touch it, treat it as broken and unsafe, and assume that if used it will nuke your home. Check whether it will, then use it.
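The bug in the post, reconstructed as an added example (not the poster's code): a key lookup that uses SQL `LIKE` accepts the wildcard "%" as a valid key, beside a hardened lookup that restricts the input alphabet, matches on the hash with `=`, and compares in constant time. It assumes SQLite, a table named `api_keys`, and a constructed placeholder key; the plaintext column exists only so both lookups can run against the same table.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed placeholder key; a real deployment would store only its hash.
VALID_KEY = "sk_live_example_0123456789"


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding one valid key (hash and plaintext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_keys (id INTEGER PRIMARY KEY, "
        "key_hash TEXT NOT NULL, key_plain TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO api_keys (key_hash, key_plain) VALUES (?, ?)",
        (hashlib.sha256(VALID_KEY.encode()).hexdigest(), VALID_KEY),
    )
    return conn


def weak_is_valid(conn: sqlite3.Connection, presented: str) -> bool:
    """The pattern from the post: 'if any row matches, it's fine'.

    LIKE treats '%' (any run) and '_' (any single char) as wildcards, and SQLite's
    LIKE is case-insensitive for ASCII, so "%" matches every stored key.
    """
    row = conn.execute(
        "SELECT 1 FROM api_keys WHERE key_plain LIKE ? LIMIT 1", (presented,)
    ).fetchone()
    return row is not None


def strong_is_valid(conn: sqlite3.Connection, presented: str) -> bool:
    """Hardened lookup: validate shape, hash, exact match, constant-time compare."""
    # Reject anything outside the key alphabet before it reaches the database;
    # this alone throws out "%" and "_".
    if not re.fullmatch(r"[A-Za-z0-9_]{16,128}", presented or ""):
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    row = conn.execute(
        "SELECT key_hash FROM api_keys WHERE key_hash = ?", (digest,)
    ).fetchone()
    # '=' already does an exact match; compare_digest guards the final check
    # against timing differences if the comparison is ever moved into code.
    return row is not None and hmac.compare_digest(row[0], digest)
```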
