18

Tip: Never add an execution (PHP for example) script as a bookmark in your browser.

Your browser will occasionally poll the saved URL to update the favicon or sync to the server or something like that, which triggers the script without you knowing...

Comments
  • 4
    Isn't that why GET requests should be safe?
  • 2
    @alexbrooklyn yeah.. But this was a file on my localhost I executed once in a while a long time ago for some automated stuff. Was probably added by accident via a key combo or something like that.
  • 3
    Have you ever heard about cron jobs?
  • 2
    @sgzadrian manual trigger when you don't want to wait for the cron and can't be bothered jumping onto the server.

    But NO you shouldn't keep said files located in a place that A) can be triggered accidentally or B) in a place that randomly fires requests.
  • 1
    That's why there should be no unsafe API endpoints that respond to GET.
  • 2
    I think the lesson learned here should be: don't perform fucking actions on GET requests.
  • 0
    @roger haha well.. something exactly like that. 😂
  • 0
    @kescherRant @stacked Absolutely true. But I sometimes use PHP scripts for local stuff as a random example (should switch to shell scripts instead) to create backups and whatnot (no server or API stuff).
  • 0
    I guess you don't have authentication as well then : )
  • 0
    @stacked for some scripts not, because some are local files that you have to know where they’re stored and you’d have to have access to my actual device (+ nothing security or data related). The bookmark was by accident via a key-combo probably.
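The point made in the thread above (a GET must not perform actions, because browsers fetch saved URLs on their own), as an added example that is not part of the original post or comments: a local PHP maintenance script that runs only from the CLI or on a POST carrying a secret token. The token file path and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical local maintenance script (for example backup.php).
// TOKEN_FILE and all function names are assumptions, not from the thread.
const TOKEN_FILE = __DIR__ . '/.trigger_token'; // constructed path, keep it out of the web root if possible

/** Decide whether this request may run the side-effecting action; returns an HTTP status. */
function authorize_trigger(string $sapi, string $method, string $sentToken, string $expectedToken): int
{
    if ($sapi === 'cli') {
        return 200; // started from a shell or cron job, not reachable by a browser
    }
    // GET and HEAD stay free of side effects: bookmark refreshes, favicon
    // lookups, prefetchers and sync services issue them without user intent.
    if ($method !== 'POST') {
        return 405;
    }
    // Require a secret so that a stray or cross-site form post cannot fire the action.
    // An empty expected token (missing file) always refuses.
    if ($expectedToken === '' || !hash_equals($expectedToken, $sentToken)) {
        return 403;
    }
    return 200;
}

$expected = is_readable(TOKEN_FILE) ? trim((string) file_get_contents(TOKEN_FILE)) : '';
$sent = $_POST['token'] ?? '';
$status = authorize_trigger(
    PHP_SAPI,
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    is_string($sent) ? $sent : '', // token[]=x would arrive as an array
    $expected
);

if ($status !== 200) {
    http_response_code($status);
    if ($status === 405) {
        header('Allow: POST'); // tell well-behaved clients which method is accepted
    }
    exit("refused ($status)\n");
}

// Only reached from the CLI or after an authenticated POST.
echo "backup started\n"; // the real work (copying files, dumping a database) goes here
```

With this guard, a bookmarked URL that the browser re-requests gets a 405 response and nothing runs.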