My last internship (it was awesome). A programmer developed a vacation/free day request application for internal use.
Asked if I could test it for security.
The dev working on it thought that was a very good idea as he wasn't much into security and explained how the authentication process worked.
I immediately noticed a flaw just from his explanation. He said it was secure anyways (with an explanation but his way of thinking was wrong in this case). Asked if I was allowed to show him. He said he was intrigued by this so gave me a yes right away.

For the record, user levels were normal user, general admin and super admin (he was the only super admin).

Wrote a quick thingy server side (one of my own servers/domains) for testing purposes.

Then I started.

Went from normal user to super admin (his account) through a combination of XSS and Session Hijacking within 15 seconds.

Explained him where he went wrong and he wrote a patch under my guidance 😃.

That felt so fucking awesome.

  • 22
    That really is awesome, congratz!
  • 15
    Well done. You just set your foundation for working either with this team and company or a glowing recommendation in the future.
  • 2
    Awesome story!
  • 1
    Well done, sir! I would say that <secured> your positive feedback. But then again - you do know a thing or two about security ;) .
  • 3
    @linuxxx do you by any chance do penetration testing for companies? Im looking for one...
Add Comment