Search - "localstorage"
-
!Story
The day I became the 400 pound Chinese hacker 4chan.
I built this front-end solution for a client (but behind a back end login), and we get on the line with some fancy European team who will handle penetration testing for the client as we are nearing dev completion.
They seem... pretty confident in themselves, and pretty disrespectful to the LAMP environment, and make the client worry that, even though it's behind a login, the project is still vulnerable. No idea why the client hired an uppity .NET house to test a LAMP app. I don't even bother asking these questions anymore...
And worse, they insist we allow them to scrape for vulnerabilities BEHIND the server side login. As though a user was already compromised.
So, I know I want to fuck with them. And I sit around and smoke some weed and just let this issue marinate around in my crazy ass brain for a bit. Trying to think of a way I can obfuscate all this localStorage and what it's doing... And then, inspiration strikes.
I know this library for compressing JSON. I only use it when localStorage space gets tight, and this project was only storing a few k to localStorage... so compression was unnecessary, but what the hell. Problem: it would be obvious from exposed source that it was being called.
After a little more thought, I decide to override the addslashes and stripslashes functions and to do the compression/decompression from within those overrides.
I then minify the whole thing and stash it in the minified jquery file.
So, what LOOKS from exposed client side code to be a simple addslashes ends up compressing the JSON before putting it in localStorage. And what LOOKS like a stripslashes decompresses.
Now, the compression does some bit math that frankly is over my head, but the practical result is if you output the data compressed, it looks like Mandarin and random characters. As a result, everything that can be seen in dev tools looks like the image.
So we GIVE the penetration team login credentials... they log in and start trying to crack it.
I sit and wait. Grinning as fuck.
Not even an hour goes by and they call an emergency meeting. I can barely contain laughter.
We get my PM and me and then several guys from their team on the line. They share screen and show the dev tools.
"We think you may have been compromised by a Chinese hacker!"
I mute and then die my ass off. Holy shit this is maybe the best thing I've ever done.
My PM, who has seen me use the JSON compression technique before and knows exactly what's up, starts telling them about it so they don't freak out. And finally I unmute and manage a, "Guys... I'm standing right here." between gasped laughter.
If only it was more common to use video in these calls because I WISH I could have seen their faces.
Anyway, they calmed their attitude down, we told them how to decompress the localStorage, and then they still didn't find jack shit because I'm a fucking badass and even after we gave them keys to the login and gave them keys to my secret localStorage it only led to AWS Cognito protected async calls.
Anyway, that's the story of how I became a "Chinese hacker" and made a room full of penetration testers look like morons with a (reasonably) simple JS trick.
-
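The "looks like Mandarin" effect described in the rant above, as an added JavaScript example that is not the poster's code or the compression library he used. It bit-packs JSON into code units from the CJK Unified Ideographs block, stores it through an in-memory stand-in for localStorage (constructed so it runs outside a browser), and reads it back. That round trip is the point worth keeping: everything needed to decode ships in the client bundle, so this hides data from a glance at dev tools, not from a tester who reads the bundle; the access control that actually held in the story was the Cognito-protected calls. The names packToCjk, unpackFromCjk, storeObscured, loadObscured and memoryStorage are hypothetical.

```javascript
// Added example, not code from the rant or the library it mentions.
// Packs UTF-8 bytes 14 bits at a time into code units 0x4E00..0x8DFF, which all
// lie inside the CJK Unified Ideographs block, so the stored string reads as ideographs.
const BASE = 0x4e00;
const BITS = 14;
const MASK = (1 << BITS) - 1;

function packToCjk(text) {
  const bytes = new TextEncoder().encode(text);
  // Two leading code units carry the byte length (up to 2^28) so the decoder
  // can discard the zero padding that follows the last real byte.
  let out = String.fromCharCode(BASE + (bytes.length >>> BITS), BASE + (bytes.length & MASK));
  let acc = 0;
  let nbits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b;
    nbits += 8;
    while (nbits >= BITS) {
      nbits -= BITS;
      out += String.fromCharCode(BASE + ((acc >>> nbits) & MASK));
    }
    acc &= (1 << nbits) - 1; // keep only the bits not yet emitted
  }
  if (nbits > 0) out += String.fromCharCode(BASE + ((acc << (BITS - nbits)) & MASK));
  return out;
}

function unpackFromCjk(packed) {
  const units = Array.from(packed, (ch) => {
    const u = ch.charCodeAt(0) - BASE;
    if (u < 0 || u > MASK) throw new Error('not a packed string');
    return u;
  });
  if (units.length < 2) throw new Error('truncated');
  const len = (units[0] << BITS) | units[1];
  const bytes = new Uint8Array(len);
  let acc = 0;
  let nbits = 0;
  let i = 0;
  for (let k = 2; k < units.length && i < len; k++) {
    acc = (acc << BITS) | units[k];
    nbits += BITS;
    while (nbits >= 8 && i < len) {
      nbits -= 8;
      bytes[i++] = (acc >>> nbits) & 0xff;
    }
    acc &= (1 << nbits) - 1;
  }
  if (i < len) throw new Error('truncated');
  return new TextDecoder().decode(bytes);
}

// Storage-facing wrappers: what looks like a plain setItem/getItem pair.
function storeObscured(storage, key, value) {
  storage.setItem(key, packToCjk(JSON.stringify(value)));
}
function loadObscured(storage, key) {
  const raw = storage.getItem(key);
  return raw === null ? null : JSON.parse(unpackFromCjk(raw));
}

// Constructed stand-in for window.localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// True when every code unit is in the CJK Unified Ideographs block.
function isAllCjk(s) {
  return [...s].every((ch) => {
    const c = ch.charCodeAt(0);
    return c >= 0x4e00 && c <= 0x9fff;
  });
}

// What a tester sees in dev tools versus what the shipped decoder recovers.
function demo() {
  const storage = memoryStorage();
  const session = { user: 'alice', role: 'editor', cart: [3, 7, 11] }; // constructed sample
  storeObscured(storage, 'session', session);
  const onDisk = storage.getItem('session');
  return { onDisk, looksCjk: isAllCjk(onDisk), recovered: loadObscured(storage, 'session') };
}
```

Running demo() in a browser with window.localStorage in place of memoryStorage() gives the dev-tools view from the rant; loadObscured is the same call the application itself makes, which is why this is obscurity rather than a security boundary.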
I think about adding a "We don't use cookies"-popup to our upcoming website rework.
Why not list other things? "We don't store your IP-address"-popup? Or "We use HTML"-popup?
-
I'M BACK TO MY WEBDEV ADVENTURES GUYS! IT TOOK ME LIKE 4 MONTHS TO STOP BEING SO FUCKING DEPRESSED SO I CAN ACTUALLY STAND TO WORK ON IT AGAIN
I learned that the linear gradient looks cool as FUCK. Honestly not too fond of the colors I have right now, but I just wanted to have something there cause I can change it later. The page has evolved a bunch from my original concept.
My original concept was the bar in the middle just being a URL bar and having links on the sides. If I had kept that, it would have taken me a few hours to get done. But as time went on when I was working on it, my idea kept changing. Added the weather (had a forecast for a while but the code was gross and I never looked at the next days anyways, so I got rid of it and kept the current data). I wanted to attempt an RSS reader, but yesterday I was about to start writing the JavaScript to parse the feeds, then decided "nah", ended up making the space into a todo list.
The URL bar changed into a full command bar (writing the functions for the commands now, also used to config smaller things, such as the user@hostname part, maybe colors, weather data for city and API key, etc). Also it can open URLs and subreddits (that part works flawlessly). The bar uses a regex to detect if it's a legit URL (even added shit so I don't need http:// or https://), and if it's not, just search using duckduckgo (maybe I'll add a config option there too for search engines).
At this very moment it doesn't even take a second to fully load. It fetches weather data from openweathermap, parses it, and displays it, then displays the "user" name grabbing a localstorage value.
I'm considering adding a sidebar with links (configurable obviously, I want everything to be dynamic, so someone else could use my page if they wanted), but I'm not too sure about it.
It's not on git yet because I was waiting until I get some shit finished today before I commit. From the picture, I want to know if anyone has any suggestions for it. Also note that I am NOT a designer. I can't design for shit.
-
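The command bar's URL-or-search decision from the rant above, as an added JavaScript example that is not the poster's code. It leans on the URL parser instead of a hand-rolled regex for anything that carries a scheme, assumes https for bare hosts, and allow-lists http/https before anything is handed to window.open, so typed or pasted javascript: and data: inputs become a search instead of executing in the page. The r/ subreddit shorthand, the DuckDuckGo endpoint and the names resolveCommand and parseUrl are assumptions.

```javascript
// Added example, not the poster's code: turn command-bar input into a
// navigable URL, a search URL, or nothing. Schemes are allow-listed so that
// "javascript:..." or "data:..." typed into the bar can never reach window.open.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const SEARCH_ENDPOINT = 'https://duckduckgo.com/?q='; // assumed default engine
// Bare host: dotted labels, an alphabetic TLD, optional port, optional path/query.
const BARE_HOST = /^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?(?:[/?#].*)?$/i;

function parseUrl(text) {
  try {
    return new URL(text);
  } catch (e) {
    return null;
  }
}

function searchFor(text) {
  return { kind: 'search', href: SEARCH_ENDPOINT + encodeURIComponent(text) };
}

function resolveCommand(input) {
  const text = input.trim();
  if (text === '') return { kind: 'noop', href: null };

  // Subreddit shorthand (assumed syntax): "r/name" opens the subreddit.
  const sub = /^r\/([A-Za-z0-9_]{2,21})$/.exec(text);
  if (sub) return { kind: 'url', href: `https://www.reddit.com/r/${sub[1]}/` };

  // Input with a scheme: keep it only if the scheme is on the allow-list.
  let url = parseUrl(text);
  if (url) {
    return ALLOWED_SCHEMES.has(url.protocol) ? { kind: 'url', href: url.href } : searchFor(text);
  }

  // Bare host such as "example.com/path": assume https, then re-validate.
  if (!/\s/.test(text) && BARE_HOST.test(text)) {
    url = parseUrl('https://' + text);
    if (url && ALLOWED_SCHEMES.has(url.protocol)) return { kind: 'url', href: url.href };
  }

  // Everything else is a search query.
  return searchFor(text);
}
```

In the page, the caller would do `const r = resolveCommand(value); if (r.kind === 'url') window.open(r.href)`; the allow-list lives in resolveCommand so there is exactly one place where a string becomes a navigation target.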
Okay, mine is actually mildly interesting.
I was, at the time, obsessed with operating systems. The only thing I knew how to do (and I only knew how to do it poorly!) was make websites. And thus, Frames(TM) was born.
It was really labored for what it was. The whole thing worked off iframes to create different "Windows" which you could drag around the screen in a typical window-based environment. It had a start menu (Without search - I wasn't that good yet), task bar, background image, the whole 9 yards.
Some highlights from that project:
- Not hosted anywhere. Everything was file:/// protocol
- Originally, everything was statically created, and I learned about document.createElement during this project
- To communicate between the "Operating system" and the different frames, I used localStorage, which was continuously exec'ing anything it could find. Smart smart boi.
- Of course, the only thing available was web storage. The "Hard drive" was about 5MB, and if you cleared browsing data, goodbye everything!
Hours and hours happily dumped into that project, but I am definitely happy it is gone forever.
-
Today another story in this stupid company:
A freelancer created a feature to pay orders online. It took him 3 months (!)
Problem: sometimes people pay, but orders are not stored. Every morning, it takes 1 hour to check in the db if the orders are stored, and if not, create them manually.
Yes, orders are created after payment.
Manager wants to fix it by creating the order before the payment, in 3 days (!)
Turns out that the freelancer has written a lot of obsolete code, I now have to clean up. 3 fucking months vs 3 fucking days!
And on top, the shopping cart was stored in localstorage! (Already fixed by now)
Fuck this, I'm getting another vodka
-
it was not a technical interview.
just screening.
guy: tell me smth about redis.
me: key value, in memory storage.
guy: more
me: umm, the concept is similar to localStorage in browsers, key value storage, kinda in memory.
guy: so we use redis in browsers?
me: no, I mean the high level concept is similar.
guy: (internally: stupid, fail).
-
The platform my school is using was obviously designed and developed by people who hate students.
I've seen the teacher panel, and it looks really intuitive, allowing you to see test scores, missing assignments, attendance records easily, and it was obviously well thought-out.
However, the UX as a student is a goddamn nightmare.
First of all, there's like 5 different places where an instructor can post an assignment, so good luck keeping track of your work
Second of all, there's no way to sort assignments by completion status or due date. Just by when assigned
Third of all, the only way to see your grade in a class is if you dig through a series of menus and submenus and sidebars so complex and stupid it puts the Jira UI to shame
And finally, one of the 'features' of this platform is that students can submit a textbox with markdown formatting natively on the platform. And that should work great and all, but APPARENTLY THE FUCKING DEVELOPERS HAVE NEVER HEARD OF LOCALSTORAGE AND YOU JUST LOSE YOUR WORK IF YOU EVER CLOSE THE TAB FOR ANY REASON!
WITH NO FUCKING WARNING! NOT EVEN A LITTLE JAVASCRIPT ALERT OF ANYTHING!
JUST POOF! AN HOUR OF WORK GONE! YAY!
In conclusion, fuck you
-
"Wow, you knows how to hack the system"
Me: Well... I was one of the creators of that system...
Me inside: Please don't use localStorage ever again
-
I inherited a nextjs project from an unknown guy and am fangirling the codebase
But the deeper I familiarise myself with it, the more the cracks begin to appear:
1) The dude is incapable of grasping the basics of the DRY concept. He actually set up a ton of stuff I may have done poorly if I'd started working straight out of the docs, so I feel like I owe him a shower of praise. I guess being new to nextjs makes it look more impressive than it actually is. He was paid off, yet getting the credit seems unearned to me. I'm just afraid reaching out to him might turn around to bite me in the ass
***
I had the above in my drafts, contemplating sending him a token to show some appreciation for unknowingly showing me the ropes. I was going to find him on LinkedIn using his commit names. But after doing everything I've done, undergoing the anxiety and severe pressure I faced at the hands of the project owners, I'm not sharing a farthing with anybody
Yes, I may not have known about zustand and persist middleware. Yes, he did all the ui. Yes, he created the base components and fancy wrappers around form and button html elements. For those, I'm grateful
But the amount of refactoring I had to do to, for an opportunity to implement my own target features, I'd say I can lay as much claim to the project as he does.
Side note #1: I have some newfound respect for front end devs. We used to discriminate against them for doing just css but that was only relevant in the jquery days. Now, they have to use cryptic css frameworks (sass, less, tailwind), they have to learn esoteric syntax of some js framework and write controllers/components as the case may be. They have to (the worst part), bind this data to an API, which would never make sense to me coming from a php ssr-natural world
Back to rewarding the guy, some of the challenges I came back from were:
1) Next server outages: I still don't know the workaround for this. The app terminates, the browser giving an error about using up memory. I have to wait for about 10 minutes before I can access the app again
2) Spring WebFlux authentication not hydrating: I was unexpectedly asked to work on the back end too, where I got tortured with this horrifying condition. The most poorly documented framework for the web has no up-to-date guide on how to implement JWT security measures. I opened a question on StackOverflow. A day later, both my question and the helpful answer got downvoted
3) Zustand not retrieving any data from localstorage once page reloads, until I miraculously stumbled on a hack: there's a config callback for reading state after rehydration or thereabout. So I interact with the state there. That's the only way content clearly in localstorage can get transmuted into dynamic format accessible by the code
4) Mongo database suddenly disconnecting: for no apparent reason, this bailed. Accessible on compass. This was even when I realised it was responsible for front end requests not going through. Eventually created a new database and requests surprisingly began connecting again. Thankfully, my laravel background taught me about seeders so I had them on standby from the onset. Wasn't difficult to just port to a fresh database after confirming the first one was inaccessible to the app
After this painful odyssey and the time constraints, threats of moving forward with someone else, I deserve every dime they deem me worthy of and more
-
It's incredible how many sites don't check / handle localStorage permissions... they usually just completely break.
That is, they use a div to block the view despite the page usually still working...
There literally is an API to check for permissions...
-
So past week our Web Design teacher proposed a little HTML5 project for the class to make. I have been since that day until today trying to implement an OBLIGATORY drag and drop functionality to reorder a list and back it up to localStorage, but for some reason it won't work as it should. But what a surprise, today I arrive at class and he has changed the specifications of the project, allowing us to not implement that, or implement it differently. That single-handedly made my day.
-
So I'm looking for a tutorial somewhere to manage auth with react.
I have passport local setup with jwt in express, but looking to manage users in the front-end, managing the user state app wide, logging out, protected routes etc.
I've done some searching around but I can't see anything too concrete. Any pointers or articles would be great.
I was thinking of localStorage but not sure how to go about setting that up with react.
-
Here we go. GDPR(?) again.
Don't know where to ask this kind of stuff, SO is prolly too much and from my experience, you guys here always gave the best answers to stuff..
I'm currently working on a website as a project for finals (it's called Maturita/SOČ here :/) and it's supposed to be a dashboard where teachers can add some info about upcoming stuff and shit like that. Few things: No frameworks, just JS, PWA and Firebase. I've been hearing a lot of stuff about GDPR that I should comply with it and so on.
Here's the question: It's PWA and the data is currently stored in localStorage and planning to sync it to Firebase. What I store is name of the school, few URLs they enter in and the information they provide, like the upcoming events and such. Should I worry about GDPR in this case, and if so, what can I do?
-
How does Microsoft expect anyone to develop using any technology they introduce with so many limitations?
Moi, a dumb Microsoft enthusiast, said to myself: hey dude, you are a developer, stop whining about the app gap, bust a move, create a decent array of apps and release them. Went into full project management mode, wrote requirements, did sketches and some prototypes, time to execute.
1. First app: image file organizer, viewer, with some light editor capabilities and album creator. After some work I came to discover that you don't have proper file system APIs to show a folder tree view in my app. "WTF". There are workarounds and dirty solutions, but seriously? I can only access the stupid media folders created by Microsoft and that's it.
So I ditched the apps until UWP becomes a development tool with a target audience other than kids who eat crayons, and while using "Edge" I thought to myself: "you know what dude, extensions are cool and if you do something like a speed dial it would be awesome".
Fired up my text editor, started writing my extension, to discover that:
"you cannot use localStorage from local HTML files".
Moral of the story:
MS is failing with consumers not because people hate MS but rather because MS hates itself. Like, no engineer over there said to himself "this is fking stupid"?
Other limitations:
no proper system tray access
no registry access whatsoever
And I started 2 days ago.
Yeah MS, this is the main app gap problem: UWP sucks big time compared to Android Java, which has great access to every aspect of the device. Even Apple provides better APIs for their systems.
If UWP is MS's future then RIP MS.
Please, I stand corrected if anyone knows better.
-
Last fight was with a teammate. He turned so paranoid about using JavaScript. He says that using tools from the browser like localStorage is a risk and can fail easily. (The detail here is: if you ask him what ES6 is, you blow his mind)
-
The worst thing about cookies is that almost all pages forget / don't realize you have to handle cookie (-> localstorage) permissions!
-
Thanks to @olback I learned about localStorage today. Excited me started to implement this. After half of the refactoring was done I had the brilliant idea to test it with the intended IE11 after everything was fine with Firefox. Only to find out localStorage is not supported for local sites.
fml
-
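For the two rants above that run into localStorage being blocked or unsupported (the one about sites not handling storage permissions, and the IE11/local-sites one), an added JavaScript example that is not code from either poster: probe localStorage inside a try, because the property getter itself, setItem (quota) or getItem can throw, and fall back to an in-memory store while telling the caller that nothing will persist, so the page can say so instead of breaking behind a blocking div. The candidate parameter is a function so the probe can be exercised with constructed stand-ins under Node; in a page you would call getStorage(() => window.localStorage). probeStorage, getStorage and memoryStorage are hypothetical names.

```javascript
// Added example (not from either rant). Storage access is probed, never assumed.
function probeStorage(candidate) {
  try {
    const storage = candidate(); // the getter itself may throw (SecurityError)
    if (!storage) return null;
    const probeKey = '__storage_probe__';
    storage.setItem(probeKey, '1'); // throws on quota / read-only storage
    const ok = storage.getItem(probeKey) === '1';
    storage.removeItem(probeKey);
    return ok ? storage : null;
  } catch (e) {
    return null;
  }
}

// In-memory fallback with the same three methods the app uses.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Returns { storage, persistent }. persistent === false means data will not
// survive a reload; the UI should surface that rather than pretend otherwise.
function getStorage(candidate) {
  const real = probeStorage(candidate);
  return real
    ? { storage: real, persistent: true }
    : { storage: memoryStorage(), persistent: false };
}

// Constructed stand-ins for the situations seen in the field.
const blockedAccess = () => { throw new Error('SecurityError: The operation is insecure.'); };
const quotaExceeded = () => ({
  getItem: () => null,
  removeItem: () => {},
  setItem: () => { throw new Error('QuotaExceededError'); },
});
const working = () => memoryStorage(); // stands in for a healthy window.localStorage
```

Because getStorage never throws, the rest of the application can be written against one storage object; the only branch the page needs is on `persistent`, for a notice that settings are not being saved.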
Since my question, in all likelihood, won't get answered on StackOverflow, I hope I can ask it here instead. I hope that's alright.
So, I am currently developing a Feathers + Nuxt boilerplate, and am using localStorage to store the jwt.
But I noticed if I set the localStorage with the jwt manually, it will act as if I'm logged in, bypassing the entire login function. So I solved this by using an iframe with a script that clears localStorage (and logs out the user, if logged in) when something changes in the localStorage (by using the "storage" event listener). (I am also observing the iframe, so if someone deletes it in the console, it re-inserts itself.)
My question is if this would carry any security risks? Like, would this be a bad thing to do, security-wise? Is it alright to leave it alone and let users/visitors set the jwt manually?
-
I understand way too little about web data types. While having to store a shitload of data in cookies (sorry for that, no localstorage for local sites, insensitive though) I was so proud of compressing strings with bitshifting only to find out that URI encoding bloats Chinese characters massively. fml
-
Just finished connecting my task manager (to-do list basically) using (AngularJS, PHP) to my back end (it used localstorage previously, now uses PHP and MySQL). Now I can log in, register new users, create new tasks, set as priority.