Details
Skills: php, CakePHP, JavaScript, Node.js, Meteor.js, HTML5, CSS3, MySQL, MongoDB
Location: Romania, Bucuresti
Joined devRant on 6/14/2017
-
Hey man, welcome to Romania. If you pass through Bucharest and wanna grab a beer or something, give me a ping on Telegram @balaianu :)
-
As long as I'm not naked and I get shit done, all is good in the hood. :P
-
@Fast-Nop @dfox report the bug on GitHub :)
-
@shelladdicted it seems there are multiple #1 rules...
Mine was "never deploy on a friday". What's yours? :p -
@ScribeOfGoD Laravel is cool, but I really like CakePHP. The 3.x version is really good.
-
Star, watch and ++
Good job man! -
Ragequit :)
-
@TheOct0 not at all, it would be an awkward silence kinda show. Keeping it close to the real thing :))
-
This could be the first scene of "The dev live", the new show they should make about you and your colleagues :))
It would be an instant hit! :)))) -
We could have a field for the profile in which to add the tech we use or are good at, and that could act like group tags or something
-
@inaba Imagine getting a 200+ pages security test report, that basically lists more than half of the accessible URLs for the app and marks half of that as vulnerable to XSS attacks.
Yes it gives request headers data and response headers, but no data on what part of the page the vulnerability manifests in.
Add to that that most of these could be false positives, as we have already implemented the XSS prevention stuff for basically the whole app.
Also consider that when trying to reproduce the attack based on the report data you find nothing wrong, but since this is the third report mentioning these pages as vulnerable, you start doubting yourself.
What do you do?
In the end I asked for the live db dump and I found it.
The language change link generator uses db records for the alternative language URLs based on custom slug data. If it does not find any, it switches to GET param based URLs with the current URL and the lang to switch to.
On the testing version we had a pretty close version of the db, but in prod some records were missing for page slugs.
So the link generator was returning an edge case version of this link, that was not filtered for XSS, and the template language apparently wasn't configured to filter this correctly.
No-one knew, because we would always get the correctly filtered, slug based links...
So the attacks went through in those cases.
It's fixed now, but man is it a pain in the ass debugging this shit!
Oh, and did I mention that only some of the attack requests were manifesting the problem? -
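The fallback path described in the rant above, reconstructed as an added example (not the rant author's code): a language-switch link generator whose slug branch is escaped while the GET-param fallback is not, next to a hardened version that encodes the URL and escapes the attribute on both branches. The slug table, page ids, base origin and helper names are assumptions for the demo.

```javascript
// Added example, not code from the original post. Slug records, page ids and the
// base origin are constructed for the demo.

// Minimal HTML escaper standing in for the app's "XSS prevention stuff".
const HTML_ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESC[c]);

// Constructed slug records: 'about' has a custom German slug, 'contact' has none,
// mirroring the prod db where some page slug records were missing.
const slugs = { about: { de: '/de/ueber-uns' } };

// Vulnerable version: the slug branch is escaped, but the GET-param fallback embeds
// the request-controlled current URL straight into the href attribute.
function langLinkVulnerable(pageId, currentUrl, lang) {
  const slug = slugs[pageId] && slugs[pageId][lang];
  if (slug) return `<a href="${escapeHtml(slug)}">${lang}</a>`;
  return `<a href="${currentUrl}?lang=${lang}">${lang}</a>`; // raw, no escaping
}

// Hardened version: build the fallback with the URL API so path and query are
// percent-encoded, then HTML-escape the attribute value on *both* branches.
function langLinkSafe(pageId, currentUrl, lang) {
  const slug = slugs[pageId] && slugs[pageId][lang];
  let href;
  if (slug) {
    href = slug;
  } else {
    const u = new URL(currentUrl, 'https://example.invalid'); // assumed base origin
    u.searchParams.set('lang', lang);
    href = u.pathname + u.search; // site-relative: drops any foreign origin too
  }
  return `<a href="${escapeHtml(href)}">${escapeHtml(lang)}</a>`;
}

// Regression check for a test suite: a generated link must be exactly one anchor
// whose href and text contain no raw quote or angle bracket. A payload that breaks
// out of the attribute makes this fail, which is what the pentest report could not
// pinpoint.
function isWellFormedLink(html) {
  return /^<a href="[^"<>]*">[^<>"]*<\/a>$/.test(html);
}
```

Running both generators over a page that has a slug record and one that does not shows why only some of the reported requests reproduced: the slug branch is clean in both versions, the fallback only in the hardened one.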
@inaba there are some edge cases for url based injections in this application when generating language change links.
The template language was not able to perform cleanup for that specific case and it took a lot of time to find the culprit... -
@inaba yeah, but not for all types of XSS attacks...some of which could be mitigated by default...
-
@Bitwise the short answer: get a challenge for yourself.
Choose something to strive for, something you don't really know how to achieve.
Put in the work, bang your head against it, get some changes... -
@Bitwise in my view of the world, there are, for the most part, no good or bad experiences, just events and the way we cope and understand them.
People get so caught up in their own heads that they forget how to be objective about themselves, and start spiraling inside the thoughts they create about the events they experience.
This seems to be why so many feel that life is hard, or unfair.
There is no 'fair', there is no 'just', life is not picking on anyone. There is cause, there is effect, and there is action and reaction.
This might seem cold, but thinking like this, I rarely find myself depressed or need to blame life or anything else for anything.
This is really very close to happiness, more than most people think...
There are, of course, tragic events that deserve emotional energy and are natural for us as living beings, and more so as humans, but most of life should not be taken too seriously.
As in the words of a great spiritual leader from my childhood: "Hakuna Matata!" :) -
Not busy? Is that a new feature? Or a bug? :))
-
Crash & burn
:) -
I still have my projects from high school, from when I was just learning the basics of programming...
Nostalgia trip :) -
@2lazy2debug I have no stickers either... Life is cruel :p
-
Just move to another editor... Sublime Text always works for me
-
Did they find your devRant account? :)
-
@endor oh, please share :D
-
People had an Excel file storing every password to every account on every platform, for the whole company...
Including root access to all servers, and also emails.
All in plain text, of course...
A client... -
@Wombat I've had a good experience with it, better than other database clients at least
-
@DarkMelchiah well, that should not be normal either :p
-
@DarkMelchiah editors should be invisible when using them. If they take attention from what you are trying to do using them, in any way, that is already a problem
-
Also take a look at DBeaver.
-
Once we did an entire awareness campaign for a kid with leukemia at work. The whole company also donated to his cause.
Best feeling ever!
My advice, do it!
Also, you will make new friends this way :) -
scroll up
scroll down
scroll up
scroll down
scroll...
is this wrong? :)) -
Sublime Text FTW!!! :)