What could possibly go wrong. Little Bobby Tables would be proud.
Lmfao
Exposed deprecated cred-inclusion URI format, wheeeee
And the db name is short for “analysis”, of course
🤓🫠
And the db name is short for “analysis”, of course
This person was probably a scientist (of any kind).
Stop over-engineering shit, just do everything client-side like McDonald’s: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities
My friend who helped me research the OAuth vulnerabilities was let go for “security concerns from corporate”
Good old shooting the messenger.
I mean, they were an employee who was exploring security vulnerabilities with a non-employee who has a blog. I would have fired them too.
It is indeed a very risky move without a lot to gain for him personally. But I could guess McDonald’s would have forced him to ignore it and shut up about it if he disclosed this to the higher ups himself, in which case I would have gladly left myself instead.
I got dumped with fixing some bugs in a project written by a contractor who had literally done this but with extra steps.
Backend was sql server and c#/asp.
There was an api endpoint that took json, used xslt to transform to xml. Then called the stored procedure specified in request passing the xml as a parameter.
The stored procedure then queried the xml for parameters, executed the query, and returned results as xml.
Another xslt transformed that to json and returned to the client.
It was impressive how little c# there was.
Despite holding all the business logic, the sql was not in source control.
Seems very secure. As in job security. Because why the fuck did they make it so complicated.
Yeah, maybe the contractor thought he’d get more work fixing it but he was long gone by the time I got it so i never met him
One of bugs I got was performance because the search didn’t work, with about 600,000 assets in database it would timeout searching for one by exact match on ID. It took 45 minutes to return 1 result.
Does ReST mean anything anymore? It was originally a set of principles guiding the development of the HTTP 1.1 spec. Then it meant mapping CRUD to HTTP verbs so application-agnostic load balancers could work right. And now I guess it’s just HTTP+JSON?
The meaning of words can change yes.
https://www.merriam-webster.com/wordplay/words-that-used-to-mean-something-different
I understand it for normal words. But for an acronym? About a body of technical research? How are we supposed to refer to the thing that Fielding meant when he coined the term?
Lots of technical terms are used quite loosely I think. If you ask 10 people what a compiler is, or what functional programming is or what goes where on the OSI layers you’ll get different answers.
It’s not practical but that’s the world we live in.
I did this just to reduce network latency. It’s not for public use, and tbh, I don’t think you can even get at it from outside the VPN.
Pentesters: “Bet”
I haven’t been down to test their public wifi in the cafe to see if that can access it.
The guy who installed it used to work for us and is a known clown, so it’s entirely possible.
Although if it is, there’s way worse things they can do from there. Like connect to the actual database for a start.
Does the database use the same authentication and permissions as the API? If the API authenticates against the DB with a technical user, it may be still be an exploitable vulnerability for people who can’t access the DB directly but can access the API. I don’t know what database it is, what other databases run on the same server and what privileges might be achievable or escalatable, but generally “there are worse weaknesses” isn’t a solid security policy.
You could give me a VPN access and I’ll take a look around :p
(Please don’t, actually – in case it needs to be said, running pentests on prod is a dangerously bad idea already even before we get to the whole “trusting a stranger on the Internet just because they sound sorta knowledgeable” issue)
Why not?
We did that for a Plotly dashboard in Python. We copied the database into a read-only in-memory sqlite database (it is quite small, only a couple thousand entries) to prevent any damages outside the dashboard. The data only gets updated every couple of days. You could skip this step. Then with sqlite you can restrict what action a query can use (SELECT, JSON, etc.) and you can restrict the instructions per query to prevent denial of service. It works like a charm and is much simpler than providing a REST API. Also the user might already know SQL.
I am actually planning something similar for a task management web app I am building at the moment (additionally to providing a REST API). No need to learn another query language like in Jira.
