Comments
spacem: If it were me I probably would just fix it. After working 3 years on a system, don't you take ownership and responsibility for its shortcomings?
@spacem that was only the root of the problems. There is no sort of access control at all, and looking at the HTML you can figure out which pages and endpoints you can call.
@spacem but I learned from it; the next web project had a strict line between front end and back end, and every call to the back end required a login (with whitelisted exceptions). Hibernate prevents SQL injection, React prevents XSS, and access control exists. Apart from XSRF, everything turned out good.
coolenaab: Everyone says they want security, but implementing it can't take up any resources that they could otherwise translate into profit or sales if used for something else.
@YouAreAPIRate Add Keycloak to this stack and you have mine (including CSRF protection).
Btw. injection flaws such as SQL injection are still the #1 security flaw according to OWASP.
https://owasp.org/index.php/...
On my first day at work I was given the task to rewrite some code. I pulled the code, started the server and was greeted with a login page. Instead of asking for credentials I tried good ol' " OR 1=1;#. Instant login, admin account. My boss was baffled, but instead of fixing this he decided other tasks had "higher priority". 3 years later, this still exists. I also heard some client runs the application open on the internet.
Everyone wants security, but some people decide to pull out the bottommost card in the fragile house of cards of security.
rant
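The login bypass in the rant and the parameterised fix the later comments allude to, as an added example that is not code from the rant's application: a constructed in-memory SQLite table, a login check that pastes input into the SQL string, and the same check with bound parameters. The rant's payload uses double quotes and MySQL's `#` comment; the SQLite flavour below uses single quotes and `--`, which is the same flaw.

```python
import sqlite3

# Constructed demo data: one admin account in an in-memory database.
# Plaintext passwords are kept only to keep the example short.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    return db

def login_vulnerable(db, username, password):
    """The kind of login check the rant describes: user input is pasted
    straight into the SQL text, so quotes in the input rewrite the query."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return db.execute(sql).fetchone()

def login_fixed(db, username, password):
    """Parameterised query: the driver passes the values separately from
    the SQL text, so the same input is compared as a literal string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()

def demo():
    db = make_db()
    # SQLite flavour of the rant's " OR 1=1;# (single quotes, -- comment)
    payload = "' OR 1=1 --"
    return {
        # concatenation: WHERE username = '' OR 1=1 --' AND password = ...
        "vulnerable_with_payload": login_vulnerable(db, payload, "anything"),
        # bound parameter: no user is literally named "' OR 1=1 --"
        "fixed_with_payload": login_fixed(db, payload, "anything"),
        # the fixed query still works for genuine credentials
        "fixed_with_real_creds": login_fixed(db, "admin", "correct-horse"),
    }

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
```

Run it and the vulnerable path returns the admin row without any valid credential, while the parameterised path returns nothing for the payload and the admin row only for the real password.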