| « Prev | Page 1 | Page 2 | Next » |
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 11:53, by CorporateFelon
I really wanted to believe that this monumental failure in security couldn't have been done by accident. I am actually at a loss for words.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 11:53, by SSilver2k2 (unregistered)
first post?
wow. I've seen people coding open-ended SQL injections like this (I even did it on a few of my own first lesson websites), but to not know that you can view JavaScript from a browser, that's scary
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 12:00, by Cyrus (unregistered)
Showing this to a DBA got a long silence, a gasp, then a long groan, pretty cool to watch.

Could we stop unregistered users posting in the first 3 comments? Would cut out the majority of the "fist!" posts.
And back on topic: Ugh, that code makes my skin crawl.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 12:23, by ForcedSterilizationsForAll (unregistered)
Here's an idea for those "first" posts, how about their IP gets blocked. :)
And that code is just sad. Maybe it was a contractor that did it. :)
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 12:24, by Ares (unregistered)
Wait wait wait... you view JavaScript code from the browser? Next thing you are going to tell me is that you can do the same thing with HTML.
Nice try guys, but April Fools was last month.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 12:54, by Ctrl_Alt_Kaboom (unregistered)
Someone should be beaten with a two-by-four for doing something *that* stupid.
What if this had been discovered by someone with malicious intent? *looks at self* Muhahahaaa! Captcha: craaazy. How appropriate.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 12:56, by Zemyla
It's true. And you know all those images on your web site? Someone can save those to their own computer as well. Even if you put in an anti-right-click script.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 12:58, by Badger (unregistered)
The "Real WTF" is surely that he complained to the company and they realised he knew what he was talking about and put him through to someone who could do something about it.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 13:14, by J (unregistered)
Not long ago, I was given the task of rewriting an ASP (VBScript) site created in 2003 that had been the victim of SQL injection attacks. The pages were passing querystrings like "user.asp?action=edit&id=1234" and "user.asp?action=add&username=foo". That was the worst SQL injection invitation I'd ever seen until today.
Just months before I was given this task, they were giving me a hard time about how my insistence on using things like type declarations and stored procedures was slowing down development time.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 13:15, by diaphanein (unregistered)
Those always piss me off. It's kind of fun to disable script, reload, save the file and then email the photo to the site's admins with "Your kung fu is weak."
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 13:24, by dolo54 (unregistered)
Nothing's worse than a client who insists that you make their site un-stealable. I've had "I don't want anybody lifting my copy. Put all the text in images so they can't copy and paste it." "But they could still OCR it, or have a secretary copy it." "Well that makes it harder, so do it anyhow." Btw - fortunately due to the current market I don't have to take jobs like that anymore. Whew, glad 2000 came and went.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 13:30, by Ben4jammin (unregistered)
Not long ago, we were in the process of implementing some HR software. Part of this was on a front end server that acted as a public web server (connecting to confidential HR data in the back end database, mind you). Long story short, they were having problems and decided the best way to fix it would be to put the IUSR_Servername (Internet guest account for anonymous access to IIS) in the local admin group on the web server. In a related story, our security guy now has a facial tic. Thankfully, we decided against using their software.
Moral of the story: Never assume someone wouldn't do something THAT stupid. Whatever THAT may be (SQL injection, escalated rights, etc.)
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 13:51, by SpiritOfGrandeur
IBM's manage now does this... or at least an older version did. I haven't looked into the most recent one.

Maybe they should just give users direct access to the database. "If you are placing an order, you must fill out the following tables with your information..."
And another step is taken towards 100% user-modifiable content. This is the future, folks.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 14:00, by Aaron (unregistered)
Moving JavaScript to a .NET back-end? That's so Web 1.0! I'll bet that delivery system has almost no Ajax at all now.
The "status" vs. "theStatus" differentiation is also a nice touch. I've seen people try to differentiate between classes and locals this way ("Session theSession = ..."), and that's bad enough, but doing it with two locals takes the cake. That should be a joy for anybody to maintain.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 14:05, by comejoyo (unregistered)
...... what the suck???? sucking culo

Really, I gotta say that, Alex, this is one of your lesser editing jobs. Really, the entire code section could have been taken out, and replaced with the phrase "And Moshe discovered that the SQL queries for the site were created using client-side JavaScript and were wholly vulnerable to SQL injection attacks".
A lot of code reading there for no purpose.

This sort of reminds me of when I first learned how to create ASP pages. I used an MS Access database and promptly placed it sans password onto the server in the root web directory. Then in my ASP database include file I wrote a nice HTML comment: <!-- get database from c:\www_root\db.mdb -->
There, now everyone who views the HTML source will know exactly how to download my open database. Perfect.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 14:20, by john doe (unregistered)
You're not actually reading all that code, right? To me, being confronted with this code greatly enhanced the "shock and awe" effect (i.e. my jaw dropped to the ground completely, instead of halfway only).
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 14:21, by Leo (unregistered)
And where's the shock and awe in that? You can't get a moan from a DBA with a text line... Seriously, I find most of the stories fun, even if I can't read the code. I'm an engineer, most of my work is in C or assembly, so SQL/JavaScript/<put-your-new-favorite-fancy-technology-here> is foreign to me. CAPTCHA: alarm - That should ring a bell, eh?
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 14:47, by bobbo (unregistered)
Is your CV online? We're hiring at the moment.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 14:57, by SuperousOxide
It's worse than that. Most browsers save that image to disk without even asking the user. Someone needs to do something about all these copyright-violating "caches"
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 15:00, by nobody (unregistered)
I like how IMDB does it. They make the real image the background and put a transparent image over it, so if you right-click and save you get a blank image. View source and a short effort finds the real image URL; cut and paste into a browser, and save the picture. Only worth it for the hottest women, though.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 15:20, by Feyr (unregistered)
i'm not even surprised.
one of the developers here was surprised you could see the password in the HTML source because he had set the field type to "password", that should have prevented it in his mind :\
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 15:32, by B (unregistered)
Hmm... where do they do that? Will it work if one uses Firefox+Adblock and blocks off the upper transparent image?
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 15:38, by Random832
The problem there is false positives. Fark.com turns any occurrence of "First post" to "Boobies" and knocks the timestamp to 24 hours in the future, and inevitably you see the occasional post that would make sense, in context, if the reverse transform is made to it. What you're suggesting is an even more severe negative consequence to something which, on a site where "ss" is converted to "B", will almost certainly be implemented in a "clbuttic" manner.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 15:44, by James Schend (unregistered)
> I like how IMDB does it. They make the real image the background and put a transparent image over it, so if you right-click and save you get a blank image. View source and a short effort finds the real image URL; cut and paste into a browser, and save the picture. Only worth it for the hottest women, though.

Every browser but IE has an easy way to get a hold of media embedded in the page without using right-click. In Firefox, it's called "Page Info" in Tools. Click Tools -> Page Info -> Media, and there's all the images laid out neatly for you. As well as any SWF or MP3s or whatever other media the page might have. In Safari, it's called "Activity" in the Window menu, IIRC. Point is, disabling the right-click menu, even if it wasn't easily circumvented, only works in IE in the first place. (The "Real WTF" is how few people seem to know about the Page Info window in Firefox.)

Hey this code is in fact 31337!
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 16:14, by henke37
To be fair, even Gecko-based browsers can have their context menu hijacked, if they allow it.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 16:19, by theteapot (unregistered)
Anyone heard of a browser detection script?
Disabling right-click can be done in all browsers: http://hyperdisc.unitec.ac.nz/materials/javascript/top10/disablerightclick.htm But, it's nice to know that the author of this script doesn't like right-click disabling as well! But, as far as I know, the major browsers all let you view HTML source, so it's entirely useless, unless you don't know anything about webpages. Oh. Probably the best way to hide images is to send a link via Ajax, and then set it as the background-image. Then it's not in the HTML source, and can't be found easily (like IMDB and Flickr). But even then, it can be picked up by Web Developer https://addons.mozilla.org/en-US/firefox/addon/60.
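The "Page Info > Media" window James Schend mentions above, and the overlay trick theteapot and nobody describe, both come down to the same fact: whatever the page renders is in the source the browser received. The following is an added example, not code from the article or from anyone in this thread, that does what that window does in a few lines of Python: it parses the HTML and lists every media URL it can find, including a real photo hidden as a CSS background under a transparent image. The sample page, its paths and the host name are constructed for the demo.

```python
# Added example: a minimal "Page Info > Media" in Python. It walks the HTML
# source and lists every media URL it can find, including background images
# hidden behind a transparent overlay. Not code from the article or the thread;
# the sample HTML below is constructed and the URLs in it are hypothetical.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# CSS url(...) values, with or without quotes
_CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.IGNORECASE)

# element -> attribute that carries the media reference
_SRC_ATTRS = {
    "img": "src", "video": "src", "audio": "src", "source": "src",
    "embed": "src", "object": "data", "iframe": "src",
}


class MediaExtractor(HTMLParser):
    """Collect absolute media URLs from a page's static HTML."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []           # in document order, de-duplicated
        self._in_style = False   # currently inside a <style> block?

    def _add(self, url):
        absolute = urljoin(self.base_url, url.strip())
        if absolute not in self.urls:
            self.urls.append(absolute)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        attr = _SRC_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._add(attrs[attr])
        # An inline style="background-image:url(...)" is exactly where the
        # transparent-overlay trick keeps the real image.
        for match in _CSS_URL.finditer(attrs.get("style") or ""):
            self._add(match.group(1))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # url(...) inside a <style> block
        if self._in_style:
            for match in _CSS_URL.finditer(data):
                self._add(match.group(1))


def extract_media(html, base_url):
    """Return every media URL referenced by the static HTML, absolutised."""
    parser = MediaExtractor(base_url)
    parser.feed(html)
    parser.close()
    return parser.urls


# Constructed page that uses the overlay trick described in the thread:
# the real photo is a CSS background, a transparent GIF sits on top, and
# the right-click menu is suppressed. None of these URLs are real.
SAMPLE_HTML = """
<html><head><style>
  .thumb { background: url("/images/gallery/thumb_042.jpg") no-repeat; }
</style></head>
<body oncontextmenu="return false;">
  <div class="photo" style="background-image:url(/images/gallery/photo_042.jpg)">
    <img src="/images/blank.gif" width="300" height="400">
  </div>
  <div class="thumb"></div>
  <embed src="/media/trailer.swf">
</body></html>
"""

if __name__ == "__main__":
    for url in extract_media(SAMPLE_HTML, "https://example.invalid/title/"):
        print(url)
```

The one case this does not cover is the Ajax variant theteapot describes, where the URL is fetched after load and assigned to `background-image` from script: it is absent from the static source, but it still crosses the wire as a plain request and shows up in the browser's network log or any proxy, which is what the Web Developer extension is reading.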
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 16:23, by Andrew (unregistered)
Who would write a SQL client in JavaScript?!? That developer had to know less than nothing. Anyone around for 5 years knows the joys of JavaScript. First, it wasn't mature enough. Then, IE and Netscape fought over setting standards. Now, everyone knows how (and why) to turn JavaScript off in the browser. Also, the SQL strings make it harder to maintain the application. They waste bandwidth when only a few form values are really needed. Worse, every browser-cached JavaScript page has to be changed when the SQL rules do, which the server can't control.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 16:44, by SuperousOxide
Don't believe everything that you read. It works in Firefox and IE, but Opera will cheerfully pop up the context menu, even if you change your JavaScript settings to let JavaScript see the right click.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 16:48, by rjnewton
Not a bright idea. For one thing, many people move around to different publicly-accessible wireless networks, so blocking a particular IP would not block the poster for long. Secondly, many ISPs issue connections out of a shared IP pool, so blocking would block others on the same system, while blocking the offender only by chance.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 16:48, by serhei (unregistered)
> Showing this to a DBA got a long silence, a gasp, then a long groan, pretty cool to watch.

They probably committed suicide by holding their breath.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 17:05, by nixen (unregistered)
Oh, please then, enlighten me. 'Cause I sure don't know "why".
Really sharp point you got there. It might waste an entire 100 bytes! Heretics!!
Most semi-decent frameworks contain ways of controlling the script tags, and thereby client caches. Just informing you, since you don't seem to know.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 17:22, by RON (unregistered)
I am seriously hitting my head really hard right now.
I can't believe that I have to compete with these people for jobs. Worse yet: Management almost never knows what kind of WTF code these people are writing since they don't know what code does anyways, and they are happy if the devs just say "yes!" and do it, even if it's in a completely retarded way.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 17:55, by nwbrown
Or you could take a screenshot of the page, print it out, put the printout on a wooden table, take a picture with a camera, scan in the picture, and then email it to them! But yeah, disabling JavaScript is probably easier. Unfortunately I use the NoScript Firefox extension, so normally I never know the anti-right-click script is even there in the first place. As for this particular WTF, this is why we need to start insisting on some sort of certification for web developers instead of allowing the 15-year-old nephew of the VP of marketing to get the job. It's easy enough to learn enough web development to put together what appears to be a functional website, it's much harder to make one that actually does work.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 18:54, by Matthew (unregistered)
I guess I never noticed this little anti-right-click "trick" because I always just dragged the images I want to my desktop. Doesn't that work on Windows? captcha: kungfu (no, seriously)
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:06, by Mr Steve (unregistered)
Someone's been playing too much Counter-Strike ;D
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:09, by DKO (unregistered)
Doesn't work on Firefox 2.0.0.3 with dom.event.contextmenu.enabled=false. (At least some) distros provide Firefox with this set by default. UPDATE: oh yeah, if I release the button over the page and NOT over the menu option (which is where I would release it, I opened the context menu for that reason after all), it pops up a message box. For a moment I forgot the fact that the Mozilla developers are still retards; you still can take down the browser with an infinite loop of alert().
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:11, by nwbrown
Yeah, you are right. He probably should have written "anyone with half a brain knows how and why to turn off JavaScript by default".
100 bytes times how many millions of requests?
No, no framework controls client caches. Because no server-side code can control the client (i.e., the browser). The best they can do is request the browser do something. Whether they abide by that request or not is up to the browser.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:14, by Daniel Beardsmore
It does work, yes.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:27, by Sigh (unregistered)
Hm, not even ten posts to get the requisite "First post!", "Captcha = who gives a crap", and of course, "the real WTF is that I'm a pompous know-it-all"
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:41, by Jon (unregistered)
Oh no! The Cache-Control header is a lie! :( But seriously, nixen's idea here is that if you need to update "mylib.js", you instead create a new file, "mylibv2.js" and send back all new pages pointing to the new file. Just because you can't "control" browsers doesn't mean you can't trigger the desired behaviour in the ones that people use.
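What Jon and nixen are describing is the pattern now usually called asset fingerprinting: the HTML page is served with a short cache life and points at a script whose file name changes whenever its content changes, so a browser holding an old "mylib.js" is never asked for it again. The block below is an added example in Python, not code from the thread or from any framework; it derives the name from a content hash rather than a hand-maintained "v2" suffix, and includes a toy static handler to show which side gets which Cache-Control value. The file names, URL prefix and file contents are invented for the demo.

```python
# Added example: content-hashed script names so a browser's cached copy of
# "mylib.js" can never be served stale, the technique Jon and nixen describe.
# Not code from the thread; the file names, paths and contents are invented.
import hashlib


def fingerprint(content: bytes, length: int = 12) -> str:
    """Short, stable digest of the file's bytes; changes whenever the file does."""
    return hashlib.sha256(content).hexdigest()[:length]


def versioned_name(filename: str, content: bytes) -> str:
    """mylib.js + its bytes -> mylib.<hash>.js (same bytes, same name)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:                       # no extension at all
        return f"{filename}.{fingerprint(content)}"
    return f"{stem}.{fingerprint(content)}.{ext}"


def cache_control(for_fingerprinted_asset: bool) -> str:
    # The HTML page must be revalidated so it picks up new script names;
    # the fingerprinted file itself can be cached for a year because any
    # change produces a different URL rather than a stale hit.
    if for_fingerprinted_asset:
        return "public, max-age=31536000, immutable"
    return "no-cache"


class StaticAssets:
    """Registry mapping logical names to fingerprinted URLs, plus a toy handler."""

    def __init__(self, prefix: str = "/static/"):
        self.prefix = prefix
        self._by_logical = {}      # "mylib.js" -> "mylib.<hash>.js"
        self._files = {}           # "mylib.<hash>.js" -> bytes

    def register(self, filename: str, content: bytes) -> str:
        """Publish a file; re-registering with new bytes yields a new URL.
        Older fingerprinted copies stay servable so pages already loaded
        with the old <script src> keep working during a rollout."""
        name = versioned_name(filename, content)
        self._by_logical[filename] = name
        self._files[name] = content
        return self.prefix + name

    def url_for(self, filename: str) -> str:
        return self.prefix + self._by_logical[filename]

    def script_tag(self, filename: str) -> str:
        """What the (no-cache) HTML page embeds for the current version."""
        return f'<script src="{self.url_for(filename)}"></script>'

    def serve(self, path: str):
        """Return (status, headers, body) like a tiny static file handler."""
        name = path[len(self.prefix):] if path.startswith(self.prefix) else None
        if name not in self._files:
            return 404, {"Cache-Control": cache_control(False)}, b""
        return 200, {"Cache-Control": cache_control(True)}, self._files[name]


if __name__ == "__main__":
    assets = StaticAssets()
    old = assets.register("mylib.js", b"function q(s){return \"... WHERE s='\" + s + \"'\";}")
    new = assets.register("mylib.js", b"function q(s){return fetch('/api/q?s=' + encodeURIComponent(s));}")
    print(old, "->", new)
    print(assets.script_tag("mylib.js"))
```

The point nwbrown makes still holds: nothing here controls the browser. It only arranges that the one URL a browser may cache aggressively is a URL whose content can never change, and that the URL which does change (the page) is marked not to be reused without revalidation.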
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:42, by chrismcb
Since when did Alex start spelling his name "J A K E"? Sure there was probably more code there than needed to get the point across... But it REALLY gets the point across. How are the eyes now? Did the goggles do anything?
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 19:51, by htg (unregistered)
That is just horribly stinky, but sadly I can see how the barely educated and zero-common-sense programmers you see all too often could think that it was cunning. What happened to security courses, and best practices courses, and architecture courses, etc., at university?
The sad fact is, this just should not be happening, full stop. SQL injection aside, forming SQL statements is so clearly and obviously not a client-side behaviour that you'd have to be retarded to go down that path. I can understand server-side code that has SQL injection flaws - a brief demonstration and education about prepared statements usually sorts the people out and they never make the mistake again. However I don't think there's any redeeming for someone who forms SQL in client-side JavaScript.
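Two posts in this thread ask for the same demonstration: J's, about a site whose querystring values went straight into SQL and the stored-procedure argument that was dismissed as slowing development, and htg's, about how a short demonstration of prepared statements usually cures the habit. The block below is that demonstration as an added example, not the article's JavaScript or anything posted here: the same string-glued query the article built client-side, run against an in-memory SQLite database, beside the parameterised form. The tables, rows, the `orders`/`users` names, and the password strings are constructed for the demo.

```python
# Added example, not the article's code: the string-concatenated SQL the
# thread is laughing at, run against an in-memory SQLite database, beside
# the parameterised query that replaces it. Table names, rows and password
# strings are constructed for the demo.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, status TEXT);
        CREATE TABLE users  (username TEXT, password TEXT);
        INSERT INTO orders VALUES (1, 'alice', 'shipped'),
                                  (2, 'bob',   'pending'),
                                  (3, 'carol', 'shipped');
        INSERT INTO users  VALUES ('admin', 'hunter2'), ('moshe', 'letmein');
    """)
    return conn


def orders_by_status_unsafe(conn, the_status):
    # How the article's JavaScript built its SQL: the user-supplied value is
    # glued straight into the statement, so it can close the quote and append
    # SQL of its own. (sqlite3 refuses stacked statements, so "; DROP TABLE"
    # fails here, but tautologies and UNIONs work fine.)
    sql = "SELECT id, customer FROM orders WHERE status = '" + the_status + "'"
    return conn.execute(sql).fetchall()


def orders_by_status_safe(conn, the_status):
    # Parameterised: the value travels separately from the statement text, so
    # quotes and keywords inside it are data, never syntax. A stored procedure
    # called with typed arguments, as J argued for, gives the same guarantee.
    sql = "SELECT id, customer FROM orders WHERE status = ?"
    return conn.execute(sql, (the_status,)).fetchall()


# Two classic payloads: one that makes the WHERE clause always true, one that
# reads a different table through UNION and comments out the trailing quote.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password FROM users --"


def demo():
    """Return what each query variant yields for a benign value and both payloads."""
    conn = make_db()
    return {
        "unsafe_benign": orders_by_status_unsafe(conn, "shipped"),
        "unsafe_tautology": orders_by_status_unsafe(conn, TAUTOLOGY),
        "unsafe_union": orders_by_status_unsafe(conn, UNION_DUMP),
        "safe_benign": orders_by_status_safe(conn, "shipped"),
        "safe_tautology": orders_by_status_safe(conn, TAUTOLOGY),
        "safe_union": orders_by_status_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} {rows}")
```

With the value built in the browser, as in the article, the payload does not even need to be typed into a form field: the attacker edits the JavaScript that assembles the statement, or simply posts the finished SQL to whatever endpoint executes it.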
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 20:42, by Sir Brialliance
I think the right-click script war ended when someone discovered <body oncontextmenu="return false;"> I feel sad for the customers that want it - very sad.
Re: One-and-a-Half-Tiered Application Design, 2007-05-29 21:01, by Kris (unregistered)
*bangs head through table*

You mean his immediate and decisive action wasn't to quit and flee the country?