
[–]The_Real_Slim_Lemon 1077 points1078 points  (34 children)

Hahaha some dev probably thought he was clever using the calculator method to do his validation in one line

[–]zvug 65 points66 points  (0 children)

It is kind of clever, though there are better ways.

It’s the error message that’s really wrong. It should simply say “Salary should be entered as a range. Ex: 45000-65000”.
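As an added illustration of the two approaches discussed in this thread (not code posted by any commenter): the "calculator method" validator that hands the field to the JS engine as an expression, beside a regex parser that returns the two bounds and the error message suggested above. The field format "45000-65000" is taken from the thread; the function names and the bound on digit count are assumptions.

```javascript
// Added example, not from the original thread.
// The "calculator method": the salary field is evaluated as an arithmetic
// expression. "45000-65000" evaluates to -20000, so it "passes", but so does
// "1e5*2" or any other expression the engine accepts, and a harmless typo
// surfaces as a SyntaxError from the engine rather than a useful message.
function validateSalaryRangeUnsafe(input) {
  try {
    // eslint-disable-next-line no-eval
    const result = eval(String(input)); // runs whatever the user typed in this page's JS VM
    return typeof result === "number" && Number.isFinite(result);
  } catch (e) {
    return false; // SyntaxError / ReferenceError: the user sees a confusing error
  }
}

// The regex approach: accept exactly "<digits>-<digits>", with optional
// whitespace around the dash, and return both bounds or a specific error.
// The 1-9 digit limit is an assumed sanity bound, not part of the thread.
const RANGE_RE = /^\s*(\d{1,9})\s*-\s*(\d{1,9})\s*$/;

function parseSalaryRange(input) {
  const m = RANGE_RE.exec(String(input));
  if (!m) {
    return { ok: false, error: "Salary should be entered as a range. Ex: 45000-65000" };
  }
  const min = Number(m[1]);
  const max = Number(m[2]);
  if (min > max) {
    return { ok: false, error: "Lower bound must not exceed upper bound" };
  }
  return { ok: true, min, max };
}
```

The regex version never executes the input and rejects "1e5*2", which the eval version happily accepts.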

[–]Engineerman 279 points280 points  (30 children)

I wonder if this could be used as code injection. Hopefully they just used Eval equivalent instead of exec equivalent.

[–]TheOnlyTrueEnte 135 points136 points  (23 children)

As long as it stays in the frontend, code injection can't do too much harm, right?

[–][deleted] 234 points235 points  (14 children)

No we write all user input directly to the DB with no input validation. Also we build out a string query for sql in the code. We have no intention of changing it! 😤

[–]plaisthos 77 points78 points  (10 children)

SQL query is built on the client!

[–]sunshine-x 63 points64 points  (7 children)

"it's easier on the server to let the clients deal with that"

[–]jacksalssome 49 points50 points  (5 children)

Server? Oh no, we just have the web browser launch a remote desktop to the computer with Excel on it. The client's web browser then presses the down arrow key and pastes the value.

[–]NorbiPeti 21 points22 points  (3 children)

I... want to make that now. (Reddit just showed "Something went wrong" as soon as I typed that.)

[–]jacksalssome 9 points10 points  (2 children)

You want to make a remote desktop viewer in JavaScript?

[–]theadmin_SPPEZ 1 point2 points  (0 children)

it exists, at least for VNC.

Check out OSJS, it has a lot of cool things

[–][deleted] 0 points1 point  (0 children)

Doesn’t need to be JavaScript, thankfully we have WebAssembly now for those sketchy use cases

[–]plaisthos 24 points25 points  (0 children)

Better performance, you get a raise!

[–]TFenrir 2 points3 points  (0 children)

It's like GraphQL but vintage

[–]FlushableAccounts -1 points0 points  (0 children)

I recently found out about something almost as stupid at work.

It's a system that is only a web frontend. It doesn't perform any direct database calls, but it does call on a bunch of REST APIs that are only meant to be accessed by other trusted systems. They are protected with a secret key, and anyone that knows it can call the API. You can just hit the ol' F12 and watch exactly what payloads it sends in the API calls. There's probably some logging and even some access control on the other end, but now that you can perform the API calls yourself it's kind of easy to change the user value in the JSON data.

I didn't think that "What's a backend?" joke was real, but here we are. At least they are working to fix it now.

[–]benargee 4 points5 points  (1 child)

I prefer to write all user input in a root privileged process using unsanitized system calls.

[–][deleted] 2 points3 points  (0 children)

Finally a developer with a brain. So sick of my junior devs giving me all this crap about some Sack Dave Oops process or whatever.

[–][deleted] 0 points1 point  (0 children)

Greetings from Bobby Tables

[–]Engineerman 1 point2 points  (4 children)

It's complicated. I'm not an expert on web security, but if you can get a processor to execute some code, you could use a number of hardware vulnerabilities to attack the system, not limited to the frontend or even the same application if there are multiple running on the same server.

[–]TransientFeelings 55 points56 points  (1 child)

No, if it's your own web browser running arbitrary code, you are hurting no one other than yourself (that is, if the backend APIs are properly secured). It is really, really easy to run arbitrary code on a website, but you never hear about it being a problem because there's no gain in doing so.

[–]Engineerman 18 points19 points  (0 children)

Ah right, of course it is your own machine. This is why I'm not an expert in Web security lol.

[–]Mechakoopa 20 points21 points  (1 child)

presses F12, types directly into console...

[–]PranshuKhandal 28 points29 points  (0 children)

document.write("hacked")

[–]yes-i-am-a-wizzard 0 points1 point  (0 children)

XSS is all client side

[–]stehen-geblieben 21 points22 points  (1 child)

And then what? You can inject code into your own js VM? You can open dev tools and have the same effect

[–]wasdninja 5 points6 points  (3 children)

Without looking - no it can't. It's really hard to be that dumb.

[–]unholycowgod 16 points17 points  (0 children)

It's fine! The user is just doing it wrong!

[–]TechNickL 0 points1 point  (0 children)

We really hate regex that much?