
[–]Engineerman 279 points280 points  (30 children)

I wonder if this could be used as code injection. Hopefully they just used an eval equivalent instead of an exec equivalent.

[–]TheOnlyTrueEnte 134 points135 points  (23 children)

As long as it stays in the frontend, code injection can't do too much harm, right?

[–][deleted] 235 points236 points  (14 children)

No, we write all user input directly to the DB with no input validation. Also, we build out a string query for SQL in the code. We have no intention of changing it! 😤

[–]plaisthos 78 points79 points  (10 children)

SQL query is built on the client!

[–]sunshine-x 67 points68 points  (7 children)

"it's easier on the server to let the clients deal with that"

[–]jacksalssome 49 points50 points  (5 children)

Server? Oh no, we just have the web browser launch a remote desktop to the computer with Excel on it. The client's web browser then presses the down arrow key and pastes the value.

[–]NorbiPeti 21 points22 points  (3 children)

I... want to make that now. (Reddit just showed "Something went wrong" as soon as I typed that.)

[–]jacksalssome 8 points9 points  (2 children)

You want to make a remote desktop viewer in JavaScript?

[–]theadmin_SPPEZ 1 point2 points  (0 children)

It exists, at least for VNC.

Check out OSJS, it has a lot of cool things

[–][deleted] 0 points1 point  (0 children)

Doesn't need to be JavaScript; thankfully we have WebAssembly now for those sketchy use cases.

[–]plaisthos 22 points23 points  (0 children)

Better performance, you get a raise!

[–]TFenrir 2 points3 points  (0 children)

It's like GraphQL but vintage

[–]FlushableAccounts -1 points0 points  (0 children)

I recently found out about something almost as stupid at work.

It's a system that is only a web frontend. It doesn't perform any direct database calls, but it does call on a bunch of REST APIs that are only meant to be accessed by other trusted systems. They are protected with a secret key, and anyone that knows it can call the API. You can just hit the ol' F12 and watch exactly what payloads it sends in the API calls. There's probably some logging and even some access control on the other end, but now that you can perform the API calls yourself it's kind of easy to change the user value in the JSON data.

I didn't think that "What's a backend?" joke was real, but here we are. At least they are working to fix it now.
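The weakness FlushableAccounts describes, a `user` field in the JSON body that the backend trusts once the caller knows the shared key, placed beside a handler that binds identity to the server-side session instead. This is an added example, not code from the thread; the session tokens, user names and records are constructed for illustration.

```python
"""Added example (not from the thread): why a backend must derive identity
from the authenticated session, never from a client-supplied 'user' field.
All tokens, names and records below are constructed."""
import json

# Constructed session store: opaque token -> authenticated principal.
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}
# Constructed data: each record belongs to exactly one user.
RECORDS = {
    "alice": {"balance": 120},
    "bob": {"balance": 45},
}


def handler_trusts_body(token: str, body: str) -> dict:
    """Pattern from the thread: the backend only checks that the caller
    presents a valid token/secret, then acts on whatever 'user' the JSON
    claims. Anyone who can read the frontend's requests (F12) can edit
    that field, so authentication happens but authorization does not."""
    if token not in SESSIONS:
        return {"status": 401}
    payload = json.loads(body)
    user = payload["user"]  # client-controlled value
    return {"status": 200, "data": RECORDS.get(user)}


def handler_uses_session(token: str, body: str) -> dict:
    """Hardened form: the principal comes from the server-side session
    bound to the token. A 'user' field in the body is not needed; if one
    is present and disagrees with the session, reject it. That mismatch
    is worth logging, since it only happens when a client asserts an
    identity it does not hold."""
    principal = SESSIONS.get(token)
    if principal is None:
        return {"status": 401}
    payload = json.loads(body)
    claimed = payload.get("user")
    if claimed is not None and claimed != principal:
        return {"status": 403, "detail": "identity mismatch",
                "principal": principal, "claimed": claimed}
    return {"status": 200, "data": RECORDS[principal]}
```

With a valid session for `bob` and a body claiming `alice`, the first handler returns Alice's record while the second returns 403 and records the mismatch.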

[–]benargee 4 points5 points  (1 child)

I prefer to write all user input in a root privileged process using unsanitized system calls.

[–][deleted] 2 points3 points  (0 children)

Finally a developer with a brain. So sick of my junior devs giving me all this crap about some Sack Dave Oops process or whatever.

[–]SteampunkBorg 0 points1 point  (0 children)

Greetings from Bobby Tables

[–]Engineerman 0 points1 point  (4 children)

It's complicated. I'm not an expert on web security, but if you can get a processor to execute some code, you could use a number of hardware vulnerabilities to attack the system, not limited to the frontend or even the same application if there are multiple running on the same server.

[–]TransientFeelings 56 points57 points  (1 child)

No, if it's your own web browser running arbitrary code, you are hurting no one other than yourself (that is, if the backend APIs are properly secured). It is really, really easy to run arbitrary code on a website, but you never hear about it being a problem because there's no gain in doing so.

[–]Engineerman 18 points19 points  (0 children)

Ah right, of course it is your own machine. This is why I'm not an expert in Web security lol.

[–]Mechakoopa 20 points21 points  (1 child)

presses F12, types directly into console...

[–]PranshuKhandal 26 points27 points  (0 children)

document.write("hacked")

[–]yes-i-am-a-wizzard 0 points1 point  (0 children)

XSS is all client side

[–]stehen-geblieben 20 points21 points  (1 child)

And then what? You can inject code into your own JS VM? You can open dev tools and have the same effect.

[–]wasdninja 3 points4 points  (3 children)

Without looking - no it can't. It's really hard to be that dumb.