Prepping for tomorrow's interview. (I don't really have a lot of actual work to do.) It seems like one of their production sites is vulnerable to a CSRF attack, they aren't using a Content Security Policy (though they do take some steps for XSS attack prevention), and their CORS policy seems awfully permissive. I'm gathering some questions.
'War Stories'
Natter 76: Life, Liberty, and the Pursuit of Foaminess
Off-topic discussion. Wanna talk about corsets, duct tape, butt kicking, or physics? This is the place. Detailed discussion of any current-season TV must be whitefonted.
I really really dislike getting emails from teachers about work not being done. Last week was a nonstop push to get things done and turned in, and the whole time there was a long-term project he should have also been working on that he was not.
I think they are using AWS elastic load balancer cookies for their session id and they are readable by javascript. That doesn't seem good. And the cookies aren't marked as secure which also doesn't seem good.
Seven to ten propane tanks in a minivan in the parking garage adjacent to our loading dock. Three of the 4 corners surrounding the block were blocked off.
Hmmm.... I can trace their redux actions on a production site. That doesn't seem ideal either. They do address clickjacking though.
No e-mail validation. That's just weird.
Check your spam folder.
They just don't validate. OTOH, my simple XSS and SQL injection attacks are getting nowhere. That's good.
"Hi, you should hire me because I casually hacked into your system yesterday. Your security sucks. Here's the upcoming stock report from the CEO's draft folder."
Oh I'm just doing some gentle probing to see if I can find security flaws. They don't seem vulnerable to casual attacks, but I think there is some vulnerability to a determined attack.