Two years ago, something very strange happened to me while working from my home network. I was exploiting a blind XXE vulnerability that required an external HTTP server to smuggle out files, so I spun up an AWS box and ran a simple Python webserver to receive the traffic from the vulnerable server.

This article is a great example why you should use your own router instead of ISP provided one

  • Wispy2891@lemmy.worldEnglish
    2·
    5 months ago

    I’m not a programmer but is it normal that the login page contains the whole main JavaScript code of a logged in user?

    Also, what’s the point of having this kind of client side api? Because you can never trust the client shouldn’t be everything server side and only return a html page with the data related to your account?

    • moira@femboys.barOPEnglish
      2·
      5 months ago

      It doesn’t matter that website loads javascript code for logged in user, as you need a token (which server will give you after a successful login) to authenticate to apis, it is pretty common to do that way

      There wasn’t a client side API, but the API was missing crucial validation of user input (eg only checking the mac address but didn’t check who is actually authenticated)