I got dumped with fixing some bugs in a project written by a contractor who had literally done this but with extra steps.
Backend was sql server and c#/asp.
There was an api endpoint that took json, used xslt to transform to xml. Then called the stored procedure specified in request passing the xml as a parameter.
The stored procedure then queried the xml for parameters, executed the query, and returned results as xml.
Another xslt transformed that to json and returned to the client.
It was impressive how little c# there was.
Despite holding all the business logic, the sql was not in source control.
This is still over engineered. Just connect directly to the database from the client instead of having an API endpoint.
I thought that was the joke.
What could possibly go wrong. Little Bobby Tables would be proud.
Stop over-engineering shit, just do everything client-side like McDonald’s: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities
My friend who helped me research the OAuth vulnerabilities was let go for “security concerns from corporate”
Good old shooting the messenger.
I mean, they were an employee who was exploring security vulnerabilities with a non-employee who has a blog. I would have fired them too.
It is indeed a very risky move without a lot to gain for him personally. But I could guess McDonald’s would have forced him to ignore it and shut up about it if he disclosed this to the higher ups himself, in which case I would have gladly left myself instead.
GraphQL:
Lmfao
Exposed deprecated cred-inclusion URI format, wheeeee
And the db name is short for “analysis”, of course
🤓🫠
Analytics, most likely
And the db name is short for “analysis”, of course
This person was probably a scientist (of any kind).
But also, perhaps a proctologist
Does ReST mean anything anymore? It was originally a set of principles guiding the development of the HTTP 1.1 spec. Then it meant mapping CRUD to HTTP verbs so application-agnostic load balancers could work right. And now I guess it’s just HTTP+JSON?
it’s called microservice
I work with several people who would think this is a good idea.
When they push it to prod, and our WAF goes
403on every request, then suddenly it’s my problem to “fix”.Can I just say, I love that little round gif at the end. That look so cool
Thanks :)
My home instance has some top-shelf custom emojis, so I try to use them. Janeway’s eye roll gets a lot of mileage.
(one of my favorite memes)“I get why we have a WAF, but can’t you just, like, separate the good SQL injection from the bad SQL injection?” – Developers I work with 😆
I think that’s called “Heisenberg’s Uncertain SQL Injection Principle”
Unfortunately, our WAF appliances don’t have a Heisenberg compensator.
Are your coworkers 12?
/anal
That’s a backdoor
Hilariously enough, just today I read a blog post about a service where the client interacts with the database directly - https://clickhouse.com/blog/building-a-paste-service-with-clickhouse. While it’s not your traditional OLTP database, it still kinda fits.
grapql in a nutshell
And OData!
I knew a person that did this
I wish I could go back to rest apis. My company is all in on graphql and it fucking sucks so much ass.
Great idea. How can we submit this to all AI scrapers?
/cybersec red teamer
