btreecat 5 days ago
I still think of the lessons learned from a root traverse bug I accidentally coded into one of our internal apps as a jr dev. You could change the URL of the image and get any file off the system to download, as long as the service account had read access. Invaluable XP, and really glad everything was behind AD authentication and internal users were trustworthy enough and operating in a network-isolated context.
globular-toast 5 days ago
Yeah, having learnt very similar (if not the same) lessons myself the hard way, I see great value in being able to fail badly, but with low stakes. I catch loads of bugs like these from jrs before they hit prod, but I don't feel like they're learning the fundamentals of security like trust, sanitising inputs, least privilege etc.
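The bug in the first comment (an image URL that resolves any readable file) and the fundamentals the reply names (not trusting input, least privilege) come down to one check at the point where a request is turned into a filesystem path. The snippet below is an added illustration, not code from either commenter: it shows the unchecked join that produces the bug next to a hardened resolver that refuses anything whose real location is outside the image directory. The `/srv/app/images` root and the file names are constructed for the example; nothing is opened on disk.

```python
import os

# Constructed example base directory; it does not need to exist for the
# lexical checks below, and no file is actually opened here.
IMAGE_ROOT = "/srv/app/images"


def naive_image_path(requested):
    """The pattern behind the bug described in the thread: the user-supplied
    name is joined onto the base directory with no containment check, so
    '../' segments simply walk out of the image directory."""
    return os.path.abspath(os.path.join(IMAGE_ROOT, requested))


def safe_image_path(requested, root=IMAGE_ROOT):
    """Hardened version: resolve the final path (symlinks included) and refuse
    anything whose real location is not inside the real image root."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed file name")
    root_real = os.path.realpath(root)
    # os.path.join discards `root` entirely when `requested` is absolute,
    # so leading separators are stripped before joining.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    # commonpath is the containment test: it must be the root itself, not a
    # parent of it. Comparing string prefixes would wrongly accept
    # /srv/app/images-private for a root of /srv/app/images.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"refusing to serve {requested!r}: outside image root")
    if candidate == root_real:
        raise PermissionError("a file name is required, not the directory itself")
    return candidate


def is_allowed(requested):
    """Convenience wrapper: True if the hardened resolver accepts the name."""
    try:
        safe_image_path(requested)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    for name in ("logo.png", "../../etc/passwd", "/etc/passwd", "sub/../logo.png"):
        print(f"{name!r:22} naive -> {naive_image_path(name)}")
        print(f"{'':22} safe  -> {'allowed' if is_allowed(name) else 'refused'}")
```

Because the check runs on `realpath`, a symlink placed inside the image directory that points elsewhere also fails the containment test. The containment check is only half of what the first comment describes; the other half is the service account's read access, which is why the resolver should run under an account that can read the image tree and nothing more.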
lawlessone 5 days ago
Sounds like how WordPress used to be. Could explore all the folders and get any file of the site with something like website.com/content/2010/