• Web Development - WAYWO - #8
    5,514 replies, posted
I found a pretty serious XSS problem in a record label's video upload website by accident, emailed them with a proof of concept and they are reviewing security with their developers. Job well done I say. As long as they actually fix the issue.
[QUOTE=Tezzanator92;45561324]I found a pretty serious XSS problem in a record label's video upload website by accident, emailed them with a proof of concept and they are reviewing security with their developers. Job well done I say. As long as they actually fix the issue.[/QUOTE] Trust me 90% of the time big companies say they'll fix it but they won't
[QUOTE=Mega1mpact;45561367]Trust me 90% of the time big companies say they'll fix it but they won't[/QUOTE] Same with bugs you find. I think my dad once emailed a company called [url=https://www.ymlp.com/nl/]Your Mailing List Provider[/url] saying that emails containing http:// in front of their URLs didn't send (or something like that, I don't even know). He never got a reply. He mailed a second time, no reply. He tried to find a phone number but could find one, and finally he got a reply to one of his emails, saying they will fix it. Now a year later, no fix whatsoever. So he just changed to MailChimp instead.
[QUOTE=Cyberuben;45561915]Same with bugs you find. I think my dad once emailed a company called [url=https://www.ymlp.com/nl/]Your Mailing List Provider[/url] saying that emails containing http:// in front of their URLs didn't send (or something like that, I don't even know). He never got a reply. He mailed a second time, no reply. He tried to find a phone number but could find one, and finally he got a reply to one of his emails, saying they will fix it. Now a year later, no fix whatsoever. So he just changed to MailChimp instead.[/QUOTE] I've dealt with multiple big companies trying to inform them about critical 0days in consumer software they make. They give 0 fucks.
[QUOTE=Mega1mpact;45561994]I've dealt with multiple big companies trying to inform them about critical 0days in consumer software they make. They give 0 fucks.[/QUOTE] There are good examples to find though. Not just bugs or exploits, but also for support. i.e. CloudFlare's CEO just replies to questions on Twitter (he did it to me). MandrillApp mailed me back within 24 hours and answered all the questions I had in 1 mail (I asked them several things that were unclear in their knowledge base) without having to mail back as something was left unanswered.
[QUOTE=BoowmanTech;45561297]Is it possible to pass values into url? By pass I don't mean [url]www.xxx.co?name=BooHoo[/url] and then use echo $_GET["name"]. I mean the other way around, to pass into name values from the script, and retrieve it later if I need.[/QUOTE] I think you might be looking for a session. Do session_start(); then access $_SESSION as you would an associative array. Beware though: if you have any long-running processes, if the session is kept open it will block other pages using that session. I recommend using Zebra Session, this provides an SQL-based session.
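An added example, not code from the thread, of what the reply above describes: the value is kept server-side in $_SESSION rather than in the URL, and session_write_close() releases the session lock before slow work so other pages on the same session are not blocked. The key names and the simulated slow task are assumptions.

```php
<?php
// Added example (not code from the thread): keeping a value server-side in
// the session instead of the query string, and releasing the session lock
// before long-running work so other requests for the same session do not
// block. Key names and the simulated slow task are assumptions.
declare(strict_types=1);

session_start();

// Store values from the script; they never appear in the URL and the client
// only ever holds the opaque session id cookie.
$_SESSION['name'] = 'BooHoo';
$_SESSION['started_at'] = time();

// With the default file-based handler, session_start() takes an exclusive
// lock on the session file and holds it until the script ends. Writing and
// closing now drops the lock, so the slow task below cannot stall other
// pages that use this session.
session_write_close();

sleep(3); // simulated long-running process

// $_SESSION stays readable in this request after the close. To modify it
// again, reopen with session_start() before writing.
session_start();
$_SESSION['finished_at'] = time();
session_write_close();

// Retrieve it later (here, or on another page): escape before echoing it.
echo htmlentities($_SESSION['name'], ENT_QUOTES, 'UTF-8'), "\n";
```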
[QUOTE=Mega1mpact;45561367]Trust me 90% of the time big companies say they'll fix it but they won't[/QUOTE] [url=http://facepunch.com/showthread.php?t=1351764&p=43625437&viewfull=1#post43625437]haha what type of guy doesn't reply to xss emails[/url] [url]http://facepunch.com/fp_events.php?type=closed.png%22%20onload=%22alert(document.cookie);document[/url]
I set out to make a Twitter clone. Its design isn't great, the code isn't perfect either but it works... I guess. It doesn't implement MVC at all, I know that's bad. From now on, all my projects will be using AngularJS (I would have used Angular for this but I learnt Angular halfway through making it). Folder names aren't exactly correct either, I know. [URL="http://plexrp.co.uk/mysocial/"]Here it is[/URL]. Go nuts. Here's a few pictures: Home page: [IMG]http://i.imgur.com/CkJI4Xn.png[/IMG] Profile page: [IMG]http://i.imgur.com/XwNmINO.png[/IMG] Ignore the search box. I need to change it completely.
[QUOTE=Chizbang;45564725]I set out to make a Twitter clone. Its design isn't great, the code isn't perfect either but it works... I guess. It doesn't implement MVC at all, I know that's bad. From now on, all my projects will be using AngularJS (I would have used Angular for this but I learnt Angular halfway through making it). Folder names aren't exactly correct either, I know. [URL="http://plexrp.co.uk/mysocial/"]Here it is[/URL]. Go nuts. Here's a few pictures: Home page: [IMG]http://i.imgur.com/CkJI4Xn.png[/IMG] Profile page: [IMG]http://i.imgur.com/XwNmINO.png[/IMG] Ignore the search box. I need to change it completely.[/QUOTE] [t]http://up.nlan.org/due.png[/t] [editline]1st August 2014[/editline] oh god where's your htmlentities [t]http://up.nlan.org/OQlFx.png[/t]
[QUOTE=Silentfood;45564806][t]http://up.nlan.org/due.png[/t] [editline]1st August 2014[/editline] oh god where's your htmlentities [t]http://up.nlan.org/OQlFx.png[/t][/QUOTE] LOL! Amazing job. Can't believe I forgot about that.
[QUOTE=Chizbang;45564836]LOL! Amazing job.[/QUOTE] sanitise your forms dude, I was posting script tags on your profile redirecting to my site [url]http://php.net/manual/en/function.htmlentities.php[/url]
[QUOTE=Silentfood;45564847]sanitise your forms dude, I was posting script tags on your profile redirecting to my site [url]http://php.net/manual/en/function.htmlentities.php[/url][/QUOTE] I can't believe I forgot to do that, I did do it for the post content but not the settings *facepalm*. Done! (I think) Link is back online. Sorry for that insanely stupid mistake, everyone!
[QUOTE=Chizbang;45564725]I set out to make a Twitter clone. Its design isn't great, the code isn't perfect either but it works... I guess. It doesn't implement MVC at all, I know that's bad. From now on, all my projects will be using AngularJS (I would have used Angular for this but I learnt Angular halfway through making it). Folder names aren't exactly correct either, I know. [URL="http://plexrp.co.uk/mysocial/"]Here it is[/URL]. Go nuts. Ignore the search box. I need to change it completely.[/QUOTE] Smaller font size and more padding should make it look nicer.
[QUOTE=TrinityX;45565769]Smaller font size and more padding should make it look nicer.[/QUOTE] Thanks for the suggestions! Yeah, need to refine design here and there.
[QUOTE=Chizbang;45564725]I set out to make a Twitter clone. Its design isn't great, the code isn't perfect either but it works... I guess. It doesn't implement MVC at all, I know that's bad. From now on, all my projects will be using AngularJS (I would have used Angular for this but I learnt Angular halfway through making it). Folder names aren't exactly correct either, I know. [URL="http://plexrp.co.uk/mysocial/"]Here it is[/URL]. Go nuts. Here's a few pictures: Ignore the search box. I need to change it completely.[/QUOTE] Dude fix the register box, you can sign up without a password, or email.
[QUOTE=Mega1mpact;45561994]I've dealt with multiple big companies trying to inform them about critical 0days in consumer software they make. They give 0 fucks.[/QUOTE] Cloudflare set one of my sites to business-class (the plan that's like $200/mo or something) and I put in a ticket about it. That was about half a year ago. uhhhhhh
[QUOTE=vladka24;45566151]Dude fix the register box, you can sign up without a password, or email.[/QUOTE] Fixed! Email was intentional, totally forgot about passwords. Should have focused in on the smaller details :/
I'm making this control panel for my VPS, tips always appreciated. [IMG]http://www.kiwis-are-cool.com/images/tips.gif[/IMG]
[QUOTE=Tezzanator92;45561324]I found a pretty serious XSS problem in a record label's video upload website by accident, emailed them with a proof of concept and they are reviewing security with their developers. Job well done I say. As long as they actually fix the issue.[/QUOTE] They are fixing it! However I just now discovered their search box is completely unsanitised and I can run arbitrary SQL statements. Oh dear. Do some developers just not even think of security? It's like not including any validation at the server side and assuming that because the button is hidden no one can click it.
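An added example, not code from the site discussed above, of the server-side fix for a search box that builds SQL from user input: the term is bound as a parameter so the query's structure is fixed before any user data is seen. It uses an in-memory SQLite database with constructed rows so it runs stand-alone; the table, function names and sample input are assumptions.

```php
<?php
// Added example, not code from the site in the thread: a search handler that
// binds the user-supplied term instead of concatenating it into the SQL text.
// In-memory SQLite with constructed rows; names are assumptions.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT)');
    $ins = $db->prepare('INSERT INTO videos (title) VALUES (?)');
    foreach (['Summer Tour', 'Winter Session', 'Live at the Hall'] as $t) {
        $ins->execute([$t]);
    }
    return $db;
}

// Vulnerable: the term becomes part of the SQL text, so quotes and
// operators inside it change the query's structure.
function search_vulnerable(PDO $db, string $term): array
{
    $sql = "SELECT title FROM videos WHERE title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the term travels as a bound value, never as SQL. LIKE wildcards
// in the term are escaped as well, so a user cannot widen the match.
function search_safe(PDO $db, string $term): array
{
    $escaped = addcslashes($term, '%_\\');
    $stmt = $db->prepare(
        "SELECT title FROM videos WHERE title LIKE ? ESCAPE '\\'"
    );
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
// Constructed input: an ordinary title fragment that happens to contain a
// single quote. The vulnerable version turns it into a SQL syntax error;
// the safe version just searches for the literal text.
$term = "O'";
try {
    search_vulnerable($db, $term);
} catch (PDOException $e) {
    echo "vulnerable query failed: " . $e->getMessage() . "\n";
}
print_r(search_safe($db, $term));      // no rows
print_r(search_safe($db, 'session'));  // ["Winter Session"] (SQLite LIKE is case-insensitive for ASCII)
```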
[QUOTE=Chizbang;45565101]I can't believe I forgot to do that, I did do it for the post content but not the settings *facepalm*. Done! (I think) Link is back online. Sorry for that insanely stupid mistake, everyone![/QUOTE] [url]http://plexrp.co.uk/mysocial/prof.php?user=%3Cstyle%3Ebody{background-image:url(%27http://facepunch.com/image.php?u=251713%27)%20!important;%3C/style%3E%3Cimg%20width=200%20src=%22http://facepunch.com/image.php?u=251713%22%3E%3C!--[/url]
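An added example, not code from Chizbang's site, showing the fix Silentfood points at and the bug the link above exercises: a profile page that reflects the ?user= parameter unescaped, beside the same page with htmlentities applied at output. The function names and the constructed sample input are assumptions.

```php
<?php
// Added example, not code from the thread's Twitter clone: a minimal
// prof.php-style page that reflects the ?user= query parameter, first in the
// vulnerable form the thread points out and then with output escaping.
// The function names and the sample input are assumptions for illustration.
declare(strict_types=1);

// Vulnerable: the raw parameter is concatenated into the markup, so a value
// containing <style> or <img ...> is parsed as HTML by the browser.
function render_profile_vulnerable(string $user): string
{
    return '<h1>Profile of ' . $user . '</h1>';
}

// Escape for the HTML body/attribute context at output time. ENT_QUOTES also
// converts single quotes, so the result is safe inside quoted attributes too,
// and the explicit charset avoids multibyte confusion.
function esc(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: same page, but every untrusted value passes through esc().
function render_profile_safe(string $user): string
{
    return '<h1>Profile of ' . esc($user) . '</h1>';
}

// Constructed input shaped like the one posted in the thread: markup smuggled
// in through the user parameter (placeholder image URL).
$sample = '<style>body{background:url(http://example.invalid/x.png)}</style>'
        . '<img width=200 src="http://example.invalid/x.png"><!--';

$vuln = render_profile_vulnerable($sample);
$safe = render_profile_safe($sample);

// The vulnerable output still contains live tags; the escaped value has no
// '<' left at all, so the browser shows the text instead of rendering it.
assert(strpos($vuln, '<style>') !== false);
assert(strpos(esc($sample), '<') === false);
echo $safe, "\n";
// In the real page: $user = $_GET['user'] ?? ''; echo render_profile_safe($user);
```

Escaping at output is the fix for this bug; validating the username on input (length, allowed characters) is a separate, additional check.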
[QUOTE=xxxdeath;45569777]I'm making this control panel for my VPS, tips always appreciated. [IMG]http://www.kiwis-are-cool.com/images/tips.gif[/IMG][/QUOTE] "i got dumbed for posting memes, i better dumb everyone else who posts" automerge wtf cmon dude
It's what you have to do to survive
[img]http://i.imgur.com/vUGqO3A.png[/img] My personal website, first website I've published. Thoughts? [url]http://dylanbienenstock.com[/url]
I don't know if any of you know of [url=https://twitter.com/r00k]Ben Orenstein[/url] (he does great ruby/rails talks) but with [url=https://twitter.com/Samb_o/status/495640981304528896]a bit of hope from me[/url] and [url=https://twitter.com/ChrisRadford/status/495706367660146689]a bit of luck[/url] it might be possible that he'll guest lecture at my Uni. Yay! [sp]Is webdev waywo sort of a general chat like programming waywo? I don't visit as often[/sp]
[QUOTE=dylanb5123;45576289]My personal website, first website I've published. Thoughts? [url]http://dylanbienenstock.com[/url][/QUOTE] Why did everyone rate me "Disagree"? :(
[QUOTE=dylanb5123;45578065]Why did everyone rate me "Disagree"? :([/QUOTE] Drop the glowing/text-shadow, it's extremely obnoxious and makes you look like a 13-year-old who just discovered how to make a site (or text-shadow in this case). Also using the Garry's Mod font isn't really a great idea either. P.S. get rid of the dollar signs
it looks like a fake site you'd see on gta 5
[QUOTE=sambooo;45577926][sp]Is webdev waywo sort of a general chat like programming waywo? I don't visit as often[/sp][/QUOTE] Basically; post what you want, as long as it's remotely related. Also, less people.
I did this thing... [url]http://boards.4gran.org/illuminati/[/url] [editline]4th August 2014[/editline] Code is spaghetti but it works
[IMG]http://imgkk.com/i/egw3.jpg[/IMG] [url]http://heatmaps.tf[/url] - Nearly done now, just got filters and zooming to do. Oh and a code cleanup, because it's a disgusting mess.