Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bad ideas & worst practices - Webcamp Zagreb

1f1695d6aaebfb29c08aab76ec1d69eb?s=47 Luka Kladaric
October 03, 2014
Technology
0
68

Bad ideas & worst practices - Webcamp Zagreb

1f1695d6aaebfb29c08aab76ec1d69eb?s=128

Luka Kladaric

October 03, 2014
Tweet

More Decks by Luka Kladaric

See All by Luka Kladaric
Organizacija developmenta u internacionalnom development teamu - WebCamp 2012
1f1695d6aaebfb29c08aab76ec1d69eb?s=48 allixsenos
0
14
LAMP Scaling 101 - ZgPHP
1f1695d6aaebfb29c08aab76ec1d69eb?s=48 allixsenos
0
22

Other Decks in Technology

See All in Technology
JSAI 2022チュートリアル講演 AI哲学マップ / JSAI 2022 Tutorial "AI Philosophy Map"
0d818b57f823b5a8d845eb5d085506d2?s=48 ykiyota
0
390
sleepagotchi
0684ef0f8b92614508e0c323c3619462?s=48 fuwasegu
1
1.3k
LINE Search - Recruiting
7817a37f86a649081722e52270d2ba75?s=48 line_recruiting
0
180
SI企業が「アジャイル推し」になったら 幸せになれますか?/Can SI company be happy if it becomes “Agile stan” ?
7977a0896e60587b2690550891be2ea7?s=48 chinmo
1
1k
多様な成熟度のデータ活用を総合支援するKADOKAWA Connectedのデータ組織について
058dd218ad1491cf904b1105b94fe5a8?s=48 kadokawaconnected
PRO
0
170
History of the ML system in KARTE
290d6f09d5a1df2c2ecb6601011fe5c1?s=48 kargo113
0
510
ウォーターフォールとアジャイルと楽楽明細/Waterfall×Agile×Rakurakumeisai
83c3e0e87371c50399ac898308bdbb92?s=48 whitefox_73
1
340
セキュリティ 開運研修2022 / security 2022
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
PRO
2
2.7k
出張スクラムマスターとしての FEARLESS CHANGE な生き方
07c1e95591450e742911f01a9b12f256?s=48 naitosatoshi
1
1.1k
ROS再入門​-はじめてのSLAM-
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
330
インタラクティブなメディアの地図投影法: WebメルカトルからAdaptive Projectionsへ / MIERUNE 社内勉強会 #033
C6b97a47d5406cfdef50a5c755751c16?s=48 sorami
2
210
CADDi AI LabにおけるマネージドなMLOps
620c94b3affc3376c62540a64ce7ba36?s=48 vaaaaanquish
2
1.4k

Featured

See All Featured
5 minutes of I Can Smell Your CMS
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
196
18k
Become a Pro
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
3
820
Dealing with People You Can't Stand - Big Design 2015
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
351
21k
Build The Right Thing And Hit Your Dates
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
19
1.2k
How to Ace a Technical Interview
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
265
21k
Bash Introduction
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
597
210k
A Modern Web Designer's Workflow
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
689
180k
Music & Morning Musume
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
35
4.2k
Pencils Down: Stop Designing & Start Developing
79acae287842acf29084005533a7fb3b?s=48 hursman
112
9.8k
Making the Leap to Tech Lead
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
113
7.3k
Fireside Chat
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
11
1.3k
Large-scale JavaScript Application Architecture
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
499
110k

Transcript

  1. BAD IDEAS & worst practices Luka Kladarić luka@hitlistapp.com @kll @allixsenos

    for Webcamp Zagreb 2014. 1

  2. @allixsenos for Webcamp Zagreb 2014. 2

  3. Bad ideas @allixsenos for Webcamp Zagreb 2014. 3

  4. PHP @allixsenos for Webcamp Zagreb 2014. 4

  5. Worst practices @allixsenos for Webcamp Zagreb 2014. 5

  6. PHP Frameworks @allixsenos for Webcamp Zagreb 2014. 6

  7. Any questions? @allixsenos for Webcamp Zagreb 2014. 7

  8. Kidding.1 1 for the most part. @allixsenos for Webcamp Zagreb

    2014. 8

  9. Who? @allixsenos for Webcamp Zagreb 2014. 9

  10. Luka Kladarić @allixsenos for Webcamp Zagreb 2014. 10

  11. recovering PHPholic @allixsenos for Webcamp Zagreb 2014. 11

  12. 10+ years of professional webdev (asp, php, js, python) @allixsenos

    for Webcamp Zagreb 2014. 12

  13. @allixsenos for Webcamp Zagreb 2014. 13

  14. 3 years at deviantART, a megascale web property @allixsenos for

    Webcamp Zagreb 2014. 14

  15. CTO at Hitlist, a New York-based travel tech startup www.hitlistapp.com

    @allixsenos for Webcamp Zagreb 2014. 15

  16. a lot of experience breaking things @allixsenos for Webcamp Zagreb

    2014. 16

  17. Bad ideas & worst practices? @allixsenos for Webcamp Zagreb 2014.

    17

  18. Antipatterns. @allixsenos for Webcamp Zagreb 2014. 18

  19. Lack of skill, experience and insight to recognize a bad

    solution. @allixsenos for Webcamp Zagreb 2014. 19

  20. Lack of will to find a better one. @allixsenos for

    Webcamp Zagreb 2014. 20

  21. Cowboy coder byproduct.2 2 c2wiki: Cowboy Coder @allixsenos for Webcamp

    Zagreb 2014. 21

  22. 1) Trusting user input @allixsenos for Webcamp Zagreb 2014. 22

  23. SQL injection (and other flavours of injection) SELECT * FROM

    accounts WHERE custID="{$_GET['id']}" http://mysite.com/show_customer.php?id=" OR 1=1; -- SELECT * FROM accounts WHERE custID="" OR 1=1; used to bypass login and permissions, leak sensitive information, extract entire databases... possibilities endless @allixsenos for Webcamp Zagreb 2014. 23

  24. shellshock $ env x='() { :;}; echo vulnerable' bash -c

    "echo this is a test" vulnerable this is a test $ and various other uninentional and malicious exploits from unchecked user input @allixsenos for Webcamp Zagreb 2014. 24

  25. 2) Trusting the middleware (browsers/apps, protocols, proxies, ...) @allixsenos for

    Webcamp Zagreb 2014. 25

  26. Cookies & sessions Set-Cookie: userid=32742427; • hmmmm, I wonder what

    happens if I change the id? • store as little as possible • encrypt/sign to protect against tampering • because people WILL tamper with them @allixsenos for Webcamp Zagreb 2014. 26

  27. Cookies & sessions Cookie: userid=SOMEONE_ELSE; 1. log into the game

    as someone else 2. sell their rare valuables on the marketplace 3. log in as me from a different browser & buy them 4. MUAHAHA. @allixsenos for Webcamp Zagreb 2014. 27

  28. The apps don't work for you @allixsenos for Webcamp Zagreb

    2014. 28

  29. <input type="text" name="SPARE_POINTS" value="0" readonly> <input type="text" name="STRENGTH" value="10" readonly>

    <button>+</button> <input type="text" name="DEXTERITY" value="10" readonly> <button>+</button> <input type="text" name="CONSTITUTION" value="10" readonly> <button>+</button> <input type="text" name="INTELLIGENCE" value="10" readonly> <button>+</button> (circa 2004) the text fields are "read only", the buttons distribute SPARE_POINTS, what could possibly go wrong? @allixsenos for Webcamp Zagreb 2014. 29

  30. <input type="text" name="SPARE_POINTS" value="0" readonly> <input type="text" name="STRENGTH" value="1000" blabla>

    <button>+</button> <input type="text" name="DEXTERITY" value="1000" blabla> <button>+</button> <input type="text" name="CONSTITUTION" value="1000" blabla> <button>+</button> <input type="text" name="INTELLIGENCE" value="1000" blabla> <button>+</button> @allixsenos for Webcamp Zagreb 2014. 30

  31. that didn't actually work @allixsenos for Webcamp Zagreb 2014. 31

  32. they EXPECTED IT @allixsenos for Webcamp Zagreb 2014. 32

  33. but... @allixsenos for Webcamp Zagreb 2014. 33

  34. <input type="text" name="SPARE_POINTS" value="0" readonly> <input type="text" name="STRENGTH" value="440"> <button>+</button>

    <input type="text" name="DEXTERITY" value="300"> <button>+</button> <input type="text" name="CONSTITUTION" value="300"> <button>+</button> <input type="text" name="INTELLIGENCE" value="-1000"> <button>+</button> now that worked. @allixsenos for Webcamp Zagreb 2014. 34

  35. I have successfully used in-transit or in-browser tampering to: @allixsenos

    for Webcamp Zagreb 2014. 35

  36. 1. obtain an expenses-covered invitation to a sporting event on

    a different continent3 3 didn't actually use it (or give my real info) @allixsenos for Webcamp Zagreb 2014. 36

  37. 2. get to the top of the leaderboard in 5

    minutes, in a game I've been playing for months and was #140 on the list @allixsenos for Webcamp Zagreb 2014. 37

  38. 3. buy stuff from / have it shipped to Croatia

    when it wasn't on the supported countries list @allixsenos for Webcamp Zagreb 2014. 38

  39. 4. pay less for goods or services @allixsenos for Webcamp

    Zagreb 2014. 39

  40. 5. get better air travel prices @allixsenos for Webcamp Zagreb

    2014. 40

  41. never, ever, trust anything that may have originated outside your

    system @allixsenos for Webcamp Zagreb 2014. 41

  42. 3) passwords @allixsenos for Webcamp Zagreb 2014. 42

  43. | id | username | password | |----|----------|----------| | 1

    | admin | admin | | 2 | joe | admin | | 3 | moe | moe | | 4 | freddie | 123456 | | 5 | wilma | moe | @allixsenos for Webcamp Zagreb 2014. 43

  44. | id | username | MD5(password) | |----|----------|----------------------------------| | 1

    | admin | 21232f297a57a5a743894a0e4a801fc3 | | 2 | joe | 21232f297a57a5a743894a0e4a801fc3 | | 3 | moe | 7f33334d4c2f6dd6ffc701944cec2f1c | | 4 | freddie | e10adc3949ba59abbe56e057f20f883e | | 5 | wilma | 7f33334d4c2f6dd6ffc701944cec2f1c | @allixsenos for Webcamp Zagreb 2014. 44

  45. | id | username | MD5("salted"+password) | |----|----------|----------------------------------| | 1

    | admin | 886023aadcd890a53976ea52a2c6866f | | 2 | joe | 886023aadcd890a53976ea52a2c6866f | | 3 | moe | 664c3b4abe62bcfa3573b8e5dd8b2608 | | 4 | freddie | 7787501ba5fb91c673983437be99e177 | | 5 | wilma | 664c3b4abe62bcfa3573b8e5dd8b2608 | @allixsenos for Webcamp Zagreb 2014. 45

  46. | id | username | MD5("salted"+username+password) | |----|----------|----------------------------------| | 1

    | admin | 328dd00fe4630672b17c5076d8f26f9b | | 2 | joe | 2b9ec8e996d1325a8d82c0687eb5ec49 | | 3 | moe | 9b20e3736d939cc51893a24175a4635d | | 4 | freddie | 1a17c349bb81758b8f576800a7dfa89e | | 5 | wilma | af72a08de64db30fae66fed8ae024836 | @allixsenos for Webcamp Zagreb 2014. 46

  47. @allixsenos for Webcamp Zagreb 2014. 47

  48. 4) inventing your own wheel a sure-fire recipe for ending

    up on this list is to reinvent something that already exists @allixsenos for Webcamp Zagreb 2014. 48

  49. like rolling your own ID generation system for the database

    @allixsenos for Webcamp Zagreb 2014. 49

  50. and then doing a TALK about it @allixsenos for Webcamp

    Zagreb 2014. 50

  51. @allixsenos for Webcamp Zagreb 2014. 51

  52. @allixsenos for Webcamp Zagreb 2014. 52

  53. @allixsenos for Webcamp Zagreb 2014. 53

  54. @allixsenos for Webcamp Zagreb 2014. 54

  55. databases have been generating IDs since before you heard of

    databases. leave Britney alone. @allixsenos for Webcamp Zagreb 2014. 55

  56. so... @allixsenos for Webcamp Zagreb 2014. 56

  57. how to NOT end up on this list? @allixsenos for

    Webcamp Zagreb 2014. 57

  58. surround yourself with people smarter than you @allixsenos for Webcamp

    Zagreb 2014. 58

  59. show them what you're working on @allixsenos for Webcamp Zagreb

    2014. 59

  60. listen when they tear it apart @allixsenos for Webcamp Zagreb

    2014. 60

  61. do it again. @allixsenos for Webcamp Zagreb 2014. 61

  62. Questions? (for real) @allixsenos for Webcamp Zagreb 2014. 62

  63. Thank you! @allixsenos luka@hitlistapp.com @allixsenos for Webcamp Zagreb 2014. 63