
Helloooo! I am Moose! They/Them/He/Him. I am an embedded software engineer with autism, depression and anxiety ( Wooo! ). I post about... whatever I want... software things, mental health things... whatever I feel like. Feel very welcome to send me asks about... anything that strikes your fancy :3
What To Do When You Spot A Broken Website
I am a very firm believer in either sticking to your principles or updating them.
So when I got this error while I tried to search for C/C++ on my national job portal:

My first thought was "Huh, that is sorta funny" (especially since the code that should show me the email address to report this error to was ALSO broken... meaning that whoever wrote the code that should run if the website broke never tested it). And then I realized what I was looking at.
And at that point I think I had an ethical duty to notify people to get this fixed. FAST. Why?
It comes under "You are responsible for your choices". With the understanding that doing nothing is also a choice, and that taking a job where you work for, and help, a company doing evil is NOT a choice if that is the only job you could get (i.e. you did not have the power/money/mental health/time to make a choice).
It is now fixed*, so I wanted to make this post for everyone in the little codeblr community doing any front-end work, web or not. With 3 lessons to learn from this.
First thing to get from this: "Everyone makes mistakes". This is one of the reasons good code is not code without errors. It is code where it is easy to make changes and fix errors. You then try to find as many errors as you can with code reviews, automated testing, having a work environment that does not punish human errors (which encourages people to HIDE errors) and so on.
Second thing: "Sanitize your user input. Always". Write code that assumes that every single user wants nothing more than to break your code and exploit its vulnerabilities.
This had NOT been done here. This error shows that characters in the string made from my search terms were being run as code. As in, I, or anyone else, could run code in the middle of this JavaScript code. Meaning it is possible that someone could write code as part of their search that would make the JavaScript code do... whatever they wanted to. Including deleting the entire backend database. Or stealing the info. This is why you ALWAYS sanitize your user input. Basically, encode every potentially dangerous character as something else before the input is used. There are libraries like validator.js and express-validator that will do it for you, if you use JavaScript.
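To make the difference between "delete the dangerous characters" and "encode them" concrete, here is an added example (my own illustration, not the job portal's code and not code from validator.js). It puts a search term into a page's JavaScript three ways: the broken pattern of splicing the raw string into source, the strip-everything fix the post describes, and context-specific encoding that keeps every character of "C++" intact. The search terms and function names are constructed for the example.

```javascript
// Added example (not the job portal's code, and not from validator.js):
// the three ways a search term can end up inside a page's JavaScript.
// All search terms below are constructed sample input.

// 1. The broken pattern: splicing the raw term into JavaScript source.
// A single quote in the term closes the string literal early and whatever
// follows is parsed as code (here we only check whether it parses at all).
function buildQueryScriptUnsafe(term) {
  return "var query = '" + term + "';";
}

// 2. The portal's eventual fix as the post describes it: delete every
// character that is not a letter, digit or space. Inert, but "C++" becomes "C".
function stripDangerousChars(term) {
  return term.replace(/[^A-Za-z0-9 ]/g, "");
}

// 3. Encoding for the context: JSON.stringify yields a valid JavaScript
// string literal for any input, quotes and backslashes included, so every
// character survives and none of them is read as code.
function buildQueryScriptSafe(term) {
  return "var query = " + JSON.stringify(term) + ";";
}

// If the term is also echoed into HTML, escape for that context separately:
// one encoder per output context, applied where the value is inserted.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Parse-only check: does the generated source even compile?
// new Function parses the body without running it.
function parsesAsJavaScript(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    return false;
  }
}

// Round trip: what value does `query` hold after the generated script runs?
// Returns null when the script does not parse. Generated code is run here
// only to show that the encoded form hands the term through unchanged.
function queryAfterRunning(src) {
  if (!parsesAsJavaScript(src)) return null;
  return new Function(src + " return query;")();
}

// Constructed sample terms: the post's own "C++" and a term with a quote.
const SAMPLE_TERMS = ["C++", "O'Reilly"];

function demo() {
  return SAMPLE_TERMS.map((term) => ({
    term,
    unsafeParses: parsesAsJavaScript(buildQueryScriptUnsafe(term)),
    stripped: stripDangerousChars(term),
    encodedRoundTrip: queryAfterRunning(buildQueryScriptSafe(term)),
    htmlSafe: escapeHtml(term),
  }));
}

console.log(demo());
```

Running it shows the trade-off the post complains about: stripping turns "C++" into "C" while the encoded version searches for exactly what was typed, and the raw splice stops parsing as soon as a term contains a quote. Two practitioner notes: the encoder has to match the output context (validator.js's `escape()` covers the HTML case, JSON.stringify the JavaScript-literal case, and a database query wants a parameterized query, not either of these), and the cleanest fix is to not generate code from user input at all but to pass the term along as plain data.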
And the third thing: "Do NOT investigate further". As soon as you confirm that your user input gets treated as code, you contact whoever is running it. If they do not take the threat seriously and it is still there after a week or two, contact established press with this info.

You may read about so-called grey hat hackers, who, unlike black hat hackers (people wishing to do harm) or white hat hackers (people hired to try to break into a company's software to test it), are trying to find security flaws with good intentions, but are unaffiliated with whoever's code they are trying to break into. In an ideal world, doing that and then contacting the company SHOULD result in the company thanking them. But often it also leads to the company suing. And winning. Since breaking in to show that it is possible is technically still breaking in. So do NOT start testing what you are able to do with the exploit you found. Report it to them, and check a week's time later if it is fixed. If it keeps being vulnerable, contact the press.

The site fixed this error after half a week. But they did it not by encoding the dangerous characters into something else, but by simply removing them all from the user input string. Meaning that I still cannot search for "C++". Now I just get any job that contains the letter "C"... I mean... it is better... So if you take user input, and it does not brick your code in dangerous ways, you are doing better than whoever coded this for the Danish State :p
More Posts from Moose-mousse
I am a low level engineer. As such I am NEVER let ANYWHERE near a customer or ANY decision that involves "How do you feel people should use computers?". I am a low level engineer. When you ask us such questions, answers like "Working in the shell is most of the time nicer than a GUI" or "No I DO think forcing the consumer to insert the settings for their automatic curtains in a hex code they generate based on several tables in the manual is a reasonable way for this system to work". So AS a low level engineer, I can only say... yep, put it up to 12. I once used one to melt tin and used it to solder with, and I am sure many users will face similar needs of their toasters since that is completely reasonable behavior.

A girl who took her degree at the same time as me had taken a bachelor in English before becoming an engineer.
And everyone around her was ASTONISHED that an engineer would be able to write documentation that is readable to HUMANS. She has NEVER been unemployed. She was hired FAST.
It is HARD to learn skills that are 100% useless to whatever you end up doing. Do things you like. Study whatever you like. Have whatever hobbies. If they make you a better you, that will make you better at WHATEVER job you will end up doing.
And people WILL hire you for more. Because you WANTING to learn these skills, will naturally do with passion and enthusiasm. And want to do it a lot.
That is what people usually call "Talent".
You have it too! You ARE talented. And I beg of you, allow yourself to delve deep into these passions so you can become the best you, you can be.
The world has need of good people doing their best. Let us make sure we cultivate many such people.

If you do ANY C++, you need to watch Jason Turner's!
Oh my god, I just realized I have never plugged Jason Turner's YouTube channel on this blog!!! This must immediately be remedied!

Not only is this man VERY easy to listen to, he gives great examples of everything he talks about, from super basic beginner concepts up to stuff about how C++ compilers decide what template classes to implement for any given use of the function. Can only be recommended. It is FASCINATING how all the tiny details of C++ click and pop, and make that glorious, optimized, smooth machine that is C++ run. Love it
Yeeep. Also, assembly languages are different for every CPU family (and sometimes generations within those) because the assembly instructions (which are... ALL the keywords in any assembly language) map 1:1 to "what the CPU can do". So if you know a bit of assembly, suddenly you have the ability to easily look up "What can this family of CPUs do?".
Reason to learn assembly #1
You will be able to better understand the program output of your compiler (especially if using C, C++ or Rust). Because in the end people using those languages want all the tasty performance their code can achieve, knowing assembly can be pretty useful for evaluating the scope of some optimizations. "Do I really need to do this optimization or does the compiler know it already?", "Does the compiler know how to inline this lambda?", "Is the compiler smart enough to get rid of this loop for me when I enable this thing?" and so on.
Not only that, but you will be able to have some intuition when comparing the performance of similar code by its assembly code.
A really cool tool about the subject is called Compiler Explorer and it basically lets you easily analyse the output of your code online.
