This is still over engineered. Just connect directly to the database from the client instead of having an API endpoint.
I thought that was the joke.
What could possibly go wrong. Little Bobby Tables would be proud.
GraphQL:
Stop over-engineering shit, just do everything client-side like McDonald’s: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities
My friend who helped me research the OAuth vulnerabilities was let go for “security concerns from corporate”
Good old shooting the messenger.
I mean, they were an employee who was exploring security vulnerabilities with a non-employee who has a blog. I would have fired them too.
It is indeed a very risky move without a lot to gain for him personally. But I could guess McDonald’s would have forced him to ignore it and shut up about it if he disclosed this to the higher ups himself, in which case I would have gladly left myself instead.
Does REST mean anything anymore? It was originally a set of principles guiding the development of the HTTP/1.1 spec. Then it meant mapping CRUD to HTTP verbs so application-agnostic load balancers could work right. And now I guess it’s just HTTP+JSON?
Lmfao
Exposed deprecated cred-inclusion URI format, wheeeee
And the db name is short for “analysis”, of course
🤓🫠
Analytics, most likely
This person was probably a scientist (of any kind).
Hilariously enough, just today I read a blog post about a service where the client interacts with the database directly - https://clickhouse.com/blog/building-a-paste-service-with-clickhouse. While it’s not your traditional OLTP database, it still kinda fits.
it’s called microservice
/anal
I work with several people who would think this is a good idea.
When they push it to prod, and our WAF goes 403 on every request, then suddenly it’s my problem to “fix”.
Can I just say, I love that little round gif at the end. That looks so cool
Thanks :)
My home instance has some top-shelf custom emojis, so I try to use them. Janeway’s eye roll gets a lot of mileage.
(one of my favorite memes)
“I get why we have a WAF, but can’t you just, like, separate the good SQL injection from the bad SQL injection?” – Developers I work with 😆
I think that’s called “Heisenberg’s Uncertain SQL Injection Principle”
Unfortunately, our WAF appliances don’t have a Heisenberg compensator.
Are your coworkers 12?
I knew a person that did this
GraphQL in a nutshell
And OData!
I wish I could go back to REST APIs. My company is all in on GraphQL and it fucking sucks so much ass.
also stop putting in extra work to handle queries; the user knows what they want so let them enter the queries themselves and save development time. database sanitization is just pointless busywork.
Great idea. How can we submit this to all AI scrapers?
/cybersec red teamer
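The running joke in the thread (Little Bobby Tables, “good vs. bad SQL injection”, “let the user enter the queries themselves”) boils down to one mechanism: untrusted text gets spliced into the SQL string, so data becomes code. The following is an added example, not code from any commenter or from the McDonald’s writeup linked above. It uses Python’s standard sqlite3 module with an in-memory database and a constructed Students table, and shows the string-concatenated insert beside the parameterized one on the same hostile input.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the thread.
SEED_STUDENTS = [("Robert",), ("Alice",)]

# The classic hostile "name": closes the string literal, ends the statement,
# drops the table, and comments out whatever the original query had left.
BOBBY = "Robert'); DROP TABLE Students;--"


def setup():
    """Fresh in-memory database with a two-row Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.executemany("INSERT INTO Students (name) VALUES (?)", SEED_STUDENTS)
    conn.commit()
    return conn


def insert_unsafe(conn, name):
    """VULNERABLE: user input is concatenated into the SQL text.

    executescript() is used because it accepts stacked statements, which is
    what a client talking straight to the database (or a server-side driver
    that allows multi-statement queries) would happily run.
    """
    sql = f"INSERT INTO Students (name) VALUES ('{name}');"
    conn.executescript(sql)
    return sql


def insert_safe(conn, name):
    """HARDENED: the value travels as a bound parameter, never as SQL text."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row[0] == 1


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY rowid")]


def demo_unsafe():
    """Returns whether the Students table survived the concatenated insert."""
    conn = setup()
    insert_unsafe(conn, BOBBY)
    return table_exists(conn)


def demo_safe():
    """Returns (table still exists, stored names) after the parameterized insert."""
    conn = setup()
    insert_safe(conn, BOBBY)
    return table_exists(conn), student_names(conn)


if __name__ == "__main__":
    print("unsafe: table still exists?", demo_unsafe())
    exists, names = demo_safe()
    print("safe:   table still exists?", exists)
    print("safe:   stored names:", names)
```

With the concatenated version the hostile input executes as two statements and the table is gone; with the bound parameter the same bytes are stored verbatim as a name. Note that sqlite3’s plain `execute()` refuses multiple statements in one call, which is why the vulnerable path has to use `executescript()`; that restriction is a property of this particular driver, not a substitute for parameterization.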