
Holy hell... I was expecting some old ncurses mainframe design with shitty interface, but if it's just an href... seems like it'd be trivial to hack and cause havoc


An old ncurses or mainframe design would not have had a shitty interface like that.

It would have used more than 2 colours.

It would have used consistent capitalization.

It would not have underlined everything.

It would have divided up menu options into related groups.

* http://www.cheapraybansunglassesa.com/wp-content/uploads/201...

* https://i.stack.imgur.com/8LzMo.jpg

* http://thinview.com/images/emulator.gif

* http://hunterstrainingassociates.com/images/ispf1_25.gif

* https://as400iseries.files.wordpress.com/2013/03/libraries1....

* https://seasoft.com/assets/seasoft.com/seasoft.com/public/up...


I can almost guarantee it's a COBOL mainframe with a much more sensible UI which they put a screen scraper over to make it more "modern looking".


Just slap a web interface over everything. I was expecting something old, too. But this is worse, since it's so easy to click the wrong link.


I really, really hope there’s no JS on that page. Because if there is, given the poor design, it’s probably vulnerable to XSRF.

Gives a whole new meaning to critical vulnerabilities. Sheesh.


XSRF has nothing to do with JavaScript.

A site is vulnerable to XSRF if it doesn't use tokens when performing critical operations. Critical operations are (usually) performed using HTTP POST, which can be done via form submission... token generation and validation is done server side...

You can perform a successful XSRF attack in a browser with JavaScript completely disabled.
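The server-side token check the comment above describes, as an added example that is not part of this thread: a hypothetical in-memory session store issues each session an unguessable token, and a state-changing POST handler rejects any submission whose token does not match, which is exactly what a form posted from another site cannot supply.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session_id -> {"csrf": token}.
# A real deployment would back this with a proper session backend.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(session_id):
    """Token the server embeds as a hidden field in its own forms."""
    return SESSIONS[session_id]["csrf"]


def handle_transfer(session_id, form):
    """Handler for a state-changing POST. `form` is the parsed body.

    The browser attaches the session cookie to any POST aimed at this
    site, including one triggered from a third-party page, so the cookie
    alone proves nothing about where the form came from. The per-session
    token does: another origin can neither read it nor guess it.
    Returns (http_status, message).
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "csrf token missing or invalid"
    # Token verified: perform the critical operation (stubbed here).
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


if __name__ == "__main__":
    sid = new_session()
    # Constructed requests: one from the site's own form, one lacking the token
    # as a cross-site form submission would (it cannot read the token).
    print(handle_transfer(sid, {"csrf_token": csrf_token_for(sid),
                                "amount": "10", "to": "bob"}))
    print(handle_transfer(sid, {"amount": "10", "to": "mallory"}))
```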


Wait, so what am I thinking of? The phenomenon where if you can get a website to display output of your choosing in a non-sanitized way, you can abuse that to cause code to be executed by the user.


XSS (cross site scripting)

