KyleBerezin | 5 months ago

I find myself thinking "wow, what an obvious bug. How did Microsoft not catch that?" but then I think back to some of my own extremely obvious bugs. Thankfully my code is much lower impact.

btreecat|5 months ago

I still think of the lessons learned from a root traverse bug I accidentally coded into one of our internal apps as a jr dev.

You could change the URL of the image, and get any file off the system to download as long as the service account had read access.

Invaluable XP, and really glad everything was behind AD authentication and internal users were trustworthy enough and operating in a network isolated context.
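The bug class described in the comment above, shown next to a contained version, as an added example that is not part of the thread and not the commenter's code. The function names, the `images` directory and the file names are assumptions, and the directory tree is constructed in a temporary folder.

```python
import os
import tempfile
from pathlib import Path


def resolve_unsafe(base_dir, requested):
    """Bug class from the comment: the request value is joined as-is."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_contained(base_dir, requested):
    """Return the real path of `requested` only if it stays under base_dir."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks before the check.
    # An absolute `requested` replaces base in the join and fails the check too.
    candidate = (base / requested).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"outside image root: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def demo():
    """Try several request values against a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        images = Path(root, "images")
        images.mkdir()
        (images / "logo.png").write_bytes(b"constructed image bytes")
        secret = Path(root, "service.conf")  # readable by the service account
        secret.write_text("constructed secret")
        (images / "link.png").symlink_to(secret)  # symlink leaving the root
        cases = {"plain": "logo.png", "dotdot": "../service.conf",
                 "absolute": str(secret), "symlink": "link.png",
                 "missing": "nope.png"}
        for label, name in cases.items():
            try:
                resolve_contained(images, name)
                results[label] = "served"
            except (PermissionError, FileNotFoundError) as exc:
                results[label] = type(exc).__name__
        # The as-is join lands on the file outside the image directory.
        results["unsafe_escapes"] = (
            resolve_unsafe(images, "../service.conf") == str(secret))
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check limits which paths the handler will open; what the service account can read still bounds the damage if the check is ever missed.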

globular-toast|5 months ago

Yeah, having learnt very similar (if not the same) lessons myself the hard way, I see great value in being able to fail badly, but with low stakes. I catch loads of bugs like these from jrs before they hit prod, but I don't feel like they're learning the fundamentals of security like trust, sanitising inputs, least privilege, etc.

lawlessone|5 months ago

Sounds like how WordPress used to be. Could explore all the folders and get any file off the site with something like website.com/content/2010/