Default Index
-
Composium of sites that have their web server's default indexing functionality for some reason, when it's clearly meant to be a web app of some kind.
I'll go first!
https://myapps.taec.toshiba.com/myapps/admin/jsp/webrma/
Toshiba's RMA site fucks off if you try to go to the actual index.jsp, so here's a listing!
-
@Tsaukpaetra le fook is a .jsp?
-
@ask_compu jizzy spunk pool. Like a cumbox but much bigger
-
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Java Server Page. Think of PHP meets Java. ...Okay, maybe don't.
-
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Older than a .jstl but less dangerous than a .do
-
-
@HardwareGeek said in Default Index:
@Zecc said in Default Index:
Okay, maybe don't.
Good plan.
The best laid plans get fucked every step of the way...
-
@Zecc said in Default Index:
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Java Server Page. Think of PHP meets Java. ...Okay, maybe don't.
oh dear god no
java?! on a web server?! that sounds like a security nightmare
-
@Tsaukpaetra kinky
-
@ask_compu said in Default Index:
@Zecc said in Default Index:
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Java Server Page. Think of PHP meets Java. ...Okay, maybe don't.
oh dear god no
java?! on a web server?! that sounds like a security nightmare
Only a slightly more convoluted nightmare than flash.
-
@Tsaukpaetra said in Default Index:
@ask_compu said in Default Index:
@Zecc said in Default Index:
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Java Server Page. Think of PHP meets Java. ...Okay, maybe don't.
oh dear god no
java?! on a web server?! that sounds like a security nightmare
Only a slightly more convoluted nightmare than flash.
at least flash was for clients, not servers!
-
-
@ask_compu said in Default Index:
@Tsaukpaetra said in Default Index:
@ask_compu said in Default Index:
@Zecc said in Default Index:
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Java Server Page. Think of PHP meets Java. ...Okay, maybe don't.
oh dear god no
java?! on a web server?! that sounds like a security nightmare
Only a slightly more convoluted nightmare than flash.
at least flash was for clients, not servers!
Aria
-
@ask_compu said in Default Index:
at least flash was for clients, not servers!
It's pretty much like a rule 34 of tecknology. If it exists, someone somewhere has twisted it into an unholy abomination, allegedly just for , but also being completely serious.
-
@ask_compu said in Default Index:
@Zecc said in Default Index:
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Java Server Page. Think of PHP meets Java. ...Okay, maybe don't.
oh dear god no
java?! on a web server?! that sounds like a security nightmare
Backend? Perfectly fine as long as you're not running struts or similar piles of turd on fire. JSP has a few problems though.
-
@ask_compu said in Default Index:
@Zecc said in Default Index:
@ask_compu said in Default Index:
@Tsaukpaetra le fook is a .jsp?
Java Server Page. Think of PHP meets Java. ...Okay, maybe don't.
oh dear god no
java?! on a web server?! that sounds like a security nightmare
Why's that?
I mean, although it was originally designed to be a safe sandbox the implementations of Java browser plugins had numerous security problems. But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
-
@topspin said in Default Index:
But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
PHP is a low bar though.
-
@loopback0 said in Default Index:
@topspin said in Default Index:
But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
PHP is a low bar though.
-
@topspin said in Default Index:
But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
The biggest practical problems you see among people using Java as a server relate to SQL injection and XSS, and those are both instances of the general “let's blindly substitute this string in that one” vulnerability class, which are disappointingly easy to do in almost any language. With appropriate templating libs, you don't get any of that. (Such things do exist for Java and JSP so it's not like people actually have a good excuse.)
-
@dkf said in Default Index:
@topspin said in Default Index:
But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
The biggest practical problems you see among people using Java as a server relate to SQL injection and XSS, and those are both instances of the general “let's blindly substitute this string in that one” vulnerability class, which are disappointingly easy to do in almost any language. With appropriate templating libs, you don't get any of that. (Such things do exist for Java and JSP so it's not like people actually have a good excuse.)
And everyone's favorite
mysql_real_escape_string_i_mean_it_this_time
shows that's probably more common among the PHP monkeys.
-
@topspin escaping itself is a completely wrong solution to start with.
-
@Gąska said in Default Index:
@topspin escaping itself is a completely wrong solution to start with.
Yes, exactly.
-
@Gąska said in Default Index:
@topspin escaping itself is a completely wrong solution to start with.
I believe there was a version of MySQL long ago that didn't support bound parameters. Also, you can't use them to define anything other than values to pass in in any DB (though some DBs let you
EVAL
in a stored procedure for the goatse approach to security). Mind you, if you're taking in user-defined SQL and evaluating it (except when it's someone with admin permissions) then you're .
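As an added example that is not code from the thread, the "blindly substitute this string in that one" class dkf describes and the bound-parameter point above, shown in Python with the standard-library sqlite3 module so it runs stand-alone; the schema, rows and function names are constructed for this demo, the concat variant is kept deliberately vulnerable for contrast, and the sort-column function shows the allowlist you fall back on where a parameter cannot be bound (identifiers), plus the same idea applied to HTML output.

```python
import html
import sqlite3

# Constructed sample schema and rows (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users (name, role) VALUES
            ('alice', 'admin'), ('bob', 'user'), ('carol', 'user');
    """)
    return conn

def find_by_name_concat(conn, name):
    # Vulnerable on purpose: the untrusted string becomes part of the SQL text,
    # so a quote inside it rewrites the WHERE clause.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_by_name_bound(conn, name):
    # Fixed: the value travels as a bound parameter and is never parsed as SQL,
    # so a quote inside it is just a character in the comparison.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Identifiers (columns, tables) cannot be bound, so validate them against
# a fixed allowlist before they go anywhere near the query text.
ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

def render_greeting_concat(name):
    # Same class, different sink: untrusted text pasted into HTML (XSS).
    return f"<p>Hello, {name}</p>"

def render_greeting_escaped(name):
    # Fixed: encode for the HTML context, which is what templating libs do for you.
    return f"<p>Hello, {html.escape(name)}</p>"
```

Running the two lookup functions with the same quote-bearing input shows the concat version returning every user while the bound version returns nothing, which is the whole point.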
-
@topspin said in Default Index:
@Gąska said in Default Index:
@topspin escaping itself is a completely wrong solution to start with.
Yes, exactly.
Now, that it may be done by the actual line protocol but yeah. Fucking hell, even for the DB to perform properly.
-
@Applied-Mediocrity said in Default Index:
@ask_compu said in Default Index:
at least flash was for clients, not servers!
It's pretty much like a rule 34 of tecknology. If it exists, someone somewhere has twisted it into an unholy abomination, allegedly just for , but also being completely serious.
And for flash, there was ARIA, iirc. Jfc. Some of those systems are still '"'alive'"'...
-
@Gribnit Is that for Flash? I'm sure I've seen
aria-
prefixed HTML attributes in places where there was no Flash involved
-
@hungrier said in Default Index:
@Gribnit Is that for Flash? I'm sure I've seen
aria-
prefixed HTML attributes in places where there was no Flash involved
Might refer to a related standard. There is an Adobe? product which encourages you to use Flash for your business app. I was on a project to replace one such app, and ECC memory has probably refused to retain the product name. Tbf, not sure if Flash or even ActionScript happen on the backend, but they did have a data center play for Flash beyond streaming it.
-
@Gribnit The one I was thinking of is related to accessibility. Maybe there is some Flash technology or standard that's named the same
-
@hungrier said in Default Index:
@Gribnit The one I was thinking of is related to accessibility. Maybe there is some Flash technology or standard that's named the same
I think Adobe (Macromedia?) was dry-humping the same RIA acronym, then. '99? The code I saw was partying
kindaexactly like that.
They were young
They needed the money
The server side Actionscript runtime also received updates with support for XML, XMLSocket, SOAP and File operations.
-
@Jaloopa said in Default Index:
@ask_compu jizzy spunk pool. Like a cumbox but much bigger
Can confirm. I was the pool.
-
@Shoreline said in Default Index:
@Jaloopa said in Default Index:
@ask_compu jizzy spunk pool. Like a cumbox but much bigger
Can confirm. I was the pool.
I've seen PL/SQL written as JSP. If the OP had been a little less Oracular it'd've been JSP written as PL/SQL, but they were Oracular well beyond that threshold. They were supposed to be writing a custom report system. What they did write, was, PL/SQL SPs as JSPs.
I suspect maybe nobody expanded the JSP acronym for them, in retrospect, it would make things a lot more explicable.
-
@Gribnit said in Default Index:
@Shoreline said in Default Index:
@Jaloopa said in Default Index:
@ask_compu jizzy spunk pool. Like a cumbox but much bigger
Can confirm. I was the pool.
I've seen PL/SQL written as JSP. If the OP had been a little less Oracular it'd've been JSP written as PL/SQL, but they were Oracular well beyond that threshold. They were supposed to be writing a custom report system. What they did write, was, PL/SQL SPs as JSPs.
I suspect maybe nobody expanded the JSP acronym for them, in retrospect, it would make things a lot more explicable.
I don't understand. Are you saying they wrapped PL/SQL in
JavaJizz/JSP?
-
@Shoreline said in Default Index:
@Gribnit said in Default Index:
@Shoreline said in Default Index:
@Jaloopa said in Default Index:
@ask_compu jizzy spunk pool. Like a cumbox but much bigger
Can confirm. I was the pool.
I've seen PL/SQL written as JSP. If the OP had been a little less Oracular it'd've been JSP written as PL/SQL, but they were Oracular well beyond that threshold. They were supposed to be writing a custom report system. What they did write, was, PL/SQL SPs as JSPs.
I suspect maybe nobody expanded the JSP acronym for them, in retrospect, it would make things a lot more explicable.
I don't understand. Are you saying they wrapped PL/SQL in
JavaJizz/JSP?
Yes. And they wrapped it so hard, that it was more PL/SQL than JSP. Fundamentally, everything must have been SQL to them, it all ended up looking like a stored procedure. Pattern lock writ large, covering the entire mentality.
In short, stunning.
-
@dkf said in Default Index:
@topspin said in Default Index:
But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
The biggest practical problems you see among people using Java as a server relate to SQL injection and XSS, and those are both instances of the general “let's blindly substitute this string in that one” vulnerability class, which are disappointingly easy to do in almost any language. With appropriate templating libs, you don't get any of that. (Such things do exist for Java and JSP so it's not like people actually have a good excuse.)
Using Hibernate, it throws exceptions when you try to inject stuff like semicolons or comments. Not that it's perfect protection if you're doing dumb stuff in building queries, but...
-
@boomzilla said in Default Index:
@dkf said in Default Index:
@topspin said in Default Index:
But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
The biggest practical problems you see among people using Java as a server relate to SQL injection and XSS, and those are both instances of the general “let's blindly substitute this string in that one” vulnerability class, which are disappointingly easy to do in almost any language. With appropriate templating libs, you don't get any of that. (Such things do exist for Java and JSP so it's not like people actually have a good excuse.)
Using Hibernate, it throws exceptions when you try to inject stuff like semicolons or comments. Not that it's perfect protection if you're doing dumb stuff in building queries, but...
Using Hibernate, it also lazy loads collections by default, so, if you need to call a collaborator during iteration, you just tied your database connection use time to web response time.
-
@Gribnit said in Default Index:
@boomzilla said in Default Index:
@dkf said in Default Index:
@topspin said in Default Index:
But I don't see anything that should make running Java on a server less safe than insecure-by-designincompetence bullshit like PHP.
The biggest practical problems you see among people using Java as a server relate to SQL injection and XSS, and those are both instances of the general “let's blindly substitute this string in that one” vulnerability class, which are disappointingly easy to do in almost any language. With appropriate templating libs, you don't get any of that. (Such things do exist for Java and JSP so it's not like people actually have a good excuse.)
Using Hibernate, it throws exceptions when you try to inject stuff like semicolons or comments. Not that it's perfect protection if you're doing dumb stuff in building queries, but...
Using Hibernate, it also lazy loads collections by default, so, if you need to call a collaborator during iteration, you just tied your database connection use time to web response time.
Just tell it you want eager fetching where it matters then.
-
@Carnage said in Default Index:
Just
Just
Just
The doer of initial needful, tends not to be aware of eagerness, in any form, including this one.
-
@Gribnit said in Default Index:
@Carnage said in Default Index:
Just
Just
Just
The doer of initial needful, tends not to be aware of eagerness, in any form, including this one.
If you have doers of initial needfulness then lazy loading is probably the least of your problems.
-
@boomzilla said in Default Index:
If you have doers of initial needfulness then lazy loading is probably the least of your problems.
They practice lazy loading of learning about the API.
-
@boomzilla said in Default Index:
@Gribnit said in Default Index:
@Carnage said in Default Index:
Just
Just
Just
The doer of initial needful, tends not to be aware of eagerness, in any form, including this one.
If you have doers of initial needfulness then lazy loading is probably the least of your problems.
It is!