yep. A coworker introduced a CSRF doing this. I had to point out that you can't ... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

deckard1 on Jan 9, 2023 | parent | context | favorite | on: How to store your app's entire state in the url

yep. A coworker introduced a CSRF doing this. I had to point out that you can't just take raw input from a URL and throw it back on the page. Even after I pointed it out and gave a proof-of-concept they still didn't get it.

tlavoie on Jan 9, 2023 [–]

Right, that's usually when I go into story-telling mode, to paint a picture of exactly the sorts of things I'd be doing with the problem as an attacker. Technical vulnerability descriptions provide useful information, but people often need an idea of what it really means, to them.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact