The worst company ever.

A Greek company is hiring. Hooorayyyy. They want some HTML/PHP/MySQL registration form. A friend of mine sends his CV along with the registration form. They contact him and schedule a presentation of the form with their chief PHP developer.
Background intel. The registration form hashes each password with salted SHA-2 and then re-hashes the result with MD5, purely to shorten the stored value. The PHP source contains some basic anti-SQLi checks, and from a programming perspective the code is fine and works under any circumstances. The HTML is mostly HTML4 and the CSS is CSS3. The form has some required fields, which he checks using JavaScript. Nothing fancy yet.
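As an added example (not the form the friend submitted, and not code from this post), here is what that paragraph describes, written out in PHP: the salted SHA-2 digest re-hashed with MD5, prepared statements in place of ad-hoc anti-SQLi checks, and a server-side required-field check that does not rely on the JavaScript. The table name, column names, the PDO connection details, the field list and the function names are all assumptions.

```php
<?php
// Added example, not the friend's code. Table/column names, the PDO
// connection and the field list are assumptions made for illustration.

declare(strict_types=1);

// The scheme as described: per-user random salt, SHA-256 over salt+password,
// then MD5 over the hex SHA-256 digest to shorten it from 64 hex characters
// to 32. The MD5 step adds no security; it only truncates the 256-bit result
// to 128 bits. Nothing here can be "decrypted": verification re-hashes the
// candidate password and compares digests.
function legacy_hash(string $password, string $salt): string
{
    $sha = hash('sha256', $salt . $password);   // 64 hex chars
    return md5($sha);                            // 32 hex chars
}

function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

// What a practitioner would use instead of a fast hash chain: PHP's built-in
// password_hash() (bcrypt by default), which salts, is deliberately slow,
// and is checked with password_verify().
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// "Anti-SQLi checks" done properly: a prepared statement, so the username is
// bound as data and never spliced into the SQL text. Assumes a PDO connection
// to MySQL in $pdo and a table users(username, salt, pw_hash).
function register(PDO $pdo, string $username, string $password): void
{
    $salt = make_salt();
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, salt, pw_hash) VALUES (:u, :s, :h)'
    );
    $stmt->execute([
        ':u' => $username,
        ':s' => $salt,
        ':h' => legacy_hash($password, $salt),
    ]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT salt, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Constant-time comparison of the stored digest with a fresh one.
    return hash_equals($row['pw_hash'], legacy_hash($password, $row['salt']));
}

// Server-side required-field check. The client-side JavaScript check is a
// usability aid only; anyone can POST to the handler without running it.
function required_fields_present(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $missing = required_fields_present($_POST, ['username', 'password', 'email']);
    if ($missing !== []) {
        http_response_code(400);
        exit('Missing: ' . htmlspecialchars(implode(', ', $missing)));
    }
    // Assumed connection details.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    register($pdo, $_POST['username'], $_POST['password']);
    echo 'Registered.';
}
```

Two things worth noticing: the MD5 pass only shortens the digest, so a `substr()` of the SHA-256 output would store exactly the same amount of entropy, and the real fix for password storage is the slow, salted `password_hash()` rather than any chain of fast hashes. The prepared statement is what actually prevents SQL injection; string-based "anti-SQLi checks" on the input are at best a second line of defence.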

Time for the chief PHP developer to ask him a few questions.

-I saw that the password is encrypted. How do you decrypt it?

For fuck's sake. I guess that when the guy hears "hash function" he thinks of marijuana.

-I would block multiple HTTP requests by modifying Apache.

Yes, because we haven't invented firewalls or sessions yet. I would mention IDS/IPS, Apache mod_sec etc., but that would be going too far.

-The way you check for the required fields is HTML 5.

It's called JavaScript, and it is simple.

-Posting the same parameter always leads to SQLi.

It may lead to DDoS. I’d say port knocking as well but…

I'd say that these guys should be unemployed, etc., but… That company is hired by the Greek public sector. Can you spot the irony?
