Notices by Bee O'Problem :godot: (beeoproblem@mastodon.gamedev.place), page 2

Talk I'm listening to today: https://youtu.be/EZ05e7EMOLM

The experience of ATDD (acceptance test driven development a la Cucumber Gherkin etc) definitely follows mine. They're a lot of work to write, and the customer-facing part never is used.

To expand: No customer cares that button X opens modal Y. They care about higher level stuff like "does the wizard I asked for exist? do I like using it?"

For a webapp the finest granularity that will be read is page, form or dialog. That's it.

@silverwizard Yeah. I have no objections to the flag being high severity/risk. If it weren't a false positive it could be exploitable for RCE after all.

I'm just annoyed that it wasted my time by flagging sketchy evidence of an possible exploit as being stronger than it was. I wasted time I should've been spending on issues with better evidence.

@silverwizard ZAP seems to for some reason. It'd be much better if it didn't

Today in What Grinds my Gears:
When a ZAP scan flags a "high severity, high confidence" issue based on literally nothing.

ZAP: sends a request with a hinky query string
Server: ignores all query strings
ZAP: OMG BLIND SERVER SIDE INJECTION INTO A NONEXISTENT TEMPLATE ENGINE!!!!!11one

As in previous "What Grinds my Gears" I really don't get why these scanning tools assign ridiculously high confidence values to issues where there's no evidence the vulnerable component exists.

To be safe I even wasted my time checking the server itself and the entire stack has literally zero interaction with the query string whatsoever.

I'm mainly angry due to the absurd "high" confidence ZAP is assigning the flag.

First: ZAP has no knowledge of the server's implementation. There's no way to tell a "blind" injection even exists.

Second: The evidence something bad happened is NOTHING. It's just as likely the input didn't do anything.

Third: Response time was unchanged

@silverwizard lol 🤭

@aeva damn girl are you an open source project? cuz I can't hear what you're saying... what do you mean pulseaudio?

@silverwizard that sounds nice. See you there

My #gamedev #livestream will not be happening on schedule tonight.

Got last minute word that a memorial service is happening for a good friend who recently passed is tonight. The event overlaps with my 7pm stream time.

If I'm in the mood I may do a late guerilla stream but no guarantees.

@eniko the ones that I've seen complaining the most are journalist/influencer types and, if you'll forgive the term, normies.

Folks that either want to shove their content in front of as many eyeballs as possible or folks that just want to take in content/news without having to think particularly hard about actually getting to know interesting people

@haverholm but not maroon5 or matchbox20?