
> Our penetration testers would see it in their HTTP request monitoring tools!

> What hours do they work? My code doesn’t send anything between 7am and 7pm.

Which Time Zone? Hah!

(Not that this one nit pick takes away from the general very well made point of the article, I just love how TimeZone problems infect everything)



The browser’s? People do tend to keep their PC in the local timezone.


I wonder how much pen testing is done by hand and how much by automatic tools?

Anyway, I'm being pedantic. There are a lot of great points in this article.


Sure, the night build fails, then in the morning the engineer comes in, looks at it, can't replicate, marks as fixed.


That makes sense but then the article's claim of losing half the credit cards is only true if we assume even distribution of user activity which seems far fetched at best.


I originally wrote "about half" but there was one too many words in the sentence. Also I figure for an eCommerce site max-traffic might be 7-9pm or something so even though there's more sleeping happening outside 7am-7pm, there might be equal traffic. Anyway ... close enough.


Yeah it’s a total nitpick, the point is still made.


It's client-side code. So the browser's time zone.


I would think a good tool for pen testers could be one that runs all day, refreshing the same page occasionally, after clearing everything, and reports any requests that differ from request to request.


One could run the site's selenium tests every hour or so and then look at the network log (use a proxy while testing). It'd then be easy to catch any request that is not whitelisted by you.

Of course, we all do this. /sarcasm
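
The check the two comments above describe (capture the page's outbound requests on a schedule, flag anything not on an allowlist, and diff one run against another to catch code that only phones home at certain hours), as an added example that is not part of the thread or the article. It reads HAR-shaped captures, which is the export format of browser devtools and most intercepting proxies; the allowlist, the hostnames and both captures are constructed for the example.

```python
"""Added example: compare a browser test run's network capture against an
allowlist of hosts, and diff two runs made at different times of day.
All hostnames and captures below are constructed for the example."""
from urllib.parse import urlsplit

# Hosts the checkout page is expected to talk to (constructed).
# '*.domain' entries allow any subdomain; everything else is an exact match.
ALLOWLIST = frozenset({"shop.example", "*.shop.example", "api.payments.example"})


def host_allowed(host, allowlist=ALLOWLIST):
    """Exact match, or suffix match for '*.domain' entries."""
    for entry in allowlist:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # entry[1:] is ".domain"
                return True
        elif host == entry:
            return True
    return False


def urls_from_har(har):
    """Pull the request URLs out of a HAR capture, in capture order."""
    return [e["request"]["url"] for e in har["log"]["entries"]]


def unexpected_requests(urls, allowlist=ALLOWLIST):
    """URLs whose host is not on the allowlist."""
    return [u for u in urls if not host_allowed(urlsplit(u).hostname or "", allowlist)]


def diff_runs(urls_a, urls_b):
    """Hosts contacted in one run but not the other. This catches code that
    only sends at certain hours even if the host has crept onto the allowlist."""
    hosts_a = {urlsplit(u).hostname for u in urls_a}
    hosts_b = {urlsplit(u).hostname for u in urls_b}
    return hosts_a - hosts_b, hosts_b - hosts_a


def _har(*urls):
    """Build a minimal HAR-shaped capture (constructed test data)."""
    return {"log": {"entries": [{"request": {"method": "GET", "url": u}} for u in urls]}}


# Constructed captures: the same checkout page loaded at noon and at 3am.
CAPTURE_NOON = _har(
    "https://shop.example/checkout",
    "https://cdn.shop.example/app.js",
    "https://api.payments.example/v1/tokenize",
)
CAPTURE_3AM = _har(
    "https://shop.example/checkout",
    "https://cdn.shop.example/app.js",
    "https://api.payments.example/v1/tokenize",
    "https://stats-collector.example/px.gif?d=YWJj",  # only fires outside 7am-7pm
)


def report(noon, night):
    """Everything a reviewer would want flagged from a pair of captures."""
    noon_urls, night_urls = urls_from_har(noon), urls_from_har(night)
    gone, new = diff_runs(noon_urls, night_urls)
    return {
        "unexpected_noon": unexpected_requests(noon_urls),
        "unexpected_night": unexpected_requests(night_urls),
        "hosts_only_at_noon": sorted(gone),
        "hosts_only_at_night": sorted(new),
    }


if __name__ == "__main__":
    for key, value in report(CAPTURE_NOON, CAPTURE_3AM).items():
        print(f"{key}: {value}")
```

The diff is the part that matters for the time-of-day trick in the article: an allowlist only helps if someone maintains it, whereas a host that shows up in the 3am run and not the noon run is suspicious regardless. Run the capture from a clean profile each time, as the earlier comment suggests, so cached resources do not hide requests.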



