Hacker Newsnew | comments | show | ask | jobs | submit login
My weekend project: anonymous, realtime message board with socket.io (oak.io)
45 points by ecto 1064 days ago | 43 comments



Do NOT go to this service! It does not filter JavaScript and so is succeptble to XSS and other hacks. I sent on and clicked on a chat named 'Natalie portman' and it can up with an alert box that said 'no chance bro' and kept on popping up and I had to shut down my browser. Other than that - pretty kewl! Is the code open source?

-----


I actually got tricked by that too haha. I went into the database and deleted that, and pushed a fix to production.

-----


You are now totally qualified to start a Bitcoin bank.

-----


I laughed a bit.

-----


Who cares if it's open to XSS? Does the site have a cookie you care about?

If it's truly anonymous, then it doesn't matter if someone forges your cookie.

-----


Let me start by saying that the notion that XSS can only be used to harvest cookies is a very common misconception. The truth is that, with XSS, any action a user may do on the vulnerable site (that doesn't require a password) can be mimicked.

With an XSS vector in the board title (meaning the JavaScript would be injected into the page listing all boards) it would be possible to force all visitors to participate in a DDoS attack against this site. If I'm not mistaken, it would be possible to force the participation in a DDoS against ANY site. I'm fairly certain that cross-site ajax works fine in modern browsers, but without cookies to prevent abuse- cookies are not necessary for DDoS.

Edit/Note: This does mean that any site could force visitors to participate in a DDoS attack. What prevents this from becoming common is the number of visitors required for a DDoS attack to succeed.

This would probably not work on this site because the number of users is only ~6000. I don't know how many users would actually be required to dent a typical site. I do know that "Anonymous" recently used a client side DDoS tool on a large number of users.

Edit 2: In light of http://news.ycombinator.com/item?id=4000301, I'll point out that XSS could result in the forced posting of illegal content, as well.

-----


It is a fun little site, I really enjoyed playing with it. You really need to add some spam prevention, title & comment length limits, fix exploits, etc.

I wanted to play around with it some more, but it's just pure spam now.

-----


Thanks! I really hate spammers :\

-----


This is just on a small Joyent server, running one process. I started it Friday night so there's still a few holes.

-----


Yeah, like it's not anonymous. Someone figured out that you can see all ip addresses (tied to comments) when you open up firebug.

-----


I fixed that actually. You can still get around my fix but I will fix the fix later.

-----


So it's totally anonymous except you store the IP addresses, huh?

-----


Correct.

-----


Pretty misleading.

The whole point of your experiment was to see how people would act if completely anonymous, right? They aren't. So your experiment is flawed.

-----


I can't reply to you so I'm replying to myself.

I honestly thought you were going for full anonymity. In fact, my first thought was that you were taking it a step further than 4chan and that it would be interesting to watch.

-----


They're anonymous in the context of the conversation. Anytime you visit a website, you know your IP is being logged.

-----


Seeing as how there aren't terms of service maybe YOUR flawed. It's a web app that never guaranteed your privacy.

-----


"oak is an experiment. what will people act like if they are truly anonymous?" His words.

Note that I'm not "mad." I only pointed out that it was misleading.

-----


It's like real-time reddit.. its be fun, but probably hard to make constructive, lol

I like it, and envy the fact you could just create this on a whim over a weekend. I wish I had that kind of discipline when it comes to some of my spontaneous ideas!

-----


This is actually a lot of fun man, kudos.

-----


Thanks! I had a lot of fun writing it!

-----


Are you planning on open sourcing the code via Github or something? I haven't built a Node app myself just yet, would be interesting to see how you did it.

-----


I think I might! The code is still kind of gnarly right now but I'll clean it up this week and decide then.

-----


Cool one!

It'd probably be a good idea to crop titles and contents if they exceed a particular length.

-----


Doing this right now!

-----


Pushed a limit of 200 chars

-----


Might want to stop same IP from posting over and over again...

-----


I added a limit of 15 posts per minute for now

-----


What if you try 1 post per 30 seconds ?

-----


I guess he's NOT GOING TO GET BANNED....

-----


I just added a basic spam detector and truncated title lengths :|

-----


Also I had to upgrade my RAM pretty fast haha. Should be better now.

-----


Nice work dude! This is like 4chan, but real-time :D

-----


I'll take that as a compliment haha.

-----


Nice MVP with critical mass reached.

-----


What kind of server do you use?

-----


This is just a single process on a Joyent SmartMachine. It's the first time I've used them and I've been pleased!

-----


nice

-----


cool

-----


So you built 4chan without the user base.

-----


lol the xss possibilities on this thing are making me drool a bit

and that guy is not going to get banned

-----


I patched up the ones that were apparent, but I'm sure there's still some open.

-----


oh trust me, there are still plenty. depending on how you handle the spamming and stuff, I might even contribute the ones I find myself.

-----




Guidelines | FAQ | Support | API | Lists | Bookmarklet | DMCA | Y Combinator | Apply | Contact

Search: