Hacker News new | ask | show | jobs
Show HN: Newsboard – A Hacker News Clone (newsboard.robdelacruz.com)
24 points by robdelacruz 2122 days ago
8 comments
jenoer 2122 days ago
@robdelacruz: I have a few security-related findings for you that you might want to take a look at:

- I can inject any JavaScript in Titles, Tags and possibly other locations.

- By manually changing the value of the `userid` cookie, I can log in as any user ("1" for admin). This also allows me to access the admin section of the website.

- It's highly recommended to enable "HttpOnly" for session cookies. (Secure and SameSite should also be more strict if the application allows it)

Other remarks:

- There should be a limit on the length of submission titles, these are close to infinite it seems.

Edit: It seems others are completely defacing the board by using these tricks. I just want you to know that it's not me.

link
robdelacruz 2121 days ago
Thanks for the bug reports. Much appreciated. Will take a look at these one by one. Hopefully to get the site back up and running.

Source code is at: https://github.com/robdelacruz/newsboard

link
zxcvbn4038 2122 days ago
This is why we can’t have nice things! Citibank had the same issue five or six years ago where once you logged in you could change the URL to any account. I think they lost something like $36 million before the hole was plugged.
link
willio58 2122 days ago
This is hilarious, people are having a javascript alert conversation on this site.
link
krapp 2120 days ago
It looks like you're using HTML form maxlength attributes to determine the maximum length for elements. I hope you're also validating that on the server somehow, because of course anyone can simply delete those before posting.

Remember, no one even has to go through your form to make a POST request to one of your endpoints (unless maybe you're using CSRF tokens, which you don't seem to be). Never assume that what you send to the user has any relationship to what they send back, and never validate on the front end.

link
robdelacruz 2120 days ago
You're right, there's no validation on the server. Need to fix those.

As quick fix to get the site up and running again, I just trimmed off any overly long title or cat beyond a certain limit of chars.

link
robdelacruz 2121 days ago
(OP here) Hi guys, thanks for checking out newsboard.

Source code is here https://github.com/robdelacruz/newsboard

I will look into fixing the security bugs to get the site back up and running. Feel free to check out the code.

If you have time to waste, check out my "unix fortune2" web page to get your unix fortunes. It's a clone of 'unix fortune':

http://fortune2.robdelacruz.com/

link
robdelacruz 2121 days ago
Site is up again: http://newsboard.robdelacruz.com/
link
brian_herman__ 2122 days ago
i think someone figured out how to include their own javascript inside the website i got two alert boxes when i opened the page.
link
freetonik 2122 days ago
Looks neat and tidy. Is it open source?
link
iKevinShah 2122 days ago
The first link on the demo is this - https://github.com/robdelacruz/newsboard

Seems like the source

> newsboard - a bulletin board and bookmark sharing site (inspired by HackerNews)

link
robdelacruz 2121 days ago
OP here. Right, that's the source:

https://github.com/robdelacruz/newsboard

I used plain css from scratch to keep it small. I tried to copy the HackerNews look, but using Flex instead of Tables.

link
DarthGhandi 2122 days ago
It looks like it's using this hugo theme but I may be wrong.

https://themes.gohugo.io/hugonews/

link
whinvik 2122 days ago
Is the source for HN available?
link
detaro 2122 days ago
A older version/variant is part of the Arc sources (http://www.arclanguage.org/ ), but the code running the actual site is not.
link
pcdoodle 2122 days ago
Very cool!
link
maps7 2121 days ago
You should probably take this down now
link