Hacker News
by cjbprime, 446 days ago
Looks like it was possible to include the `x-middleware-subrequest` header in your request, tricking the state machine into thinking you'd passed auth already.
(Don't use the user input itself to encode state!)
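
The pattern the comment describes, as an added example that is not part of the original comment or of any project's code: a hypothetical middleware runner that reads its "auth already ran" state from the `x-middleware-subrequest` request header, beside a version that keeps that state in server memory and discards the header from the wire. All function names, the cookie value and the sample requests are constructed assumptions; header keys are assumed to be lowercased, as Node's HTTP parser delivers them.

```javascript
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Stand-in auth check against a constructed session cookie.
function isAuthenticated(req) {
  return req.headers['cookie'] === 'session=valid';
}

// Vulnerable shape: "middleware already ran" is read from a request
// header, so the client controls the state machine.
function vulnerableHandle(req) {
  if (req.headers[INTERNAL_HEADER] !== undefined) {
    return { status: 200, body: 'protected content' }; // auth skipped
  }
  return isAuthenticated(req)
    ? { status: 200, body: 'protected content' }
    : { status: 401, body: 'unauthorized' };
}

// Hardened shape: internal state lives in server memory, keyed by the
// request object. Nothing a client sends can add an entry here.
const internalSubrequests = new WeakSet();

function markInternal(req) {
  internalSubrequests.add(req); // reachable only from server-side code
  return req;
}

function hardenedHandle(req) {
  const headers = { ...req.headers };
  const spoofed = INTERNAL_HEADER in headers; // worth logging for detection
  delete headers[INTERNAL_HEADER];            // never trust it from the wire
  if (internalSubrequests.has(req)) {
    return { status: 200, body: 'protected content', spoofed: false };
  }
  return isAuthenticated({ ...req, headers })
    ? { status: 200, body: 'protected content', spoofed }
    : { status: 401, body: 'unauthorized', spoofed };
}

// Constructed requests: one carrying the header, one marked by the server.
function demo() {
  const forged = { url: '/admin', headers: { [INTERNAL_HEADER]: 'constructed-value' } };
  const internal = markInternal({ url: '/admin', headers: {} });
  const hardened = hardenedHandle(forged);
  return { vulnerable: vulnerableHandle(forged).status, hardened: hardened.status,
           flagged: hardened.spoofed, internal: hardenedHandle(internal).status };
}
```

The same separation can be enforced one hop earlier by having the reverse proxy drop the header from inbound requests, so the application never sees a client-supplied copy.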