*the author called me a kid in one of his passive-aggressive comments.
In this post you will see why security should be taken seriously ...
How you trivially misrepresented what the article claims, ignored the disclaimers made and the conclusion reached, and then compiled the half a dozen hours of guided tinkering and troubleshooting that went through the process of writing this article to pretend it was trivial with the sole intent of ridiculing someone for the crime of asking for feedback.
All of this to finally miss the point. The existence of this article proves the measure works for what it was designed to do (protecting the UI controls against fiddling employees).
Someone able to do this (especially without the guidance from the developer) could just as easily find the endpoints in the source code and work from there, no playing with the UI required.
I thought you said the pentester used a tool to alter the responses?
Are your fiddling employees capable enough to install and use the hacking tool that the pentester used, but not capable enough to understand the code?
You miss the point. You can, for example, mess around in the devtools to change the body of incoming responses. You don't need the tool.
I hope you learned something.
I learned that some people are not worth 6 hours of conversation. Thanks for the lesson.
When you ran out of power attacking my ideas the only thing you can do now is attack the person. It seems you learned nothing, which is a shame.
"when you ran out of power attacking my ideas" is a weird way of spelling "trying to disprove your point I ironically proved it".
My goodness. I signed up exclusively to tell you what a sore loser you were. Hopefully not a year later.
Nice clear example, how long did this take to complete?
I had the knowledge to do this in 10 minutes, the time it took to write this article. Took me 6 hours to explain everything to the author and handle his passive-aggressive comments.
While I'm a security enthusiast, my main work area is around front-end architecture. I would expect a well prepared hacker to just laugh at this.
Some 6 hours, with me helping all the way. In the original article you can "follow" the process.
If it makes you feel better, let's say you helped me. Even so, it seems like 6 hours is a pretty low entry barrier to something your pentesters deemed secure enough.
There is no other way of interpreting it. But if it makes you feel better, let's say 6 hours driving with a GPS gets you to your destination just like 6 hours driving taking random turns.
They deemed it secure enough based on the profile of the potential attackers. And as it turns out, this is secure enough because it is industry standard; it is in all regards a simplified version of JWT.
This is still the wrong use-case for JWS though. There's literally no benefit of using signed messages from your server. It's cool and all, you learned a bunch implementing it, but that's it.