upvote

points

by mindcrime3 hours ago |
comments
upvoteby scarface_742 hours ago|
[-]
My responsibility is to make sure my code meets functional and non functional requirements. It’s to understand the *behavior*. My automated unit, integration, and load tests confirm that.

Someone thought I was naive when I said my vibe coded internal web admin site met the security requirements without looking at a line of code.

I knew that because the requirements were that anyone who had access to the site could do anything on the site and the site was secured with Amazon Cognito credentials and the Lambda that served it had a least privileged role attached.

If either of those invariants were broken, Claude has found a major AWS vulnerability.

reply
upvoteby Terr_2 hours ago|
parent|
next
[-]
As written, I do think that's naive. Being sure the person/browser is authorized doesn't mean that the signals you get are actions they intended.

Suppose that in normal use a user can visit a certain URL which triggers a dangerous effect. An attacker could trick the user into performing the action by presenting a link to them titled "click here for free stuff."

There are various ways to protect against that (e.g. CORS, not using GET methods) but backend cloud credential management does not give it to you for free.

reply
upvoteby scarface_7459 minutes ago|
parent|
[-]
And that same user is already trusted to have admin access to the entire organizational AWS credentials - I did say it was an internal management site.

The lambda itself only has limited permissions to the backend. The user can’t do anything if the lambda only has permission to one database and certain rights to those tables, one S3 bucket, etc.

Heck with Postgres on AWS you can even restrict a Cognito user to only have access to rows based on the logged in user.

And the database user it’s using only has the minimum access to just do certain permissions.

reply
upvoteby sgarland2 hours ago|
parent|
prev|
next
[-]
Did you mean to reply to someone else? This seems awfully defensive for a reply to parent’s comment.
reply
upvoteby losvedir1 hours ago|
parent|
prev|
[-]
It wouldn't prevent the admin page from exfiltrating data, though, right? Like, POSTing whatever data is loaded on the page to an arbitrary attacker controlled website.
reply
upvoteby scarface_7456 minutes ago|
parent|
[-]
That would require the logged in user to do something stupid. That’s like saying what’s to prevent the authorized user from emailing his credentials to a random person.
reply