
The site doesn't seem to be thrown together very well; you can dump the entire DB by searching for a space character [0] (assuming every officer should have a space in their full name). It dumps as a nice JSON format with all the details.

All the headshots can easily be extracted by appending "https://watchthewatchers.net/headshots/" to the values from the "imagePath" value in the JSON dump.

[0] https://watchthewatchers.net/api/search/%20



Code quality and potential security issues aside, I don't think the creators would mind any member of the public having a full copy.


> you can dump the entire DB by searching for a space character

I abused this trick to perform local fuzzy searches for usernames; results would update with no delay on every keypress, and the competing devs were so blown away and couldn't tell how I did it lol.

Best exploit ever. It wouldn't have scaled but it was still so funny to see everyone else's reactions.


In my experience the vast majority of the time exploits are found over Ajax APIs. Developers just forget that sanitization client side isn't secure. It's a good party trick for sure.


The funny thing is that you actually didn't do it by searching for an actual space—you would search for an underscore, and they would convert it to a space after checking if the input is empty, but before trimming, so...
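An added example, not code from this thread or from the site being discussed, that models the validation-ordering bug described in the comments above (emptiness checked on the raw input, underscore translated to a space afterwards) next to a hardened search handler that normalizes first, requires a minimum query length, matches on name tokens rather than any substring, and caps the page size. The officer records and field names are constructed sample data; `weakSearch`, `hardenedSearch`, `MIN_QUERY_CHARS` and `MAX_RESULTS` are this example's own names.

```javascript
// Constructed sample records standing in for a search API's backing table.
const RECORDS = [
  { name: "Jane Doe", imagePath: "jane.jpg" },
  { name: "John Q Public", imagePath: "john.jpg" },
  { name: "McLovin", imagePath: "mclovin.jpg" },
];

// Weak handler (the ordering the comments describe): the emptiness check runs
// on the raw query, and only then is "_" rewritten to " ". A lone "_" or " "
// survives as a one-character needle that is a substring of almost every name.
function weakSearch(query, records = RECORDS) {
  if (query === "") return [];             // only the literally empty string is rejected
  const needle = query.replace(/_/g, " "); // translation happens after the check
  return records.filter((r) => r.name.includes(needle)); // unbounded result set
}

// Hardened handler: normalize before validating, enforce a useful minimum
// length, match at the start of name tokens so a bare separator can never
// match, and never return more than one page of results per request.
const MIN_QUERY_CHARS = 2;
const MAX_RESULTS = 20;

function hardenedSearch(query, records = RECORDS, limit = MAX_RESULTS) {
  if (typeof query !== "string") return { error: "query must be a string" };
  // Collapse runs of whitespace/underscores to a single space, trim, lower-case.
  const needle = query.replace(/[_\s]+/g, " ").trim().toLowerCase();
  if (needle.length < MIN_QUERY_CHARS) {
    return { error: `query must contain at least ${MIN_QUERY_CHARS} characters` };
  }
  const tokens = needle.split(" ");
  const hits = records.filter((r) => {
    const nameTokens = r.name.toLowerCase().split(" ");
    // Every query token must be a prefix of some token in the name.
    return tokens.every((t) => nameTokens.some((n) => n.startsWith(t)));
  });
  return { results: hits.slice(0, Math.min(limit, MAX_RESULTS)) };
}

// Stand-alone demonstration of the two behaviours.
console.log("weak, space     ->", weakSearch(" ").map((r) => r.name));
console.log("weak, underscore->", weakSearch("_").map((r) => r.name));
console.log("hardened, space ->", hardenedSearch(" "));
console.log("hardened, 'doe' ->", hardenedSearch("doe"));
```

Two things worth noting from running it: the weak handler's space query also misses single-token names such as `McLovin`, exactly as one commenter points out, so the "dump" is not even complete; and the hardened version's cap on `limit` is what matters for disclosure, since a short-query check alone can still be satisfied by a common two-letter prefix.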


Here's a preview of clicking the API link:

https://i.imgur.com/nbhL64L.png

It took a while to load for me, so I'm posting this to spare the site from the HN hug of death, even if just a little bit.


I saved it, just in case it gets removed.


> you can dump the entire DB by searching for a space character

You'll probably miss some names like McLovin.



