Ok, so, a little while ago I was looking over a website my friend works at. She's a Junior Developer and so clearly thinks I am magic and can hack anything. Of course I wanted her to think that, so I started poking around on the site she works on.
After a few failed, very obvious opening moves (nmap seemed to show lots of open ports, but it was just a cluster), I noticed something odd. There were a bunch of requests -- a huge volume actually, with a particular signature, let's call it 'cp5' to keep this anonymous. This struck me as odd so I looked through the network requests to see what was being sent. I noticed something even odder.
Nothing about the request seemed to include any proper validation information. It was clearly a big data collector that wanted to report everything I was doing on the website back to the owner. So I did what any normal person would do and crafted a packet telling it that I'd done something I hadn't.
Well then! Surely, I thought, if I send it thousands upon thousands of packets, all telling it I did things I didn't really do, it would reject these as false.
It accepts them and tells me everything is fine. There is nothing in the code-base that filters requests after that, unless they are badly crafted, which my fake data was not -- it was crafted to look like something it wasn't.
So I can tell a multi-million pound florist that vastly more people are navigating their website who aren't (not that I would; my data would have seemed like a blip, nothing more, and done no real damage to their business) and it just accepts my word as gospel.
So that's how I hacked big data with just Postman and Chrome. I'm not going to tell you all the details of which program it is, or how the owners of that program tell me it can't be fixed, even though they charge around $2000 a month for it, because then everyone would do what I did.
But... what is the thing you use to clear snow away?
Hhhhmmmm. I've said too much.
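
For anyone running a collector like the one described above, here is a sketch of the server-side check it was missing. This is an added example, not code from the post or from the product it describes. The names (`issue_token`, `Collector`), the key and the limits are all assumptions. A token like this cannot stop a real browser session from misreporting its own activity, but it rejects events that were never tied to a page the site served and caps how much any one session can add to the numbers.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the browser
TOKEN_TTL = 1800                  # assumption: token lifetime in seconds
WINDOW_SECONDS = 60               # assumption: rate-limit window
MAX_EVENTS = 5                    # assumption: accepted events per session per window

def _mac(session_id, issued):
    return hmac.new(SECRET, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id, now):
    """Called by the web app when it serves a page; session ids must not contain '|'."""
    issued = str(int(now))
    return f"{session_id}|{issued}|{_mac(session_id, issued)}"

class Collector:
    def __init__(self):
        self.recent = defaultdict(deque)  # session id -> timestamps of accepted events

    def accept(self, event, now):
        """Return (accepted, reason) for one incoming tracking event."""
        parts = str(event.get("token", "")).split("|")
        if len(parts) != 3:
            return False, "missing_token"
        sid, issued, mac = parts
        # Constant-time comparison against the MAC only the server can compute.
        if not hmac.compare_digest(mac.encode(), _mac(sid, issued).encode()):
            return False, "bad_signature"
        if now - int(issued) > TOKEN_TTL:
            return False, "expired_token"
        window = self.recent[sid]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()          # forget events that left the window
        if len(window) >= MAX_EVENTS:
            return False, "rate_limited"
        window.append(now)
        return True, "ok"

def demo():
    """Constructed events: no token, a made-up token, then a burst on a valid one."""
    collector, t0 = Collector(), 1_700_000_000
    token = issue_token("sess-a", t0)
    forged = {"page": "/checkout", "token": "sess-x|1700000000|" + "0" * 64}
    reasons = [collector.accept({"page": "/checkout"}, t0)[1],
               collector.accept(forged, t0)[1]]
    reasons += [collector.accept({"page": "/p", "token": token}, t0 + i)[1] for i in range(7)]
    return reasons
```

Rejected events are worth logging with their reason, because a spike in `bad_signature` or `rate_limited` is itself a signal that someone is feeding the collector.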