Comments on: A Lesson in Web Application Security Part 1

By: A Lesson in Web Application Security Part 2 « TheWheat Field

A Lesson in Web Application Security Part 2 « TheWheat Field — Wed, 25 Mar 2009 17:01:26 +0000

[...] , Security , Technology Tags: a level, as, Brunei, exploit, o level, results, sms **Read Part 1 to get the full picture of [...]

By: NTT

NTT — Fri, 30 Jan 2009 11:02:50 +0000

So you’re saying the issue is that anyone can access the results of any candidate as long as they know the Candidate Code?? But that’s gonna be hard no??

But one can use this just to do a DOS attack on the telecom company, or an individual.. Just write a script to “attach” a cellphone no. on ALL results.. Hehehehe.. Ooops.. Am I not supposed to say that??

By: TheWheat

TheWheat — Fri, 30 Jan 2009 04:33:46 +0000

It’s not meant to be seen… yet as I don’t want it to be exploited. Though, you are always free to investigate on your own. Trying to do responsible disclosure.

By: LSM

LSM — Fri, 30 Jan 2009 04:20:38 +0000

So then what is the issue? I’m not seeing it.

By: TheWheat

TheWheat — Fri, 30 Jan 2009 03:01:25 +0000

Ok it’s fixed. ScribeFire issue not working well with WordPress. Well the actual names and results are changed to protect the identity and results of the person whose results I did get

By: LSM

LSM — Fri, 30 Jan 2009 02:49:09 +0000

I think you need to reflow Steps 4 and 5. They’re hidden cos they’re too long. You can copy & paste the text into notepad but that’s a pain.

If you mean the design flaw is defaulting everything to A’s I can imagine a lot of people called CANDIDATE NAME will be celebrating prematurely.