Fun at “automatiseringsgids”

Even companies that claim to know about ICT, and write about other companies doing it right or wrong, sometimes get it (very) wrong themselves. Anyone with an account at De Automatiseringsgids knows the login screen. But have they also noticed that their username and password are sent to the server in plain text?

Another funny thing a colleague of mine discovered is the really weird way error messages are displayed. The server returns the error message as part of a redirect. Yes, you’ve read that correctly. No server-side state here, guys, must keep memory usage down. No sessions here, move along… A really funny thing you can do is display your own error messages, like so:

De automatiseringsgids with weird error

Wie dit leest is gek

I think somebody will start playing with this, because you can do a lot more (very bad) things. Should they have fixed it already by the time you read this, I saved a screenshot for you. You would have got something along the lines of this:

After discussing this weird construction, we concluded that the programmers wanted to do a “post-by-redirect” construction, where the server returns a redirect to the browser just after a POST. This solves the “reload problem”, where the browser asks whether it may re-post the data for you. Since a redirect is a GET, the browser will just reload the page. Normally you solve this by storing things in the session on the server and sending only a session reference to the browser. Combined with HTTPS, this gives you relatively strong, and still not too expensive, protection against scripting and spoofing attacks.
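To make the difference concrete, here is an added example (not code from the original post or from the site it describes) contrasting the two ways of doing post-redirect-get. The first pair of functions mimics the construction found on the site: the error text is carried in the redirect’s Location header and reflected into the next page, so whoever controls the URL controls the page. The second pair does what the paragraph above suggests: the message stays in a server-side session, the browser only gets an opaque reference in a cookie, and the message is HTML-escaped on output. All function names, the `/login` path, and the in-memory dictionary standing in for a session store are assumptions of this example.

```python
"""Added example: post-redirect-get (PRG) with the error message in the URL
versus PRG with the error message kept in a server-side session.
Everything here is hypothetical; the dict stands in for a real session store."""
import html
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_PATH = "/login"  # assumed path of the login form


# --- the construction the post describes: the message travels in the redirect URL ---

def vulnerable_redirect(error_message: str) -> str:
    """After a failed POST, answer with a Location that carries the error text itself."""
    return LOGIN_PATH + "?" + urlencode({"error": error_message})


def vulnerable_render(url: str) -> str:
    """The GET handler trusts whatever 'error' the URL carries and reflects it raw.
    Anyone who can hand a user a URL can therefore choose what this page says."""
    params = parse_qs(urlparse(url).query)
    error = params.get("error", [""])[0]
    return f"<p class='error'>{error}</p>"  # no escaping: URL text becomes markup


# --- the fix the post suggests: keep state on the server, send only a reference ---

_SESSIONS: dict = {}  # constructed stand-in for a server-side session store


def hardened_redirect(error_message: str) -> dict:
    """Store the message server-side; the browser only gets an opaque session id,
    delivered as a cookie so it never shows up in a shareable URL."""
    session_id = secrets.token_urlsafe(16)
    _SESSIONS[session_id] = {"flash_error": error_message}
    return {
        "Location": LOGIN_PATH,
        "Set-Cookie": f"sid={session_id}; HttpOnly; Secure; SameSite=Lax",
    }


def cookie_from_set_cookie(set_cookie_header: str) -> str:
    """What the browser would send back: only the name=value part of Set-Cookie."""
    return set_cookie_header.split(";", 1)[0]


def hardened_render(url: str, cookie_header: str) -> str:
    """Ignore anything in the URL; look the message up by session id, consume it
    once (flash semantics), and escape it before embedding in HTML."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    sid = jar["sid"].value if "sid" in jar else ""
    session = _SESSIONS.get(sid)
    if session is None:
        return "<p class='error'></p>"  # unknown or expired id: nothing to show
    error = session.pop("flash_error", "")
    return f"<p class='error'>{html.escape(error)}</p>"


if __name__ == "__main__":
    # Constructed sample message containing markup, as an attacker-chosen URL would.
    sample = "<i>Wie dit leest is gek</i>"
    print(vulnerable_render(vulnerable_redirect(sample)))   # markup goes through
    resp = hardened_redirect(sample)
    print(hardened_render(resp["Location"] + "?error=" + sample,
                          cookie_from_set_cookie(resp["Set-Cookie"])))  # escaped
```

Note that in the hardened variant a `?error=` parameter appended to the URL has no effect at all, and a session id that the server does not know yields an empty message; the page content is decided by the server’s own state, not by the link the user clicked.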

A fine example of what happens if you trust an external company to build your web application but “forget” to check that they’ve delivered something that’s up to your standards (or at least the standards you paid for). Have fun playing around with this, and let me know what interesting things you found. (hint: iframes and JavaScript can do a lot on this page 😉)
