Alcatraz ~ the tourist website

#1 by 0bx:

https://www.alcatraztrips.com/Confirmation.asp?order=8980 Not quite as secure as the prison itself. :omg:

Giraffes are not real.
#2 by Giskard Reventlov, replying to 0bx (#1):

Confirmation.asp?order=179000 Lost interest after this. :-)

"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." Red Adair. nils illegitimus carborundum me, me, me
#3 by Brisingr Aerowing, replying to 0bx (#1):

:wtf: :omg: :~ :doh: :sigh: X| :(( :( Yikes!

Bill Gates is a very rich man today... and do you want to know why? The answer is one word: versions. Dave Barry Read more at [BrainyQuote](http://www.brainyquote.com/quotes/topics/topic_technology.html#yAfSEbrfumitrteO.99)
#4 by krumia, replying to 0bx (#1):

Okay what's wrong with that? It uses HTTPS and that should be good enough for everybody. ;P
#5 by BobJanova, replying to 0bx (#1):

:doh:
#6 by enhzflep, replying to 0bx (#1):

:D That's gotta be the best laugh I've had all week. Since I was on a bender, thought I'd send this email to the company. Let their response time be a testament to how seriously they take security. :laugh: :laugh:

Gday Sir/Madam,

Have just read a forum post that lambastes your website for its poor security. There are at least 2 problems with it as it stands:

1. You've used a HTTP GET to pass variables to this page (the order number is present in the URL)
2. You've not authenticated the viewer as being the customer that placed the order.

For instance, I can enter the URL "https://www.alcatraztrips.com/Confirmation.asp?order=17900" and straight away see that Mary Cruz did attend the tour on 27 Sep 2005, leaving from Pier 33 at 11.15am.

I can then enter the URL "https://www.alcatraztrips.com/Confirmation.asp?order=169000" and similarly I can see that Silvia Bollati is scheduled to attend a tour on the 25th August 2012 (13 days from now), also departing Pier 33, this time at 10am.

What if I or somebody else wanted to harm Silvia? Simple, run a program to harvest all the orders on your website, scan through them for the name of a purchaser of interest.

It certainly doesn't take somebody that's particularly bright to understand that
(a) This is a massive security hole
(b) If somebody scheduled to attend the tour was located as a result of the service and subsequently murdered, your company would be held liable!!!

Kind of ironic for a website that deals in tours to a decommissioned Prison, don't you think?

You can view the lambasting here: http://www.codeproject.com/Messages/4335687/Alcatraz-the-tourist-website.aspx

Cheers,
Simon.

Make it work. Then do it better - Andrei Straut
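The harvesting described in #6 (one client walking through consecutive order numbers) leaves an obvious trace in the web server's access log, which is where the site's operators could have caught it. The following is an added example, not code from the thread or from the site: it parses a handful of constructed IIS W3C-style log lines and flags any client that requested many distinct, or consecutive, `order` values from /Confirmation.asp. The log field layout, the thresholds and the client addresses (documentation ranges) are all assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List
from urllib.parse import parse_qs

# Constructed sample log in IIS W3C style with the fields
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status.
# Client addresses come from documentation ranges, not from real visitors.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-08-12 10:00:01 10.0.0.5 GET /Confirmation.asp order=8980 198.51.100.7 200
2012-08-12 10:00:03 10.0.0.5 GET /Confirmation.asp order=8981 198.51.100.7 200
2012-08-12 10:00:04 10.0.0.5 GET /Confirmation.asp order=8982 198.51.100.7 200
2012-08-12 10:00:06 10.0.0.5 GET /Confirmation.asp order=8983 198.51.100.7 200
2012-08-12 10:00:07 10.0.0.5 GET /Confirmation.asp order=8984 198.51.100.7 200
2012-08-12 10:00:09 10.0.0.5 GET /Confirmation.asp order=8985 198.51.100.7 200
2012-08-12 10:00:10 10.0.0.5 GET /Confirmation.asp order=8986 198.51.100.7 200
2012-08-12 10:01:12 10.0.0.5 GET /Confirmation.asp order=169000 203.0.113.9 200
2012-08-12 10:02:30 10.0.0.5 GET /index.asp - 192.0.2.4 200
2012-08-12 10:02:41 10.0.0.5 GET /Confirmation.asp order=1000 192.0.2.4 200
2012-08-12 10:02:45 10.0.0.5 GET /Confirmation.asp order=1001 192.0.2.4 200
2012-08-12 10:05:50 10.0.0.5 GET /Confirmation.asp order=5000 192.0.2.4 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse the eight fields listed above; directives and short lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        date, time, _server, method, stem, query, client, status = fields[:8]
        records.append({"date": date, "time": time, "method": method,
                        "stem": stem, "query": query, "client": client,
                        "status": status})
    return records


def longest_consecutive_run(values: Iterable[int]) -> int:
    """Length of the longest run n, n+1, n+2, ... among the given integers."""
    best = run = 0
    prev = None
    for n in sorted(set(values)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def flag_enumeration(records, path="/Confirmation.asp", param="order",
                     min_distinct=5, min_run=4) -> Dict[str, Dict[str, int]]:
    """Return {client: stats} for clients that pulled many distinct or
    consecutive values of `param` from `path`. The thresholds are assumed;
    a genuine customer normally views one order, so they can be strict."""
    per_client: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["stem"].lower() != path.lower():
            continue
        # parse_qs drops the IIS "-" placeholder for an empty query string.
        for value in parse_qs(r["query"]).get(param, []):
            per_client[r["client"]].add(value)
    alerts = {}
    for client, values in per_client.items():
        numeric = [int(v) for v in values if v.isdigit()]
        run = longest_consecutive_run(numeric)
        if len(values) >= min_distinct or run >= min_run:
            alerts[client] = {"distinct": len(values), "longest_run": run}
    return alerts


if __name__ == "__main__":
    for client, stats in flag_enumeration(parse_w3c(SAMPLE_LOG)).items():
        print(f"{client}: {stats['distinct']} distinct order ids, "
              f"longest consecutive run {stats['longest_run']}")
```

Only the first client is reported: seven distinct and consecutive order numbers in ten seconds. The customer who viewed one order and the client who viewed three unrelated ones stay below both thresholds, which is the point of keying on distinct values per client rather than on request volume alone.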
#7 by Andrei Straut, replying to krumia (#4):

So were 512k some decades ago. :laugh: Also, look 2 threads below (incidentally, one that I've started). It mentions exactly this problem.

Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
#8 by Andrei Straut, replying to enhzflep (#6):

That was funny :laugh: Also, I've seen myself quoted in your sig (can't 5 twice), and although I'm flattered, you should know that it's not my invention, I've heard it on the interwebz somewhere :)
#9 by enhzflep, replying to Andrei Straut (#8):

:-\ Hope their customers' data isn't left out on display for all to see. Also hoped someone else may get a giggle. I'd be happy to attribute it to anon if you'd prefer. I've found your posts to be both intelligent and helpful - the quote is also a good maxim - just one I'd never been clever enough to condense. It's how things are often done - a good example is one that uses per-pixel manipulation. At first, it's a million times easier to just use SetPixel/GetPixel - with time after the algo is working one will often alter such ungainly access to something much harder to read and similarly quicker to execute. I saw the quote in a post of yours and just HAD to steal it - (unquoted, hence the attribution to you) :)
#10 by AspDotNetDev, replying to enhzflep (#6):

Dear Sir/Madam, It has recently been brought to our attention that your IP address has been viewing orders placed by customers with different IP addresses. This is a federal crime and you will be prosecuted if you do not cease and desist. Sincerely, Alcatraz Tours Security Official

Thou mewling ill-breeding pignut!
#11 by Andrei Straut, replying to enhzflep (#9):

Well, what can I say, thanks!
#12 by enhzflep, replying to AspDotNetDev (#10):

Nice :thumbsup: I'll see your taunt and raise you another..

Dear Mr Agent, As with all police-issued notices I receive purporting to be from the US, I will again take the time to remind you that I'm 12,650 kms away - that's 7,860 miles to the metrically challenged. You've obviously been told by fellow scammer colleagues that you'll get better response rates when you claim to be US law enforcement than you'd enjoy with the old "We are related, I just need to use your bank account to wire $50,000,000 out of this country, you will receive a generous 5%". Think I'll file this with my IRS note, my LAPD-issued traffic infringement and my New York-issued demand to attend the courthouse. If only you realized I've never had a passport, let alone left this country. Why don't you head back into the capital city, Abuja? I hear there are many opportunities for those willing to work for them.. :laugh:
#13 by AspDotNetDev, replying to enhzflep (#12):

enhzflep wrote:

    I just need to use your bank account to wire $50,000,000 out of this country, you will receive a generous 5%

There was a report not too long ago that studied why Nigerian scammers always say they are from Nigeria rather than some place not so famous for scamming. The reason was that if somebody is gullible enough to believe a scam that says it is from Nigeria, they are the most likely people to actually believe the scam. Essentially, being so obvious about their scam is their method to avoid talking to smart people, which would waste their time and cost them money. :-D And I just found it: http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf
#14 by enhzflep, replying to AspDotNetDev (#13):

And that my friend, is the most interesting piece of literature I've read all month. Have a +5 for the article link. Makes me wonder how much too little credit I've apportioned the writers of such emails. It makes perfect sense. Cheers, and thanks. :thumbsup:
#15 by Bernhard Hiller, replying to 0bx (#1):

Even worse. It is open to SQL injection attacks. A few days ago, someone asked in Q&A how a "UNION SELECT ALL null..." attack works, and someone pointed to Evil SQL. Just tried a https://www.alcatraztrips.com/Confirmation.asp?order=179000%20having%201=1-- which results in

    Microsoft OLE DB Provider for SQL Server error '80040e14'
    Column 'orders.OrderNumber' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /Confirmation.asp, line 13

and some more bad injections... So easy to get the name of their db user etc. But: please do not destroy their web site, just have fun! It is such a great place to demonstrate the vulnerabilities of badly written code to our students here at CP.
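The two findings in this thread, the unauthenticated lookup by guessable order number (#6) and the string-built SQL that the `having 1=1--` probe above exposes (#15), are closed by the same two changes to the confirmation page: bind the parameter instead of concatenating it, and make the logged-in customer part of the query predicate. The following is an added example and not the site's ASP code; it uses Python with an in-memory SQLite table. Only the `orders.OrderNumber` column name is taken from the error message above; the other columns, the sample rows, the `CustomerId` session check and the status codes are assumptions.

```python
import sqlite3
from typing import Optional, Tuple

SELECT_COLS = "OrderNumber, CustomerName, TourDate, Pier"


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Only orders.OrderNumber comes from the thread's
    error message; every other column and row is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders ("
        "OrderNumber INTEGER PRIMARY KEY, CustomerId INTEGER NOT NULL, "
        "CustomerName TEXT, TourDate TEXT, Pier TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?)",
        [
            (17900, 1, "Customer A", "2005-09-27 11:15", "Pier 33"),
            (169000, 2, "Customer B", "2012-08-25 10:00", "Pier 33"),
            (179000, 3, "Customer C", "2012-09-01 09:30", "Pier 33"),
        ],
    )
    return conn


def confirmation_vulnerable(conn: sqlite3.Connection, order_param: str) -> list:
    """The pattern the thread describes: the raw query-string value is pasted
    into the SQL text and the only 'key' is a guessable order number. Anyone
    can read any order, and malformed input (such as the '179000 having 1=1--'
    probe from #15) surfaces as a database error, which the real page echoed
    straight back to the browser."""
    sql = f"SELECT {SELECT_COLS} FROM orders WHERE OrderNumber = " + order_param
    return conn.execute(sql).fetchall()


def serve_confirmation(
    conn: sqlite3.Connection, order_param: str, session_customer_id: Optional[int]
) -> Tuple[int, Optional[tuple]]:
    """Hardened handler returning an (HTTP status, row) pair.

    1. The viewer must be logged in (401 otherwise).
    2. The order parameter must be a plain integer; anything else is a 404,
       so no database error text ever reaches the client.
    3. The value is bound, never concatenated, and the session's customer id
       is part of the WHERE clause, so a real order belonging to someone else
       is indistinguishable from an order that does not exist.
    """
    if session_customer_id is None:
        return 401, None
    if not order_param.isdigit():
        return 404, None
    row = conn.execute(
        f"SELECT {SELECT_COLS} FROM orders WHERE OrderNumber = ? AND CustomerId = ?",
        (int(order_param), session_customer_id),
    ).fetchone()
    if row is None:
        return 404, None
    return 200, row


if __name__ == "__main__":
    db = make_db()
    # No login needed and any order is readable: the complaint in #6.
    print(confirmation_vulnerable(db, "169000"))
    # The probe from #15 becomes a database error instead of a clean 404.
    try:
        confirmation_vulnerable(db, "179000 having 1=1--")
    except sqlite3.Error as exc:
        print("error text a careless page would leak:", exc)
    print(serve_confirmation(db, "169000", 2))               # the owner: 200
    print(serve_confirmation(db, "169000", 1))               # someone else: 404
    print(serve_confirmation(db, "179000 having 1=1--", 3))  # rejected: 404
```

Returning 404 rather than 403 for an order that belongs to another customer is deliberate: a 403 would still confirm that the guessed number exists, which is exactly the information an enumeration pass is after.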
#16 by Brisingr Aerowing, replying to Bernhard Hiller (#15):

:doh: :wtf: :omg: :~ :sigh: :((