Hacked off ears
There was a man who was in a horrible accident. The only permanent damage he suffered was the loss of both of his ears, and as a result of this unusual handicap he was very self-conscious about having no ears.
Because of the accident, he received a large sum of money from the insurance company. It had always been his dream to own his own business, and now he had the means. So he went out and bought a small but expanding computer firm. But he realized that he had no business knowledge at all, so he decided he would have to hire someone to run it.
He picked out three top candidates, and interviewed each of them.
The first interview went really well. He really liked this guy. His last question for this first candidate was "Do you notice anything unusual about me?" The guy said, "Now that you mention it, you have no ears." The man got really upset and threw the guy out.
The second interview went even better than the first; this candidate was much stronger. Again, to conclude the interview, the man asked the same question: "Do you notice anything unusual about me?"
This candidate also noticed: "Yes, you have no ears." The man was upset again, and threw the second candidate out.
Then he had the third interview. The third candidate was even better than the second, the best out of all of them. Almost certain that he wanted to hire this guy, the man once again asked, "Do you notice anything unusual about me?"
The guy replied "Yeah, I bet you are wearing contact lenses."
Surprised, the man then asked, "Wow! That's quite perceptive of you! How could you tell?"
The guy burst out laughing and said, "You can't wear glasses if you don't have any ears!"
Hacking with the query string
As I said in my previous article, this is intended to educate webmasters so that their web pages do not fall victim to these attacks.
The query string is a convenient way for a developer to pass information from page to page: page numbers, forum numbers, post numbers and much more. That is fine when the information is not sensitive, but I have seen people pass important shopping-cart information in the query string. That is a serious mistake. It is trivial for a person to change the values in the address bar, and the server has no way of knowing that a value was altered between one page and the next unless it checks every value it receives against data it holds itself.
Hotmail had a flaw a few years ago that illustrates this. You logged into an account, opened a message, and copied the query string, which told the server which message was being viewed. You then logged out, logged into a second account, opened any message, and replaced that page's query string with the one copied from the first account. The server showed you the first account's message: it trusted the message identifier in the URL without checking that the logged-in account actually owned that message. This has since been fixed, but it shows how a query string can be abused.
Now I am a developer, so how do I avoid this? The simple solution is to avoid query strings and rely on server-side scripting and form submissions: have the page submit a form and pass the values that way. But as I noted in my first article, this method has holes too. A form submission is just another request built by the client, so its values can be altered just as easily; whatever mechanism you use, treat every value that arrives from the browser as untrusted, validate it on the server, and keep anything sensitive (prices, account identifiers, who owns a record) in server-side state rather than in the request. Also make sure that the form submission is coming from your page and not from another domain! That is another attack that I will cover later on.
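To make the two scenarios above concrete, here is an added example (not code from the original post, and not Hotmail's or any real shopping cart's code) written as plain Node.js functions with no web framework: a vulnerable message viewer that trusts the msgid in the query string beside one that checks ownership, and a cart handler that takes the price from the URL beside one that looks the price up server-side. The message store, catalog, account names and parameter names (msgid, item, price) are all constructed for the example.

```javascript
// Added example, not from the original post: query-string tampering and the
// server-side checks that defeat it. Everything below (accounts, message store,
// catalog, parameter names) is constructed for the example; there is no real
// web server, mail system or shopping cart behind these functions.

// Constructed server-side mail store: which account owns which message.
const MESSAGES = {
  101: { owner: "alice", body: "Alice's private mail" },
  202: { owner: "bob", body: "Bob's private mail" },
};

// Constructed server-side catalog: the only place a price may come from (cents).
const CATALOG = { widget: 1999, gadget: 4999 };

// Turn the query string of a request URL into a plain object of parameters.
function parseQuery(url) {
  const q = url.indexOf("?");
  const qs = q === -1 ? "" : url.slice(q + 1);
  return Object.fromEntries(new URLSearchParams(qs));
}

// VULNERABLE: uses whatever msgid the URL carries and never looks at who is
// logged in, so any account can read any message (the Hotmail-style flaw).
function viewMessageInsecure(_session, url) {
  const { msgid } = parseQuery(url);
  const msg = MESSAGES[msgid];
  return msg ? msg.body : null;
}

// FIXED: the identifier may still arrive in the URL, but the server checks it
// against the logged-in account's ownership before returning anything.
function viewMessageSecure(session, url) {
  const { msgid } = parseQuery(url);
  const msg = MESSAGES[msgid];
  // "Not found" and "not yours" get the same answer, so the response does not
  // confirm that someone else's message id exists.
  if (!msg || msg.owner !== session.user) return null;
  return msg.body;
}

// VULNERABLE: the price travels in the query string, so the shopper sets it.
function addToCartInsecure(cart, url) {
  const { item, price } = parseQuery(url);
  const cents = Number(price);
  if (!item || !Number.isInteger(cents) || cents < 0) return false;
  cart.push({ item, cents });
  return true;
}

// FIXED: only the item identifier is accepted from the client; the price is
// looked up in server-side state, and any price= parameter is simply ignored.
function addToCartSecure(cart, url) {
  const { item } = parseQuery(url);
  if (!Object.prototype.hasOwnProperty.call(CATALOG, item)) return false;
  cart.push({ item, cents: CATALOG[item] });
  return true;
}

function cartTotal(cart) {
  return cart.reduce((sum, line) => sum + line.cents, 0);
}

// Replay both attacks from the post with constructed requests.
function demo() {
  // Bob is logged in and pastes the msgid he copied from Alice's session.
  const bob = { user: "bob" };
  const leaked = viewMessageInsecure(bob, "/read?msgid=101");
  const blocked = viewMessageSecure(bob, "/read?msgid=101");

  // A shopper edits the address bar to buy a widget for one cent.
  const insecureCart = [];
  addToCartInsecure(insecureCart, "/cart/add?item=widget&price=1");
  const secureCart = [];
  addToCartSecure(secureCart, "/cart/add?item=widget&price=1");

  return {
    leaked,                                 // "Alice's private mail"
    blocked,                                // null
    insecureTotal: cartTotal(insecureCart), // 1
    secureTotal: cartTotal(secureCart),     // 1999
  };
}

console.log(demo());
```

Run it with node; demo() replays both attacks and shows the fixed handlers refusing them. Note that the fixed functions still read the identifier from the query string: the fix is not moving the value into a form or POST body, which the client controls just as fully, but checking it on the server against state the client never sees.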
Now you can see why security matters in a web page that relies on the browser. The web developer should rely on the server, not the client side. Read through my blog under the programming category to learn how to avoid these problems. It will make your website safer!
Eric Pascarello HTML/JavaScript moderator at JavaRanch.com