Outsourcing the British High Commission, part 2
As an update to yesterday's post I thought I should share some big worries I have with this online application system for requesting UK visas for Nigerians.
As I was going through the process of entering the details on the form I used an apostrophe / single inverted comma (') in one of the fields, and got back an error message that rings 100dB Alarm Sirens in my head as a web developer with some experience.

The error message indicates that there is no validation done on user input to the system! This means a suitably skilled web developer, wearing their black cracker's hat, could use this 'feature' to put code of their own into the script! I haven't done any further tests but trust me that this is an amateur's mistake.
I am using Mozilla Firefox to access the site and I can see that there is JavaScript code on the page to prevent the user entering ' on the form as well as some other characters, but because of bugs in the JavaScript code this does not work with Mozilla Firefox (at least the version I'm using, 1.5.0.7 on Debian GNU/Linux). This isn't the argument though as the server application should never rely on the client sending valid information. This is rule number one of web security! Accessing the site in Internet Explorer prevents you from entering ' at the keyboard.
My fictional friend William De'Ath could be a useful person to test this out with.
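An added example, not part of the original post and not the visa site's code: assuming the form field ends up in an SQL statement (the post does not say what the backend is), this Python example using sqlite3 shows why a surname such as De'Ath breaks string-built SQL, and how a server-side check plus a parameterized query stores it intact. The table, function names and length limit are hypothetical.

```python
import sqlite3

MAX_LEN = 60  # hypothetical limit for this example


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applicants (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)")
    return db


def save_unsafe(db, surname):
    """'Before': SQL built by string concatenation. An apostrophe ends the literal early."""
    try:
        db.execute("INSERT INTO applicants (surname) VALUES ('" + surname + "')")
        return "stored"
    except sqlite3.Error as exc:
        return "server error: " + str(exc)


def validate_surname(raw):
    """Server-side check that runs regardless of what the browser's JavaScript allowed."""
    value = raw.strip()
    if not value or len(value) > MAX_LEN:
        raise ValueError("surname must be 1-%d characters" % MAX_LEN)
    if any(ord(ch) < 32 for ch in value):
        raise ValueError("surname contains control characters")
    return value  # apostrophes are legitimate in names and are kept


def save_safe(db, surname):
    """'After': validate, then bind the value as a parameter so it is only ever data."""
    db.execute("INSERT INTO applicants (surname) VALUES (?)", (validate_surname(surname),))
    return "stored"


def stored_surnames(db):
    return [row[0] for row in db.execute("SELECT surname FROM applicants ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    name = "De'Ath"  # constructed sample input, from the post's fictional William De'Ath
    print("unsafe:", save_unsafe(db, name))
    print("safe:  ", save_safe(db, name))
    print("rows:  ", stored_surnames(db))
```

Blocking the apostrophe in the browser, as the site's JavaScript tries to do, both fails to protect the server and rejects a legitimate name; the parameterized version accepts it safely.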
Further details easily obtainable from the site show what scripting language to use and what operating system is running it.
I am thinking about who to contact to investigate this.
The JavaScript side works on Firefox for the UK-based online application service; I haven't tried to circumvent this to see if that is susceptible too.
Labels: Lagos, Nigeria, UK Visa, wahala, Web Security




3 Comments:
Hi Aaron. Funny since I came across the same error on a site that I am trying to access. It's a site here in the Philippines for a TelCo like Glo in Nigeria. I am yet to understand HTML but the screenshot you had looks the same as what I saw, with the details below -
Server Error in '/myglobe' Application.
--------------------------------------------------------------------------------
Object reference not set to an instance of an object.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NullReferenceException: Object reference not set to an instance of an object.]
myGlobe.mainlogin.btnGoLogin_Click(Object sender, ImageClickEventArgs e) in c:\inetpub\wwwroot\myGlobeNew\mainlogin.aspx.cs:294
System.Web.UI.WebControls.ImageButton.OnClick(ImageClickEventArgs e) +109
System.Web.UI.WebControls.ImageButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +69
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +1292
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET Version:1.1.4322.2032
***
By the way, I tried sending you some few emails months/weeks before...I guess they were a bit incoherent...more of bubble thoughts.
I was thinking you might be mistaking me as a phony or some scam... you may check out my blog which I recently just started.
More power to you and hope to meet you in Lagos soon.
Warmest regards,
Surp2x
Hi
Goodness, the mind boggles. However, I do hope your findings don't result in the site being shut down. It would be mayhem with the Xmas rush coming up.
Hi
I do hope your findings don't result in the site being shut down. As they've got the mad Xmas rush for visas coming up.