Monday, November 06, 2006

Outsourcing the British High Commission, part 2

As an update to yesterday's post, I thought I should share some big worries I have with this online application system for requesting UK visas for Nigerians.

As I was going through the process of entering the details on the form, I used an apostrophe / single inverted comma (') in one of the fields and got back an error message that sets off 100 dB alarm sirens in my head as a web developer with some experience.



The error message indicates that there is no validation of user input on the server side of the system: an apostrophe in a form field should never reach whatever handles the field in a form that makes it fail. This means a suitably skilled web developer, wearing their black cracker's hat, could use this 'feature' to inject code of their own into whatever the server does with the field. I haven't done any further tests, but trust me that this is an amateur's mistake.

I am using Mozilla Firefox to access the site, and I can see that there is JavaScript code on the page to prevent the user entering ' on the form, as well as some other characters, but because of bugs in the JavaScript this does not work with Mozilla Firefox (at least the version I'm using, 1.5.0.7 on Debian GNU/Linux). That is beside the point, though: the server application should never rely on the client sending valid information, because the client-side check runs in a browser the attacker controls. This is rule number one of web security! Accessing the site in Internet Explorer prevents you from entering ' at the keyboard.

My fictional friend William De'Ath could be a useful person to test this out with.
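As an added example (not code from the original post, and not the visa site's own code, whose language and back end the post does not name), here is the pattern that produces exactly this symptom, an apostrophe in a field turning into a server error, alongside the server-side fix, in Python with SQLite. Whether the real site uses a database at all is not established above; the table, column names, sample rows and the crafted value are constructed for illustration only.

```python
# Added example, not code from the original post or from the visa site.
# It reproduces the symptom described above (an apostrophe in a field
# produces a server error) with a handler that pastes form input into a
# SQL statement, and shows the server-side fix: a parameterised query,
# which neither needs nor trusts the browser's JavaScript filter.
# The table, column names and sample rows are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table of applicants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, surname TEXT, passport TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants (surname, passport) VALUES (?, ?)",
        [("Smith", "A1"), ("Okafor", "B2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, surname: str) -> list:
    """The anti-pattern: the form field is concatenated into the SQL text.

    An apostrophe in the value ends the string literal early, so the
    database sees a malformed statement and the user sees an error page.
    A crafted value can instead close the literal and add its own logic.
    """
    sql = "SELECT passport FROM applicants WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, surname: str) -> list:
    """The fix: the value travels as a bound parameter, never as SQL text.

    Apostrophes, quotes and SQL keywords in the value are just characters
    of the string being compared, so "De'Ath" needs no special handling.
    """
    sql = "SELECT passport FROM applicants WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def demo() -> dict:
    """Run both handlers on an innocent apostrophe and on a crafted value."""
    conn = make_db()
    out = {}
    try:
        out["apostrophe_vulnerable"] = lookup_vulnerable(conn, "De'Ath")
    except sqlite3.OperationalError as exc:
        # This is the kind of error page the post describes, shown to the user.
        out["apostrophe_vulnerable"] = "error: " + str(exc)
    # A value that closes the quote and appends a tautology returns every row:
    out["injected_vulnerable"] = lookup_vulnerable(conn, "x' OR '1'='1")
    # The parameterised handler treats the same inputs as plain strings.
    out["apostrophe_safe"] = lookup_safe(conn, "De'Ath")
    out["injected_safe"] = lookup_safe(conn, "x' OR '1'='1")
    conn.execute(
        "INSERT INTO applicants (surname, passport) VALUES (?, ?)", ("De'Ath", "C3")
    )
    out["apostrophe_safe_after_insert"] = lookup_safe(conn, "De'Ath")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenating handler fails on "De'Ath" exactly as the post describes, and hands back every row for the crafted value; the parameterised handler treats both as ordinary strings and finds William De'Ath once he has been stored. Nothing about the browser-side JavaScript filter changes this: anyone can submit the form from a browser where the filter is broken, or from a tool such as curl that never runs it, and a server-side ban on apostrophes would in any case reject legitimate names.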

Further details, easily obtainable from the site, show what scripting language it uses and what operating system it runs on.

I am thinking about who to contact to investigate this.

The JavaScript side works on Firefox for the UK-based online application service. I haven't tried to circumvent it to see if that service is susceptible too.


Sunday, November 05, 2006

Outsourcing the British High Commission

I am helping someone apply for a visa to visit the UK, and it looks like things have got simpler, with online applications being accepted. While the Foreign & Commonwealth Office in the UK operates the online visa applications for a long list of countries through a service called visa4uk, for Nigeria applications are handled by a company based in India through the sites www.ukvac-ng.com and www.vfs.firm.in. Here is the whois info on the domain:

VFS (India) Pvt. Ltd.
Amish Shah
Lincoln House, 17 Altamount Road Behind Indonesian Consulate,
Mumbai, Maharastra 400 036
IN
Email: amishs@visa-services.com

Registrar Name....: REGISTER.COM, INC.
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: ukvac-ng.com

Created on..............: Tue, Dec 13, 2005
Expires on..............: Wed, Dec 13, 2006
Record last updated on..: Tue, Apr 04, 2006

Administrative Contact:
VFS (India) Pvt. Ltd.
Amish Shah
Lincoln House, 17 Altamount Road Behind Indonesian Consulate,
Mumbai, Maharastra 400 036
IN
Phone: 91-563-88628
Email: amishs@visa-services.com


I've looked at both online-application sites and they seem similar in design, so I wonder why the FCO decided to outsource this setup when their own system could easily have been adapted?
