Malaysia Election 2008

As Election just around the corner, suddenly I feel need to check my status. So i jump into here and keyin my details. Luckily, system generating this:-

At last!! I could select who should I pick.. hmm suddenly I would like to see how lousy their programmer is. It doesn’t take me long as I’ve found HUGE FLAW on their website. As this being used as cross reference Malaysia wide, it’s good to have this application SECURE!!

As I’m getting money by telling people how bad is their website, so here some documentation (can’t reveal all due to security reason!)

1) Form validation – do not use JAVASCRIPT!!
This the main error many web developer neglect.

function submitted(){ stripSpaces(); function stripSpaces() { var x = document.def.txtIC.value; document.def.txtIC.value = (x.replace(/^\W+/,\’\')).replace(/\W+$/,\’\'); }

if (document.def.txtIC.value == “”) { alert(“Sila masukkan No. kad pengenalan anda”);} else {

document.def.txtSub.value=”Submitted”; document.def.submit(); document.def.CETAK.enabled();} }

function count(CntValue){ document.def.txtSerial.value=CntValue ; }

Obviously revealing parameter involve. Instead, they should create inner ASP form evaluate to avoid people seeing what paramater involve. From here one with minimum web skills know already where to tweak.

2) No input inner ASP validation
As they are putting obvious Javascript validation, we could test well known SQL penetration test. I won’t reveal process here unless they have fix this “unskilled”error. To conclude, here the output.

Microsoft OLE DB Provider for SQL Server error ’80040e14′
Incorrect syntax near the keyword ‘******’.
/daftar.asp, line 60

From here we could test SQL penetration.

TO CONCLUDE: THIS WEBSITE IS NOT SECURE AT ALL!! PLEASE REDO YOUR WORK LAZY WEBMASTER!!