How I Hacked DePauw University Using Hidden Inputs
Thomas Ring

Scary stuff, for the school. I agree w/ other commenters that maybe you crossed the line a bit legally. But, I think your intentions were good — and that matters (at least to me). It’s frustrating when you know how to do something, have a serious and good intention in place, and actually want to help fix a situation, and then the target of all that doesn’t get off their butt & fix it.

That all said, I’ve been doing web consulting / programming for a long, long time now & the state of affairs for form-based security is just awful, on the whole. I see so many sites where things like proper validation & CSRF protection are nowhere to be found. It’s amazing to me that someone can get good enough at coding to actually code up a working form that interacts w/ a database, yet not implement best practices for preventing SQL injection. Yet, it’s so common. Frustrating!

Nice piece — interesting read. :-)
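The three form-handling failures the comment above lists (missing server-side validation, no CSRF protection, string-built SQL) and the hidden-input trust problem in the article's title, shown side by side with their hardened versions. This is an added example, not code from the article, its author, or the commenter; the catalogue table, the `SECRET`, the session id and the form dictionaries are all constructed for the illustration, and the handlers are plain functions rather than any web framework's API.

```python
"""Added example: vulnerable vs. hardened handling of an HTML order form.

Everything here (table layout, item names, prices, session ids, the hidden
'price_cents' field) is constructed sample data for this illustration.
"""
import hashlib
import hmac
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory catalogue with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "textbook", 8000), (2, "hoodie", 4500)])
    return conn


# --- 1. SQL injection: concatenated query vs. bound parameter ---------------

def find_item_vulnerable(conn, name: str):
    """The user's input is spliced into the SQL text, so it becomes SQL."""
    sql = "SELECT id, name, price_cents FROM items WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_item_safe(conn, name: str):
    """Bound parameter: the driver passes the value as data, never as SQL."""
    return conn.execute(
        "SELECT id, name, price_cents FROM items WHERE name = ?", (name,)
    ).fetchall()


# --- 2. CSRF: a token bound to the session, checked in constant time --------

def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Embed this in the form; a cross-site page cannot compute it without the secret."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(secret: bytes, session_id: str, token) -> bool:
    expected = issue_csrf_token(secret, session_id)
    return hmac.compare_digest(expected, token or "")


# --- 3. Hidden inputs are attacker-controlled: recompute, never trust -------

def handle_order_vulnerable(conn, form: dict) -> dict:
    """Trusts the hidden 'price_cents' field that the browser echoed back."""
    qty = int(form["qty"])
    return {"item_id": int(form["item_id"]), "total_cents": int(form["price_cents"]) * qty}


def handle_order_safe(conn, secret: bytes, session_id: str, form: dict) -> dict:
    """Checks the CSRF token, validates every field, and prices from the database."""
    if not csrf_token_valid(secret, session_id, form.get("csrf_token")):
        raise PermissionError("bad or missing CSRF token")
    try:
        item_id = int(form.get("item_id", ""))
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("item_id and qty must be integers")
    if not 1 <= qty <= 10:
        raise ValueError("qty out of range")
    row = conn.execute("SELECT price_cents FROM items WHERE id = ?", (item_id,)).fetchone()
    if row is None:
        raise ValueError("unknown item")
    # The client-supplied 'price_cents' hidden input is ignored entirely.
    return {"item_id": item_id, "total_cents": row[0] * qty}


def order_rejected(conn, secret: bytes, session_id: str, form: dict) -> bool:
    """True if the hardened handler refuses the submission."""
    try:
        handle_order_safe(conn, secret, session_id, form)
        return False
    except (PermissionError, ValueError):
        return True


if __name__ == "__main__":
    db = make_db()
    key = secrets.token_bytes(32)            # per-deployment secret (constructed here)
    tok = issue_csrf_token(key, "session-A")
    tampered = {"item_id": "1", "qty": "1", "price_cents": "1", "csrf_token": tok}
    print("injection rows:", len(find_item_vulnerable(db, "x' OR '1'='1")))
    print("vulnerable total:", handle_order_vulnerable(db, tampered)["total_cents"])
    print("safe total:", handle_order_safe(db, key, "session-A", tampered)["total_cents"])
```

The injection payload `x' OR '1'='1` returns the whole table from the concatenated query and nothing from the parameterised one; the tampered hidden field prices the textbook at one cent in the vulnerable handler, while the hardened handler recomputes 8000 from the catalogue and refuses any submission whose token was not issued for that session.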
