titaniumbunker.com


Electoral Reform Services feedback form


I received a letter from my local council about the electoral register, telling me I needed to refresh my information. So I visited their website and entered the super secret codes from the letter to obtain access to my records. I must say the process seemed straightforward enough – until I reached the feedback section.

Now I hadn’t noticed until the feedback form, but the query string contained quite a lot of information. I had a quick play with the feedback form and sent the following communication to the technical department at (I assume) Electoral Reform Services Ltd. Here’s what I sent them – I’ve censored some of the data within this communication. For context, code1 and code2 are the security codes from my letter.

I was just looking around the feedback form (I just completed my form on-line) – have you guys seen how much data is sloshing around in the query string? Here’s the address of this page:

https://registerbyinternet.com/Home/Feedback?authorityId=xxx&
LanguageId=1&PropertyId=xxxxx&
Address=xx%20Xxxxxxx%20Xxxxxx%20%2CXxxxxxx%20Xxxxx%20%2CXxx%20xXX&
code1=ZZZZZZ&
code2=ZZZZZZZZ&
OnlineRespondentId=xxxxxx&
OnlineRespondentName=Michael%20Anthony%20Hingley&
ClientName=Xxxxxxxx%20Xxxxxxxxxxxx%20Xxxxxxx%20Xxxxxxx


What’s interesting is that this query string data is just slapped into the fields, meaning that if you change the URL, you can effectively send feedback about a different authority, or person, or address, or indeed anything. Why not store this stuff in session, where I can’t access it?

Potential implication: Spam messages sent to every council about every property from a fake name. Once feedback is sent, feedback cannot be re-sent – this would be a denial of service for all legitimate users.

Potential implication: XSS – these values are posted into the page into fields. It should be possible to strip out anything that looks like JS, and hopefully you’ve done that. I’m too scared to try it.

Cheers

Mike Hingley

It’s possible that this information was floating around all the time on my query string but I never saw it.
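To make the two implications concrete, here is a small added example (mine, not Electoral Reform Services’ code; the parameter names follow the URL above, the values and the session layout are constructed placeholders). The first handler copies every query parameter straight into form fields, which is the pattern the email describes: a changed URL changes whose feedback it is, and a quoted value can break out of the attribute. The hardened handler takes the identity fields from a server-side session, escapes the one value it does reflect, keys the once-only submission rule on the session rather than the URL, and reports any URL parameter that disagrees with the session so it can be logged instead of honoured.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the real session and URL; values are not from the original page.
SAMPLE_SESSION = {"respondent_id": "r-42", "authority_id": "123",
                  "property_id": "4567", "respondent_name": "Jane Doe"}
SAMPLE_URL = ("https://registerbyinternet.com/Home/Feedback?authorityId=123"
              "&LanguageId=1&PropertyId=4567&OnlineRespondentName=Jane%20Doe")
# Same URL with the authority changed and a quote-breaking respondent name.
TAMPERED_URL = ("https://registerbyinternet.com/Home/Feedback?authorityId=999"
                "&LanguageId=1&PropertyId=4567"
                "&OnlineRespondentName=%22%3E%3Cb%3Einjected%3C%2Fb%3E")

# Which URL parameter claims to carry which session-held fact.
IDENTITY_PARAMS = {"authorityId": "authority_id", "PropertyId": "property_id",
                   "OnlineRespondentName": "respondent_name"}


def query_params(url):
    """Decode the query string into a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(url):
    """The pattern the email describes: URL values dropped into fields verbatim.
    Anyone editing the URL chooses the authority and the name, and a value
    containing a double quote closes the attribute early."""
    p = query_params(url)
    return (f'<input name="authorityId" value="{p.get("authorityId", "")}">'
            f'<input name="OnlineRespondentName" value="{p.get("OnlineRespondentName", "")}">')


def render_hardened(url, session):
    """Identity comes from the authenticated session, never from the URL.
    LanguageId is the only URL value used, and it is escaped before reaching markup."""
    p = query_params(url)
    language = escape(p.get("LanguageId", "1"))
    name = escape(session["respondent_name"])
    return (f'<input type="hidden" name="LanguageId" value="{language}">'
            f'<p>Feedback from {name}</p>')


def tampered_params(url, session):
    """Return the URL parameters that disagree with the session: the thing to log
    and alert on, since a legitimate client never needs to change them."""
    p = query_params(url)
    return sorted(k for k, field in IDENTITY_PARAMS.items()
                  if k in p and p[k] != session[field])


def submit_feedback(session, message, already_sent):
    """Enforce the once-per-respondent rule on the session identity, so a
    tampered URL cannot use up somebody else's single submission.
    Returns True if accepted, False if this respondent already submitted."""
    rid = session["respondent_id"]
    if rid in already_sent:
        return False
    already_sent.add(rid)
    return True


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(TAMPERED_URL))
    print("hardened:  ", render_hardened(TAMPERED_URL, SAMPLE_SESSION))
    print("tampered:  ", tampered_params(TAMPERED_URL, SAMPLE_SESSION))
```

Running it shows the vulnerable markup with the attribute closed early and the bold tag live, while the hardened markup still says "Feedback from Jane Doe" whatever the URL carries, and `tampered_params` names `authorityId` and `OnlineRespondentName` as the fields that were edited.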



