Just give me the report!

A quick blog post to show the silliness behind hidden fields. 

The Goods

So I saw that the Ponemon Institute just released a new report on SQL Injection. It is called “The SQL Injection Threat Study” and it was performed in conjunction with DB Networks. I’m currently doing some research on SQL injection and thought that this recent study would provide some relevant and interesting content.

The Website

Being the person I am, I DDG’d it (DuckDuckGo.com is a terrific search engine…give it a try if you haven’t) and followed the first search result to the DB Networks site:

I’m as privacy conscious as the next guy (OK, maybe a tad bit more) and was skeptical about providing all this personal data just to see the report. So, I looked at the source of the page:

The Win

Hmm. So according to this, when I submit all my personal information (because I want to read the report), the page will send it off to Salesforce.com (top red box). Well THAT can’t be good. But wait…in the bottom green box it states that the form has a hidden field (retURL) whose value is the download page my browser gets redirected to after submission. Hmm. That is where I wanted to go in the first place. So, I pasted that URL into my browser and saw:

There is my link to the document I wanted and I didn’t have to give away my personal information to get it. #win

The Bonus

And yes…for those web app people out there: because the retURL value is supplied by the client, changing that parameter sends the browser to whatever site you put there after submission (an open redirect).
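To make the two problems above concrete from the defender's side, here is an added example (my own code, not the post's and not DB Networks' or Salesforce's) that contrasts the hidden-field pattern with a server-side gate: the download link is only minted after the form is processed, as an HMAC-signed, expiring token, and any client-supplied return URL is checked against an allow-list before it is followed. The host names, secret, lead ids and handler names are all constructed for illustration.

```python
# Added example (not from the original post): server-side gating of a
# "give us your details, get the report" download, contrasted with the
# hidden-field pattern the post describes. Names, secret, hosts and the
# lead-id scheme are all constructed for illustration.
import hashlib
import hmac
import secrets
from urllib.parse import quote, urlsplit

# Hosts the post-submission redirect may point at (hypothetical).
ALLOWED_RETURN_HOSTS = {"www.example.com"}
# Signing key for download tokens; in real use it comes from config, not source.
SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 600


def naive_handle_submit(form):
    """The pattern the post found: after the form posts, redirect wherever
    the hidden retURL field says. The report URL sits in the page source, so
    the form is no gate, and any retURL value is followed (open redirect)."""
    return {"status": 302, "location": form.get("retURL", "/")}


def is_safe_return_url(url, allowed_hosts):
    """Accept only same-site relative paths or https URLs on an allow-listed host."""
    if "\\" in url:  # some browsers treat "/\host" like "//host"
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("", "https"):  # rejects javascript:, data:, http:
        return False
    if parts.netloc == "":
        # A bare path is fine; "//host/..." is protocol-relative, not a path.
        return url.startswith("/") and not url.startswith("//")
    return parts.netloc.lower() in allowed_hosts


def issue_download_token(lead_id, secret, now, ttl=TOKEN_TTL_SECONDS):
    """Mint an HMAC-signed, expiring token bound to the recorded lead."""
    expires = int(now) + ttl
    payload = f"{lead_id}.{expires}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_download_token(token, secret, now):
    """Return the lead id if the token is authentic and unexpired, else None."""
    try:
        lead_id, expires, sig = token.rsplit(".", 2)
        expires = int(expires)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{lead_id}.{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    if int(now) > expires:
        return None
    return lead_id


def hardened_handle_submit(form, secret, now, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Record the lead, then redirect with a token the server minted. Nothing in
    the page source lets a visitor reach the file without this step."""
    lead_id = secrets.token_hex(8)  # stands in for the id of the stored lead record
    token = issue_download_token(lead_id, secret, now)
    target = form.get("retURL", "/download")
    if not is_safe_return_url(target, allowed_hosts):
        target = "/download"  # ignore attacker-chosen destinations
    sep = "&" if "?" in target else "?"
    return {"status": 302, "location": f"{target}{sep}token={quote(token, safe='')}"}


def serve_download(token, secret, now):
    """The download endpoint: no valid token, no file."""
    lead_id = verify_download_token(token, secret, now)
    if lead_id is None:
        return {"status": 403, "body": "token missing, invalid or expired"}
    return {"status": 200, "body": f"report.pdf for lead {lead_id}"}
```

The point of the token is that the only way to learn a valid download URL is to go through the server's submission handler; reading the HTML no longer helps. The allow-list check is deliberately strict (https only, relative paths must start with exactly one slash, backslashes rejected) because the redirect parameter is attacker-controlled input like any other.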
