Meanwhile, I have been working quite hard on finding security flaws.
Some flaws were more worrying than others.
Let's start with just a little security flaw. I found a really strange site belonging to a German bank.
The site itself had a quite normal appearance, but I was a bit confused due to their POST variable.
I guessed, completely correctly, that it was a strange POST variable, and this variable was vulnerable.
The programmer did not care about a different variable type.
The variable was supposed to be an integer, but I just injected a non-integer value and was able to see a defaced bank site (with plain PHP source code on it) after a delay of roughly one minute.
What did they do, I asked myself, but okay… I did not investigate this further.
I just wanted to talk with a bank consultant or something like that, but it is actually harder to get hold of a bank consultant than to ‘deface’ their website with some nice PHP class error messages.
That's the security business nowadays… If nothing happens, everything is fine, and one only has to care after something serious has happened…
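
The class of flaw described above (a POST variable that should be an integer but is accepted without a type check, with PHP errors rendered to the visitor) can be closed off on the server side. The following is an added example, not code from the original post or from the bank's site; the parameter name `page_id`, its range and the helper `parse_int_param` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; parameter name "page_id" and the range are hypothetical.

// Never render PHP errors to visitors; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Strictly parse an integer field from a request array.
 * Returns null for missing values, arrays, floats, or non-numeric strings.
 */
function parse_int_param(array $source, string $name, int $min, int $max): ?int
{
    if (!isset($source[$name]) || !is_scalar($source[$name])) {
        return null; // missing, or an array such as page_id[]=1
    }
    $value = filter_var((string) $source[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Any uncaught exception ends in a generic 500, with details only in the log.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Internal error';
});

// Constructed sample inputs: only the first is a valid integer.
$samples = [['page_id' => '42'], ['page_id' => 'abc'], ['page_id' => ['1']], ['page_id' => '4.2'], []];
foreach ($samples as $post) {
    $id = parse_int_param($post, 'page_id', 1, 100000);
    if ($id === null) {
        // In a real handler: http_response_code(400); exit;
        echo "rejected\n";
    } else {
        echo "accepted: $id\n";
    }
}
```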