As it happens, thanks to the support of L’Express, it seems more & more citizens are now drawing attention to the flaws in the Government websites. Yes, I did mention website with an “s”. Nevertheless, let’s keep the attention to MNIC. In the previous article, Mauritius National ID Card website – Your privacy compromised, I highlighted the security flaw the webmaster(s) left when creating the feedback/complaint form using Google Docs.
It looks harmless. Hmm, have a closer look at following lines:
var url="http://www.mnic.mu/files/newsletter/capture.php"; url=url+"?txtemail="+email+"&lang=1"; xmlhttp.onreadystatechange=stateChanged; xmlhttp.open("GET",url,true); xmlhttp.send(null);
It leads directly to the database of those who subscribed to the MNIC newsletter. Looking at their overall code quality so far, I wonder how secure would capture.php be.
Now, let’s look at some HTML ghost tags. Still on the home page, view the source. Look out for the <head></head> tags. How many? (^^,)
As of now, I guess the website is a good project for students who wish learn about website flaws & vulnerabilities.
Before anything goes viral again, I need to clarify that no “hacking” is involved here. Viewing a webpage source was never an act of cyber-attack. For the curious minds, the following definitions portrays the term hacker in a better manner:
While going through the comments on the L’Express article I noticed a reader’s comment about the marquee element. I used that argument on the social networks as well but maybe it should find it’s place here. What’s a marquee? Go to the MNIC homepage, do you notice the Latest News bar where the text annoyingly scrolls from right to left. That’s called a marquee.
Hover your mouse over it, does it stop/pause? Nah. The “good” web developers know of this & rant about it often. The marquee element is a non-standard element as per the World Wide Web Consortium. Read about it here and Wikipedia could help too.
As per Wikipedia the marquee was introduced in Microsoft’s Internet Explorer. Other browsers like Firefox, Opera, Chrome and Safari support it just to maintain compatibility with legacy webpages.
Should you be wondering what’s that stuff with code quality, you might have a quick read: The only valid measurement of code quality : WTFs/minute