{"id":2035,"date":"2005-03-09T01:54:00","date_gmt":"2005-03-09T01:54:00","guid":{"rendered":"http:\/\/brianjnoggle.com\/blog\/?p=2035"},"modified":"2018-07-09T14:18:38","modified_gmt":"2018-07-09T19:18:38","slug":"2035","status":"publish","type":"post","link":"https:\/\/brianjnoggle.com\/blog\/2005\/03\/09\/2035\/","title":{"rendered":"Brian Likes the URL String"},"content":{"rendered":"<p>In my capacity in software QA working on Web applications, I know there&#8217;s no easier means of havoc than to mess with the URL string sent to the Web application.  Looks as though some &#8220;hackers&#8221; <a href=\"http:\/\/blogs.law.harvard.edu\/philg\/2005\/03\/08#a7726\" target=\"_new\">have discovered the same<\/a> with a university application, um, application:<\/p>\n<blockquote><p>The ApplyYourself code had a bug such that editing the URL in the &#8220;Address&#8221; or &#8220;Location&#8221; field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date.  This would be equivalent to a 7-year-old being offered a URL of the form http:\/\/philip.greenspun.com\/images\/20030817-utah-air-to-air\/ and editing it down to http:\/\/philip.greenspun.com\/images\/ to see what else of interest might be on the server.<\/p><\/blockquote>\n<p>But I bet the company saved a bundle of money by avoiding the whole quality assurance thing.<\/p>\n<p>(Link seen on <a href=\"http:\/\/www.outsidethebeltway.com\/archives\/9539\" target=\"_new\">Outside the Beltway<\/a>.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my capacity in software QA working on Web applications, I know there&#8217;s no easier means of havoc than to mess with the URL string sent to the Web application. Looks as though some &#8220;hackers&#8221; have discovered the same with a university application, um, application: The ApplyYourself code had a bug such that editing the [&hellip;]<\/p>\n","protected":false},"author":3334,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[54],"tags":[],"class_list":["post-2035","post","type-post","status-publish","format-standard","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/posts\/2035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/users\/3334"}],"replies":[{"embeddable":true,"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/comments?post=2035"}],"version-history":[{"count":1,"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/posts\/2035\/revisions"}],"predecessor-version":[{"id":20466,"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/posts\/2035\/revisions\/20466"}],"wp:attachment":[{"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/media?parent=2035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/categories?post=2035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/brianjnoggle.com\/blog\/wp-json\/wp\/v2\/tags?post=2035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}