Failure Friday: Worr.com

Warning: Complicated computer speak following

I guess Worr released a new site. Don’t remember their old one, but I’ll just follow along and say it’s new. I hope for their sake that it is brand new.

They dislike proofreading as much as I do, though the Synergy is totally “Lorem ipsum”-like. (They have at least fixed it now.)

worr-1-custom.png

Though they really need to bone up on their coding practices. We can get a nice little XSS on their form pages, like here, here, or here. Just enter something like:
"/><script>alert("I did it for the lulz")</script>
And you get this:
worr-2-custom.png
Way to sanitize your input there, guys. Here’s a hint: convert ", <, > to their HTML equivalents. Another hint: just ask me and I’ll tell you exactly what to do.
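The encoding hint above as a PHP sketch, since the headers and error message point at PHP. This is an added example, not code from Worr's site or from this post; the field name "name" and the three function names are hypothetical.

```php
<?php
// Added example: a form field that is re-rendered with the value the user
// submitted. The field name and the function names are assumptions.

// Vulnerable: the submitted value goes into the attribute unchanged, so a
// value starting with "/> ends the attribute and the tag, and whatever
// follows is parsed as markup.
function render_field_raw(string $value): string
{
    return '<input type="text" name="name" value="' . $value . '" />';
}

// Hardened: encode for the HTML context at output time.
// htmlspecialchars() converts & < > and, with ENT_QUOTES, both " and '.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string; the charset is stated explicitly so it does not depend on php.ini.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_field_safe(string $value): string
{
    return '<input type="text" name="name" value="' . h($value) . '" />';
}

// The test string from the post, as it would arrive in $_POST['name'].
$submitted = '"/><script>alert("I did it for the lulz")</script>';

echo "raw:  ", render_field_raw($submitted), "\n";
echo "safe: ", render_field_safe($submitted), "\n";

// Check that the encoded value cannot leave the attribute: after encoding,
// no quote or angle bracket from the input survives as a literal character.
$encoded = h($submitted);
if (strpbrk($encoded, "\"'<>") !== false) {
    throw new RuntimeException('encoded value still contains markup characters');
}
```

The hint lists only ", < and >; htmlspecialchars() also encodes & so that existing entity-like text in the input is shown literally, and ENT_QUOTES adds ' for attributes written with single quotes.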

So we can break their site and maybe cause some of their users some trouble, but what if we want to do more?

According to their headers, they’re running Windows using IIS as their httpd and running both ASP.NET and a very out of date PHP (over 2 years old).

But, wait, what are they really running? According to this error, PHP. At least with ASP, you have some slight non-valid input protection.

So they’re running on Windows, and ASP.NET really just seems pointless. According to nmap, only port 80 is open, so they don’t have a mail server or anything of that nature (that at least accepts connections) running. Why not a LAMP server? I’m sure it would be cheaper and better, but whatever.

I think I’ve found enough fail to call it a failure. Plus this is boring me.