Surfing to the contact page on their site, we found out that we couldn't enter our European mobile phone number in the required (!) telephone number field.
Unable to find the direct email address of the hotel, I opened the developer tools and had a look at the validation script.

Instead of even trying to understand the regular expression, I just redefined the validation function using the console and retried sending the message.

Not so surprisingly, judging by the cheesiness of the hotel's website, our message was sent successfully.
In the OWASP Top 10 for 2010, the number one web application security risk is injection: untrusted data reaching an interpreter without being validated. A JavaScript check in the browser is a convenience for the visitor, not a security control, because anyone can redefine it from the console; the server has to validate every field again on its own.
Seriously, take server-side data validation seriously. Don't make a fool out of yourself.