Always on time

A couple of days ago, an officemate initiated a Jabber chat with me.  He told me that he found a problem in our online time sheet while he was tinkering with the Firebug plugin.  Turns out there's a hidden field for the login time that one can tamper with, and again no server-side validation for it.  Using Firebug, one can update the value of the hidden field, and then use the form to submit.  The problem's been escalated.  I wonder if they'll fix it though… or simply dismiss it on account of "the users won't do that." 😛

Web Developer Firefox plugin

A few days back, an officemate shared some Firefox plugins which were shared with him by yet another officemate. This reminded me of one of the plugins I've stumbled upon before. It's called Web Developer. The build I have on my work PC is about a year old though, and I haven't gotten around to checking for updates, especially since we have no internet connection at work. Anyway, it's a toolbar swamped with a lot of functions to tinker with.

Just a few of these functions off the top of my head:

  • easily enable/disable Java and JavaScript, or clear your cache, without having to go through Firefox's Tools -> Options dialog
  • resize your browser window to preset dimensions, e.g., 800×600, 1024×768
  • display guide lines to help you check the alignment of objects on the page
  • view element information; you can select an item on the page and view its properties
  • display tab indexes, the alt text of images, etc.

It also allows you to play around with forms.  Take, for instance, the following example.  I've added before and after images to help illustrate.

Before and after shots - using our online time sheet as an example

Basically, in this example, with Web Developer I was able to do several things with the form.

  1. Display the value in the password field.
  2. Enable a previously disabled item.  In this case, it's the login button.  This led me to find out that the system will let you time in again even if you're already logged in.  This explains why my logged time-in for a certain date was past 8PM.
  3. Make a read-only field writable.  I tried editing the Log-out Time field to include parts which aren't time components.  On save, nothing bad seemed to have happened. 😛
  4. Convert select elements or combo boxes to text input fields.  This allows you to enter values other than what's available from the combo box.
  5. Remove the maxlength properties that restrict the number of characters that can be entered into the edit boxes.  Normally, you can only specify a 4-digit year value and select a valid month before clicking <view monthly attendance>.  But with (4) and (5), I was able to specify a numeric value with more than 4 digits for the year and an invalid month value.  On click of <view monthly attendance>, there was no server-side validation, so no error was raised.
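Every trick in the list above, and the hidden login-time field from the first post, works for the same reason: hidden, disabled, readonly, maxlength and the option list of a select are all properties of the page the browser renders, and by the time the form reaches the server they are gone. The server receives a url-encoded string of name=value pairs and nothing else, so the only checks that count are the ones it does itself. The following Node.js code is an added example, not the time sheet's own code: it shows how a server could handle the same form so that none of the five tampering steps has an effect. The field names (action, login_time, logout_time, year, month), the request bodies and the dates are all constructed for the example.

```javascript
// Added example (not code from the original post): server-side handling for a
// time-sheet form whose client-side controls can all be edited with Firebug
// or the Web Developer toolbar. Field names and sample bodies are assumptions.

// A url-encoded POST body is plain text by the time it reaches the server;
// "hidden", "readonly", "disabled" and "maxlength" do not survive the trip.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Monthly attendance query: exactly four digits for the year, month 1..12.
// Re-checking here is what makes a removed maxlength or a select turned into
// a text input harmless: the server enforces what the form only suggested.
function validateAttendanceQuery(body) {
  const f = parseForm(body);
  const errors = [];
  if (!/^\d{4}$/.test(f.year || '')) errors.push('year must be exactly four digits');
  if (!/^(0?[1-9]|1[0-2])$/.test(f.month || '')) errors.push('month must be 1-12');
  return { ok: errors.length === 0, errors };
}

// Time-in / time-out. `state` is the server's record for this user and `now`
// is the server clock (a Date, injected so the example can be tested). Any
// login_time or logout_time sent by the client is deliberately ignored: the
// server can compute these values itself, so it never has to trust them.
function handleTimeEntry(body, state, now) {
  const f = parseForm(body);
  const stamp = now.toISOString().slice(11, 16); // HH:MM from the server clock
  switch (f.action) {
    case 'login':
      // Re-enabling a disabled button must not allow a second time-in;
      // the "already logged in" state lives on the server, not in the button.
      if (state.loginTime) return { ok: false, error: 'already logged in', state };
      return { ok: true, state: { ...state, loginTime: stamp, logoutTime: null } };
    case 'logout':
      if (!state.loginTime) return { ok: false, error: 'not logged in', state };
      if (state.logoutTime) return { ok: false, error: 'already logged out', state };
      return { ok: true, state: { ...state, logoutTime: stamp } };
    default:
      return { ok: false, error: 'unknown action', state };
  }
}

// Walk through the tampering steps with constructed request bodies.
function demo() {
  let user = { loginTime: null, logoutTime: null };

  // Tampered hidden field: the client claims 07:00, the server uses its clock.
  let r = handleTimeEntry('action=login&login_time=07:00', user,
                          new Date('2009-03-10T08:05:00Z'));
  user = r.state;
  const loginResult = { ok: r.ok, loginTime: user.loginTime };

  // Login button un-disabled with the toolbar and submitted a second time.
  const secondLogin = handleTimeEntry('action=login&login_time=07:00', user,
                                      new Date('2009-03-10T20:15:00Z'));

  // Read-only logout field made writable and filled with junk: ignored.
  r = handleTimeEntry('action=logout&logout_time=17:00xyz', user,
                      new Date('2009-03-10T17:02:00Z'));
  user = r.state;

  // maxlength removed and the month select converted to a text input.
  const badQuery = validateAttendanceQuery('year=200900&month=13');
  const goodQuery = validateAttendanceQuery('year=2009&month=3');

  return { loginResult, secondLogin, logoutTime: user.logoutTime, badQuery, goodQuery };
}

console.log(JSON.stringify(demo(), null, 2));
```

The pattern is the same for every item in the list: values the server can compute on its own (the login and logout timestamps) come from the server, values the user legitimately supplies (year, month) are validated against the same constraints the form pretends to enforce, and state such as "already logged in" is checked against the server's record rather than inferred from which buttons the page happened to disable.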