tl;dr: PHP's type coercion and unescaped use of the page's snowdays parameter allow injecting arbitrary HTML and JavaScript via a reflected XSS attack.

Note: This vulnerability is currently unfixed. I have contacted the owner through the site's contact form and on Twitter, and have yet to hear back.

The Target

The Snow Day Calculator is a popular web app for predicting the chance of a snow day, based on zip code, type of school, and the number of snow days this year. The site describes itself like this:

"The Snow Day Calculator was started as a middle school side project in 2007 to predict the chance of school closings. This was a unique service where users could enter weather information (that they had to look up) and The Snow Day Calculator would output the likelihood of a snow day the next day. In 2010, Snow Day Calculator launched automatic data retrieval from the National Weather Service, making The Snow Day Calculator able to automatically predict for any US zip code. The number of unique users quickly climbed that year as everyone was eager to check for predictions in their area from The Snow Day Calculator. Several news outlets wrote about the Snow Day Calculator that year as well, including The New York Times, The Wall Street Journal, TIME, the Huffington Post, Boston NPR (WBUR), FOX, etc. In 2011, Snow Day Calculator released iOS and Android apps allowing users to check their predictions on the go. The Snow Day Calculator also offers text message notifications to notify users of their snow day chance further in advance. Today, over 5 million people (representing 100M+ yearly hits) come to the tool every year to get wickedly accurate info about if their school will be closed due to the coming weather. Snow day predictions use the timing and strength of a snowstorm, wind, temperature, ice forecasts, and historical information about a user's location and school. Predictions are wickedly accurate (100% accurate in many locations) and are trusted by millions of users all across the country. As the Snow Day Calculator learns more about each school and region from users reporting what actually happened, the predictions get more and more accurate. The Snow Day Calculator consistently receives high praise from users who trust the science behind the predictions. Users happily refresh their predictions multiple times a day (sometimes several times an hour) to get the latest prediction using the latest weather information. The Snow Day Calculator continues to get yearly press from both national and local news sources that routinely reference The Snow Day Calculator predictions in their articles about upcoming snow storms."

So we can probably give him some leeway here :)

The Bug

First, see if you can spot some likely candidates for a reflected XSS attack:

There are a lot! It looks like the page displays parts directly derived from the URL, like the zipcode and the number of snow days.

I'll first try injecting some HTML into the zip code parameter.

No luck! The zip code probably passes through some postprocessing and normalization to look up zipcodes from its database and the National Weather Service. This extra processing will foil a simple reflected XSS attack.

I'm not convinced that the zipcode parameter is safe, but it's too much effort to try to break it while I still have other options!

Injecting the snowdays parameter

Directly replacing the number supplied in the snowdays parameter doesn't work.

However, we can add arbitrary code to the end of the number, like this:

We injected a big bold test in the middle of our page! This is very

Oops! Looks like they have some filtering in place to prevent XSS. We can bypass it by attaching an event handler to, say, an a tag. The tail of the URL looks like this:

(%22surprise!%22)%3E%20hover%20over%20this,%20buddy%3C/a%3E&extra=0

Pro tip: the filter seems to block all single quotes, so use double quotes!

While filtering suspicious activity is a good component in practicing defense in depth, it should not be your only security measure!

Why does this work?

Presumably, the Snow Day Calculator runs the number of snow days through some mathematical formula, so why doesn't the program crash when we put a string in? PHP is a very special language with some very special behavior that allows this.
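To make the two points above concrete (why the arithmetic survives a string with markup appended to the number, and why a blacklist filter does not stop the injection), here is an added PHP example. It is not the Snow Day Calculator's code and not from the original post: a hypothetical page function reproducing the pattern the post describes, beside a hardened one. The formula, the filter's rules, the function names, the zip code and the sample query are all assumptions made for the illustration; the payload is constructed in the spirit of the post's (no script tag, no single quotes).

```php
<?php
// Added illustration, not the Snow Day Calculator's code. Everything here
// (formula, filter rules, names, sample query) is assumed for the demo.

// PHP's coercive arithmetic: a leading-numeric string such as "1<b>x</b>"
// is treated as its leading number (1). PHP 7 raises an E_NOTICE, PHP 8 an
// E_WARNING, but the operation still succeeds. A string with no leading
// digits would fail (PHP 8 throws a TypeError), which is why the attacker
// keeps the real number in front of the markup.
function leadingNumber(string $s)
{
    return @($s + 0);   // warning suppressed so the demo runs quietly
}

// --- Vulnerable pattern (hypothetical) ---------------------------------
// A crude blacklist of the kind the post ran into: strips <script> tags
// and single quotes, and nothing else.
function naiveFilter(string $s): string
{
    $s = preg_replace('#</?script[^>]*>#i', '', $s);
    return str_replace("'", '', $s);
}

function vulnerablePage(array $query): string
{
    $zip      = $query['zipcode'] ?? '';
    $snowdays = naiveFilter((string)($query['snowdays'] ?? '0'));

    // The "formula" coerces the string to its leading number, so it does
    // not crash; the original string is then echoed into HTML unescaped.
    $chance = min(100, 40 + leadingNumber($snowdays) * 5);  // assumed formula

    return "<p>Zip {$zip}: with {$snowdays} snow days so far, chance is {$chance}%.</p>";
}

// --- Hardened version --------------------------------------------------
function safePage(array $query): string
{
    // Validate, don't sanitize: the parameter must be a small non-negative
    // integer. filter_var rejects "1<a ...>" outright instead of coercing it.
    $snowdays = filter_var($query['snowdays'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 365]]);
    if ($snowdays === false) {
        return '<p>Invalid snowdays value.</p>';
    }

    // Output-encode everything echoed into HTML, the zip code included,
    // even though the post did not manage to break that parameter.
    $zip    = htmlspecialchars((string)($query['zipcode'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $chance = min(100, 40 + $snowdays * 5);

    return "<p>Zip {$zip}: with {$snowdays} snow days so far, chance is {$chance}%.</p>";
}

// Constructed query: a payload that survives the blacklist because it uses
// an event handler instead of <script> and double quotes instead of single.
$payload = '1<a onmouseover=alert("surprise!")>hover over this, buddy</a>';
$query   = ['zipcode' => '02139', 'snowdays' => $payload];

echo vulnerablePage($query), PHP_EOL;   // the <a onmouseover=...> reaches the browser intact
echo safePage($query), PHP_EOL;         // the request is rejected before anything is echoed
```

Run it with `php demo.php`. The vulnerable function prints the markup untouched while still computing a chance, which is exactly the combination the post exploits: the arithmetic never sees the tail of the string, and the output path never encodes it. The fix does not try to enumerate bad input (that is the blacklist the event handler walked around); it rejects anything that is not an integer and encodes whatever is echoed.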