Websites that worry me

It is 2009 and still websites are launched completely vulnerable to SQL injection and CSRF. This worries me. It seems websites, even high-profile ones, are still being built by incompetent morons and hobbyists. Our case today: eerlijkebankwijzer.

First the good news. The site promotes a very useful service, in that they will compare your bank with a set of standard questions and give you your bank’s score on ethics, environment, investments in guns and ammunition, human rights and so on. A very cool service and if you’re Dutch I highly recommend you check to see your bank’s score.

The bad news though is this little gem:

An error has occuured: mysql error error: column count doesnt match value count at row insert into mail_messages_queue (from, message) values ('joost baaij', 'test')

As any competent web developer can see, they have programmed this website in such a manner that leaves them completely vulnerable to SQL injection attacks. This kind of attack enables hackers to completely wipe out a website, read everyone’s personal details, modify all kinds of things and deface the website. SQL injection is particularly nasty since there are automated toolkits that do this for you–no skills required.
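The error message above shows the insert being built by pasting form values straight into the SQL text, so a name containing an apostrophe is enough to break the statement. Here is an added example (not code from the site or from this post) that reproduces that pattern against an in-memory SQLite table and puts the fix beside it: a parameterised query where the database driver binds the values, so the same input is simply stored. The table name and the two column names are taken from the error message; the schema itself is a constructed stand-in.

```python
import sqlite3

# Constructed stand-in for the site's mail_messages_queue table.
# "from" is a reserved word, so it has to be a quoted identifier.
SCHEMA = (
    'CREATE TABLE mail_messages_queue '
    '(id INTEGER PRIMARY KEY, "from" TEXT NOT NULL, message TEXT NOT NULL)'
)


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def enqueue_unsafe(conn, sender, message):
    """The pattern the error message reveals: form input spliced into SQL text.

    Any quote character in the input changes the structure of the statement."""
    sql = (
        'insert into mail_messages_queue ("from", message) '
        "values ('%s', '%s')" % (sender, message)
    )
    conn.execute(sql)
    conn.commit()


def enqueue_safe(conn, sender, message):
    """Fixed version: placeholders in the SQL, values bound by the driver.

    The input is passed as data and can never be parsed as SQL."""
    sql = 'insert into mail_messages_queue ("from", message) values (?, ?)'
    conn.execute(sql, (sender, message))
    conn.commit()


def stored_messages(conn):
    return conn.execute(
        'select "from", message from mail_messages_queue'
    ).fetchall()


def demo(sender, message):
    """Run both versions on the same input.

    Returns (outcome of the unsafe insert, rows stored by the safe insert)."""
    unsafe_conn = fresh_db()
    try:
        enqueue_unsafe(unsafe_conn, sender, message)
        unsafe_outcome = "inserted"
    except sqlite3.Error as exc:
        unsafe_outcome = "error: " + str(exc)

    safe_conn = fresh_db()
    enqueue_safe(safe_conn, sender, message)
    return unsafe_outcome, stored_messages(safe_conn)


if __name__ == "__main__":
    # Constructed inputs: the name from the error message, then one with an apostrophe.
    for sender in ("joost baaij", "O'Brien"):
        outcome, rows = demo(sender, "test")
        print(f"{sender!r}: unsafe -> {outcome}; safe -> {rows}")
```

The unsafe path inserts the plain name but fails with a syntax error on O'Brien, which is exactly the kind of message the site leaked. The parameterised path stores both names verbatim, and it does so without any escaping code of its own, which is why binding parameters (or an ORM that does it for you) is the fix rather than a sanitising regex.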

There’s more bad news, of course. They don’t protect against cross-site request forgery at all. This leaves the application open to abuse and spam by zombies and bots. It is really inexcusable. I am left wondering how on earth any competent web developer could leave those things out. I guess they will find out soon enough after their first attack though.
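A CSRF defence for a form like the site's message queue is a secret, session-bound token embedded in the form and checked on every POST. A form submitted from another site carries the victim's cookie but not the token, so the server can tell the two apart. The following is an added example (not the site's code) of that check in plain Python: the token is an HMAC of the session id under a server secret, verified with a constant-time compare. The request dictionaries, session ids and server secret are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret. In a deployment this would come from
# configuration, never from source, and would be rotated.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Token to embed in the form as a hidden field for this session.

    Deriving it from the session id keeps the server stateless; the token is
    only guessable by someone who already holds the session cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token belongs to this session."""
    if not submitted:
        return False
    expected = issue_token(session_id)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, submitted)


def handle_post(request: dict) -> str:
    """Minimal stand-in for the form handler; returns an HTTP-style status line."""
    session_id = request.get("cookie_session")
    if session_id is None:
        return "401 no session"
    submitted = request.get("form", {}).get("csrf_token")
    if not verify_token(session_id, submitted):
        return "403 csrf check failed"
    # Only now would the message be queued (the queuing itself is not modelled).
    return "200 queued"


def scenarios():
    """Three constructed requests: a legitimate one, a cross-site form post
    that rides on the victim's cookie without the token, and one carrying a
    token issued for a different session."""
    victim = "sess-victim-123"
    legitimate = {
        "cookie_session": victim,
        "form": {"csrf_token": issue_token(victim), "message": "hello"},
    }
    cross_site = {"cookie_session": victim, "form": {"message": "spam"}}
    other_session_token = {
        "cookie_session": victim,
        "form": {"csrf_token": issue_token("sess-other-999"), "message": "spam"},
    }
    return [handle_post(r) for r in (legitimate, cross_site, other_session_token)]


if __name__ == "__main__":
    for label, status in zip(("legitimate", "cross-site", "other session"), scenarios()):
        print(f"{label}: {status}")
```

Rendering the token into the form and checking it on every state-changing request is the whole mechanism; a framework that does this automatically is the usual way to avoid forgetting a form, which is the mistake the post is pointing at.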

To leave y’all on a positive note: the site does validate as xhtml 1.0 transitional. Good job!