Full Version: browser temp files
beardednose
Have you checked your web apps lately to see what they're dumping in the Temporary Internet Files (speaking specifically of IE, but Netscape or other browsers do the same)? I did last week and found that the SSN of all employees that I ran a query about, as well as their IDs, was in several temp files on my hard drive.

None of this information was displayed in the application! Later I will propose why I think this happens. But first, here's a suggested way to check what's leaking out of your applications:

1) Empty your browser cache and all temp files. This makes it easier to find the interesting temp files later without having to wade through a quagmire of files from weeks and weeks of browsing.

2) Open the web application and do some queries on yourself, if possible (it will be easier to identify your own SSN, employee ID, address, credit card #, and other personal info about yourself--once you know where in the temp file to look, you can then look up the same info for others).

For example, do a search for your name or select your name from a drop down list, especially if a back-end database is used to populate other fields. The latest app I found this problem in was a help desk trouble ticket application. You clicked on the user name and it automatically queried the Human Resources database to populate the office location, phone number, etc., in the help ticket.

3) Note in the URL which server the application is being served from (you'll need this in the next step). For example, http://server2/webapp/main.html

4) Leave the web app open and open a new browser window. Some applications do another query back to the database when you open a temp file, believe it or not, so you need to leave the original browser window open.

5) Open the browser temp files and sort them by URL (called Internet Address in IE). Scroll down to the first URL that begins with the server name.

6) Look in the NAME column to the left and look for filenames containing words such as xml, retrieve, popup, and any filenames ending in asp (active server pages). Some files will have all of these keywords and others only one or two. XML documents pay the biggest dividends (and the government can't tax those dividends!).

For example, PopupRetrieveXML.asp ...

7) Open the temp files of interest (you can open all to be sure)--I usually open each one in a new window so that I don't break the web application link. Look for key info.

8) If you find anything, print it out and take it to your manager. And watch the eyeballs pop out!

Now, why does this happen? You can't see the data in the web application but it gets dumped to your temp files? My best guess...

The web app needs to get the data from a database, and along the way a programmer (either the web app programmer or the person that wrote the interface between the app and the database, and who knows, probably both) took the quick and dirty way of retrieving the information that was needed: go and grab all the info on person XYZ out of the database and yet only post to the application the specific fields that are needed.

In other words, if a database record about you contains fields such as your name, address, phone number, SSN, employee ID, salary rate (yikes!), department, and email address, it's easier and faster to code the interface to retrieve the entire record, EVEN THOUGH only the fields containing your name, address, phone number, and department are used in the application (in the help desk ticket example, which I mentioned earlier).

So we need to teach our programmers (call 'em developers if you want) to code for only what is required. But then the managers have to understand that it takes more time to code for each individual FIELD in a record rather than reading the entire record. But that requires managers to understand the need for security during coding. Either way, it's a BIG culture change. Coding fast and cheap to get the baby birthed and out the door is the name of the game.

That's why I favor showing upper management the data about THEM that they don't want you to know. That usually gets some action. Good luck!
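The two halves of the post above (the over-fetching handler that dumps a whole HR record into the XML the browser caches, and the manual cache audit in steps 1 to 8) can be shown together in one runnable script. This is an added example written for this thread, not code from the original post or from the help desk product it describes. The HR table, the "server2" hostname, the cache directory layout and the employee-ID format `E1001` are all constructed for the demo; a real browser cache is indexed differently, but the audit logic (filter cached entries by origin host, then pattern-match for SSNs, IDs and values you already know are yours) is the same.

```python
"""Added example (not from the original post): simulate the leak the thread
describes and turn the manual temp-file check into a small audit script.

- leaky_lookup()   mimics the "grab the whole record" handler: SELECT * on the
                   HR table, every column serialized into the XML sent to the browser.
- minimal_lookup() is the hardened version: it selects only the four fields the
                   help-desk ticket actually displays.
- audit_cache()    walks a cache directory, keeps entries whose recorded origin
                   matches the app server (step 5), and flags SSN / employee-ID
                   patterns plus known personal values (step 2).

All data here is constructed for the demo.
"""
import os
import re
import shutil
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

APP_HOST = "server2"  # assumed: host the web app is served from, as in step 3

# Constructed sample HR rows: name, address, phone, ssn, emp_id, salary, department, email
ROWS = [
    ("Alice Example", "1 Main St", "555-0100", "123-45-6789", "E1001", 61000, "IT", "alice@example.test"),
    ("Bob Example", "2 Elm St", "555-0101", "987-65-4321", "E1002", 58000, "HR", "bob@example.test"),
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US SSN shape
EMP_RE = re.compile(r"\bE\d{4}\b")              # constructed employee-ID shape


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE hr(name, address, phone, ssn, emp_id, salary, department, email)")
    conn.executemany("INSERT INTO hr VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return conn


def _to_xml(row):
    # Serialize whatever columns the query returned; the client picks what to show.
    root = ET.Element("employee")
    for col in row.keys():
        ET.SubElement(root, col).text = str(row[col])
    return ET.tostring(root, encoding="unicode")


def leaky_lookup(conn, name):
    # Over-fetching pattern from the post: the whole record goes over the wire.
    row = conn.execute("SELECT * FROM hr WHERE name = ?", (name,)).fetchone()
    return _to_xml(row)


def minimal_lookup(conn, name):
    # Hardened pattern: only the fields the ticket displays ever leave the database.
    row = conn.execute(
        "SELECT name, address, phone, department FROM hr WHERE name = ?", (name,)
    ).fetchone()
    return _to_xml(row)


def cache_response(cache_dir, index, url, body):
    # Stand-in for the browser writing a response into Temporary Internet Files;
    # `index` plays the role of the browser's filename -> URL mapping.
    safe = re.sub(r"[^\w.]", "_", url.rsplit("/", 1)[-1])
    fname = f"entry{len(index):03d}_{safe}"
    with open(os.path.join(cache_dir, fname), "w", encoding="utf-8") as f:
        f.write(body)
    index[fname] = url


def audit_cache(cache_dir, index, host, known_values=()):
    """Return (filename, url, kind, match) for every suspicious hit in cached
    entries that came from `host`."""
    findings = []
    for fname, url in sorted(index.items(), key=lambda kv: kv[1]):  # step 5: sort by URL
        if urlparse(url).hostname != host:
            continue
        with open(os.path.join(cache_dir, fname), encoding="utf-8", errors="replace") as f:
            text = f.read()
        for kind, rx in (("ssn", SSN_RE), ("emp_id", EMP_RE)):
            for m in rx.findall(text):
                findings.append((fname, url, kind, m))
        for v in known_values:  # step 2: values you already know are yours
            if v in text:
                findings.append((fname, url, "known_value", v))
    return findings


def demo():
    conn = make_db()
    cache_dir = tempfile.mkdtemp()
    index = {}
    try:
        # Leaky app: cached XML carries SSN, employee ID, salary, email.
        cache_response(cache_dir, index, f"http://{APP_HOST}/webapp/PopupRetrieveXML.asp?name=Alice",
                       leaky_lookup(conn, "Alice Example"))
        # Unrelated site traffic that the host filter should skip.
        cache_response(cache_dir, index, "http://other.example.test/news.html",
                       "<html>123-45-6789 is not from our app</html>")
        # Hardened app: cached XML holds only ticket fields.
        cache_response(cache_dir, index, f"http://{APP_HOST}/webapp/PopupRetrieveMin.asp?name=Bob",
                       minimal_lookup(conn, "Bob Example"))
        return audit_cache(cache_dir, index, APP_HOST, known_values=("61000",))
    finally:
        shutil.rmtree(cache_dir, ignore_errors=True)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Running `demo()` reports three hits, all from the `PopupRetrieveXML.asp` entry (an SSN, an employee ID and the known salary value), and nothing from the hardened `PopupRetrieveMin.asp` entry, which is the point of the post's fix: select only the fields the page needs, and there is nothing sensitive left for the cache to keep.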



Jay
IE HISTORY
"IE History is a tool you can use to process the data files associated with Web browsers. IE History can be obtained by e-mailing the author, Scott Ponder, at support@phillipsponder.com. IE History's purpose is to parse the binary history files for the analyst so that you can analyze each web visit. Without using a tool such as this, tracking web browser usage would be much more difficult because the contents cannot be fully read by a general purpose file viewer."

Just something I was reading about you might want to check out.
beardednose
That product looks interesting, but I don't want to shell out $50 for it.

Has anyone else used this?

p.s. The above post was my first to this site, I believe.....what memories.
beardednose
Did anyone ever check out their temp files? What did you find? Are your apps at work leaking?

Or is this too lame for some of you?
w00dy
All of our programs are proprietary, legacy apps that run in a POS (not point of sale) console that essentially cause them to run like dummy terminals connected to the HP/UX mainframe. Web-based applications are the norm now, but they will never have the security of a nice closed-source, proprietary console app.

PS How the hell did u come across this post after 2 years?
beardednose
I looked back to see what my first post was when I hit 1100 or so posts. I'd forgotten about this one. And since it garnered few replies, my ego kicked in and I thought that I would try to get it started again.
Ph03n1xPr0j3c7
I just tried it with one of my company's web apps that we use for creating accounts. It's also connected to HR information.

I did not find anything of interest. The only files I found were .gif, .js, .css and some web page stuff.

I'll try this with some other apps and let you guys know what I find.

BN, I'm glad you brought this post back.
beardednose
Anything to keep my post count up....

Seriously, this particular app was purchased. I still haven't figured out whether it's the app or the interface (I suspect the interface we wrote did it). It's positioned for an upgrade, so we'll see if it changes....