So recently I was entering some codes online to see if I won something. In the address string at the top of the page I noticed it said winner=false in the string. I switched that to say winner=true and refreshed the page. My loosing code was suddenly a winning code. Not really fancy and not really cross site scripting, but definitely bad coding…