Will it blend?

Today we start a new category of article called How Not to Build a Web Application.

This sort of ridicule may seem petty, but in the interest of Full Disclosure, I think it is justified. And of course: criticising is easier than doing 🙂 .

In this first installment we take a look at a simple security hole in willitblend.com based around URL parameters.

Preface

Will it blend? is a textbook example of Viral Marketing done well. From a Marketing point of view, it is executed flawlessly: the content, the format, the presenter, the music, the shameless self-promotion… all perfect! Unfortunately the technical implementation of the site leaves a little more to be desired.

willitblend.com has two categories of video, Don’t Try This @ Home and Try This @ Home. The former category comes with a large warning notice to ensure that small children don’t attempt these dangerous blending experiments at home. Videos in the latter category come with an equally eye-catching message encouraging all and sundry to attempt what is portrayed in the video in the comfort of their own kitchen. (I may be paraphrasing)

Unsafe

We will examine my favourite Will it blend? video which features blending glass marbles into deadly powdered glass vapour, fantastic!!

Let’s take a look at the URL and resulting page:

The first thing you’ll notice is video=rake. Okay, so they jumbled up their links, the rake URL points to the marbles video, and the marbles URL points to the rake video. That’s okay, everybody makes mistakes.

The second thing you’ll notice is that the URL includes the parameter type=unsafe.

At this point you are probably wondering: they wouldn’t rely on URL parameters to display the warning message, would they?

No comment

Try the following URL:

By removing the type URL parameter, the warning disappears.

Safe

Following this through to its illogical conclusion, when the type parameter is replaced with safe, we get the message encouraging home participation above the highly dangerous video.
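The flaw described in the Unsafe, No comment and Safe sections above is that the warning is chosen from a client-supplied URL parameter rather than from what the server knows about the video. The following is an added example (not willitblend.com’s code) showing a page handler written both ways; the video catalogue, URL and function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalogue (hypothetical entries). The safety class
# is a property of the video, so it belongs here, not in the request.
VIDEO_CATALOGUE = {
    "marbles": {"title": "Glass marbles", "safety": "unsafe"},
    "rake": {"title": "Garden rake", "safety": "unsafe"},
    "icecream": {"title": "Ice cream", "safety": "safe"},
}

WARNINGS = {
    "unsafe": "Don't Try This @ Home",
    "safe": "Try This @ Home",
}


def _query(url):
    """Parse the query string into single values (first occurrence wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def render_vulnerable(url):
    """Warning chosen from the client-supplied 'type' parameter, as the post
    describes: dropping or changing the parameter changes the warning."""
    q = _query(url)
    video = q.get("video")
    if video not in VIDEO_CATALOGUE:
        return None
    safety = q.get("type")  # trusted straight from the URL
    return {"video": video, "warning": WARNINGS.get(safety)}


def render_hardened(url):
    """Warning derived from the server-side catalogue keyed by video id; any
    'type' parameter in the URL is ignored, so the URL cannot hide or swap it."""
    q = _query(url)
    video = q.get("video")
    entry = VIDEO_CATALOGUE.get(video)
    if entry is None:
        return None  # unknown video: a real handler would return 404
    return {"video": video, "warning": WARNINGS[entry["safety"]]}
```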

Conclusion

The moral of the story is: when creating websites or web applications you can avoid basic security holes (and blender-related injury) if you use URLs appropriately.

To exaggerate further:

Incorrect use of URL
http://example.com/index.aspx?page=105&type=7&banner=yes&3columns=no&heading=My+Website+Rules
Correct use of URL
http://example.com/my-awesome-article/

And before I go, remember kiddies: Try this at home! 😉
