Today we start a new category of article called How Not to Build a Web Application.
This sort of ridicule may seem petty, but in the interest of Full Disclosure, I think it is justified. And of course: criticising is easier than doing 🙂 .
In this first installment we take a look at a simple security hole in willitblend.com based around URL parameters.
Preface
Will it blend? is a textbook example of Viral Marketing done well. From a Marketing point of view, it is executed flawlessly: the content, the format, the presenter, the music, the shameless self-promotion… all perfect! Unfortunately the technical implementation of the site leaves a little more to be desired.
willitblend.com has two categories of video, Don’t Try This @ Home and Try This @ Home. The former category comes with a large warning notice to ensure that small children don’t attempt these dangerous blending experiments at home. Videos in the latter category come with an equally eye-catching message encouraging all and sundry to attempt what is portrayed in the video in the comfort of their own kitchen. (I may be paraphrasing)
Unsafe
We will examine my favourite Will it blend? video which features blending glass marbles into deadly powdered glass vapour, fantastic!!
Let’s take a look at the URL and resulting page:
The first thing you’ll notice is video=rake. Okay, so they jumbled up their links: the rake URL points to the marbles video, and the marbles URL points to the rake video. That’s okay, everybody makes mistakes.
The second thing you’ll notice is that the URL includes the parameter type=unsafe.
At this point you are probably wondering: they wouldn’t rely on URL parameters to display the warning message, would they?
No comment
Try the following URL:
By removing the type URL parameter, the warning disappears.
Safe
Following this through to its illogical conclusion, when the type parameter is replaced with safe, we get the message encouraging home participation above the highly dangerous video.
Conclusion
The moral of the story is that, when creating websites or web applications, you can avoid basic security holes (and blender-related injury) if you use URLs appropriately: the URL should identify which page or video is requested, and the server should decide from its own data how that content is labelled, rather than trusting a parameter anyone can edit.
To exaggerate further:
- Incorrect use of URL
- http://example.com/index.aspx?page=105&type=7&banner=yes&3columns=no&heading=My+Website+Rules
- Correct use of URL
- http://example.com/my-awesome-article/
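To make the problem described above concrete, here is an added example (my own illustration, not code from willitblend.com or from the original post) of a minimal request handler written two ways. The first trusts a client-supplied type parameter to pick the safety message, which is the hole the post demonstrates; the second looks the category up in the server’s own catalogue and ignores whatever type the client sends, and it also accepts the path-style URL form suggested in the list above. The video catalogue, the messages and the function names are constructed for illustration and are not the real site’s data.

```python
# Added example (not code from willitblend.com or the original post): a tiny
# request handler that shows the flaw where a URL parameter decides which
# safety message is shown, beside a version that derives the message from
# the server's own record of the video.
from urllib.parse import parse_qs, urlparse

# Constructed catalogue: the server's own knowledge of which category each
# video belongs to. Only "marbles" is taken from the post; "banana" is made up.
VIDEO_CATEGORY = {
    "marbles": "unsafe",  # glass marbles -> powdered glass: not for home use
    "banana": "safe",     # constructed harmless example
}

MESSAGES = {
    "unsafe": "Don't try this at home!",
    "safe": "Try this at home!",
}


def _query(url):
    """Return the query parameters of url as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def render_insecure(url):
    """Trusts the client-supplied 'type' parameter to pick the warning.

    Anyone can edit the URL, so 'type=safe' (or dropping 'type' entirely)
    silently removes the warning from a dangerous video.
    """
    params = _query(url)
    video = params.get("video")
    if video not in VIDEO_CATEGORY:
        return 404, "No such video"
    category = params.get("type")         # client-controlled value
    message = MESSAGES.get(category, "")   # missing/unknown type -> no warning
    return 200, f"{message} [video={video}]"


def render_secure(url):
    """Derives the warning from the server-side catalogue only.

    The URL identifies *which* video; the server decides *how* it is
    labelled. Any 'type' parameter the client sends is ignored. Accepts both
    the query-string form (?video=marbles) and the path form (/videos/marbles/).
    """
    parsed = urlparse(url)
    video = _query(url).get("video")
    if video is None:
        parts = [p for p in parsed.path.split("/") if p]
        if len(parts) == 2 and parts[0] == "videos":
            video = parts[1]
    if video not in VIDEO_CATEGORY:
        return 404, "No such video"
    message = MESSAGES[VIDEO_CATEGORY[video]]
    return 200, f"{message} [video={video}]"


if __name__ == "__main__":
    # The same dangerous video requested four ways: note how the insecure
    # handler's message changes with the URL while the secure one's does not.
    for u in ("/?video=marbles&type=unsafe", "/?video=marbles",
              "/?video=marbles&type=safe", "/videos/marbles/"):
        print(f"{u:30} insecure={render_insecure(u)!r:50} secure={render_secure(u)!r}")
```

The secure handler still takes input from the URL, but only to choose an entry in a server-side table; nothing the client can type changes what that entry says. Running the script shows the insecure handler printing an empty message or the encouraging one for the marbles video depending purely on the query string, while the secure handler returns the warning every time.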
And before I go, remember kiddies: Try this at home! 😉