Today we start a new category of article called How Not to Build a Web Application.
This sort of ridicule may seem petty, but in the interest of Full Disclosure, I think it is justified. And of course: criticising is easier than doing 🙂.
In this first installment we take a look at a simple security hole in willitblend.com based around URL parameters.
Will it blend? is a textbook example of Viral Marketing done well. From a Marketing point of view, it is executed flawlessly: the content, the format, the presenter, the music, the shameless self-promotion… all perfect! Unfortunately the technical implementation of the site leaves a little more to be desired.
willitblend.com has two categories of video, Don’t Try This @ Home and Try This @ Home. The former category comes with a large warning notice to ensure that small children don’t attempt these dangerous blending experiments at home. Videos in the latter category come with an equally eye-catching message encouraging all and sundry to attempt what is portrayed in the video in the comfort of their own kitchen. (I may be paraphrasing.)
We will examine my favourite Will it blend? video which features blending glass marbles into deadly powdered glass vapour, fantastic!!
Let’s take a look at the URL and resulting page:
The first thing you’ll notice is video=rake. Okay, so they jumbled up their links: the rake URL points to the marbles video, and the marbles URL points to the rake video. That’s okay, everybody makes mistakes.
The second thing you’ll notice is that the URL includes the type parameter.
At this point you are probably wondering: they wouldn’t rely on URL parameters to display the warning message, would they?
Try the following URL:
By removing the type URL parameter, the warning disappears.
Following this through to its illogical conclusion, when the type parameter is replaced with safe, we get the message encouraging home participation above the highly dangerous video.
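To show the flaw in miniature, here is an added example (not willitblend.com’s code, which is not public): one handler picks the banner from the client-controlled type parameter, exactly as the site appears to, and a fixed handler ignores that parameter and derives the banner from the server’s own record of the video. The video catalogue, the URLs and the behaviour for values other than safe are constructed assumptions.

```python
# Added example, not the site's code: a warning banner chosen from a
# URL parameter (vulnerable) beside one derived from server-side data (fixed).
from urllib.parse import parse_qs, urlparse

# Constructed catalogue standing in for the site's video data. The "danger"
# flag is the server-side source of truth for each video.
VIDEOS = {
    "marbles": {"title": "Glass marbles", "danger": True},
    "rake":    {"title": "Garden rake",   "danger": True},
    "ice":     {"title": "Ice cubes",     "danger": False},
}

BANNERS = {
    True:  "Don't Try This @ Home",
    False: "Try This @ Home",
}


def query(url: str) -> dict:
    """Return the URL's query parameters as single-valued strings."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def banner_vulnerable(url: str) -> str:
    """Picks the banner from the 'type' parameter, so whoever edits the URL
    (or publishes a link) decides which message the viewer sees.
    The site's real value for the dangerous case is not known; here any
    value other than 'safe' shows the warning, and no value shows nothing."""
    kind = query(url).get("type")
    if kind is None:
        return ""                 # parameter removed: warning disappears
    if kind == "safe":
        return BANNERS[False]     # dangerous video, friendly message
    return BANNERS[True]


def banner_fixed(url: str) -> str:
    """Ignores 'type' entirely: the banner follows the catalogue entry for
    the requested video, which the client cannot alter. An unknown video
    fails closed to the warning (a real handler would return 404)."""
    name = query(url).get("video", "")
    video = VIDEOS.get(name, {"danger": True})
    return BANNERS[video["danger"]]
```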
The moral of the story is: when creating websites or web applications you can avoid basic security holes (and blender-related injury) if you use URLs appropriately.
To exaggerate further:
- Incorrect use of URL
- Correct use of URL
And before I go, remember kiddies: Try this at home! 😉