Daniel F. Thornton

Reputation: 3685

Violating the Rules of Web Development

Check out this page from the New York Times:

http://homedelivery.nytimes.com/HDS/learnMorePopUp.do?mode=common.learnMorePopUp&productId=NDS&prodRate=7.40

I was surprised to see that when I manually modified the prodRate parameter, the page updated:

Try it for yourself! Now, I haven't done much web development, but I know this probably shouldn't happen. So I'm wondering:

Upvotes: 1

Views: 179

Answers (5)

atk

You might want to rephrase your question, as the only answers I can conceive aren't too illuminating:

Q: What kind of implementation would cause this behaviour?
A: One in which user input is allowed to control internal, trusted behavior. If you're asking "why would someone do this", I've usually seen it as a misunderstanding. The code author generally doesn't realize that the user can (a) control the value and/or (b) even discover it exists. Most often, I've seen this implemented as a redirect: you click a button, the server determines the amount, then redirects the browser to a new page that maintains the value.

Q: How would you modify the page to hide such sensitive parameters from the end user?
A: Don't store the value in a manner by which it is editable by the end user. If you have storage available on the server (like a Servlet engine) store it in the session context. If you don't have a good session mechanism, you could store it in a signed or HMAC'd cookie.

Upvotes: 1
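The two alternatives atk describes (keep the number server-side and look it up, or let it travel with the client but under an HMAC so tampering is detectable) side by side, as an added example that is not part of the original thread. It is a stand-alone Python sketch, not code from the site in the question: the secret key, the `CATALOGUE` prices, the `sign_rate`/`verify_rate` helpers and the `|`-delimited token format are all assumptions made here for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Assumed server-side secret for the example. A real deployment loads this
# from configuration or a key store; it must never reach the client.
SECRET_KEY = b"example-server-secret-do-not-ship"

# Constructed catalogue: the server's own authoritative price per productId.
# "NDS" mirrors the id in the question; the prices are illustrative only.
CATALOGUE = {"NDS": "7.40", "WKD": "5.85"}


def naive_rate_from_url(url: str):
    """The pattern in the question: take prodRate straight from the query
    string and trust it. Anyone can edit the URL and change the number."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("prodRate", [None])[0]


def catalogue_rate(product_id: str):
    """Server-side lookup: ignore any client-supplied price and derive it
    from the product id alone. This is the option to prefer when possible."""
    return CATALOGUE.get(product_id)


def sign_rate(product_id: str, rate: str, key: bytes = SECRET_KEY) -> str:
    """Tamper-evident token 'productId|rate|hexmac' suitable for a cookie or
    a URL parameter when the value genuinely has to round-trip via the client.
    The MAC covers both fields, so neither can be swapped independently."""
    if "|" in product_id or "|" in rate:
        raise ValueError("fields must not contain the separator")
    payload = f"{product_id}|{rate}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{product_id}|{rate}|{tag}"


def verify_rate(token: str, key: bytes = SECRET_KEY):
    """Return (product_id, rate) if the MAC checks out, otherwise None.
    Uses compare_digest so the check does not leak timing information."""
    try:
        product_id, rate, tag = token.split("|")
    except ValueError:  # wrong number of fields: malformed or truncated token
        return None
    expected = hmac.new(key, f"{product_id}|{rate}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return product_id, rate


def demo() -> dict:
    """Walk a legitimate and a tampered value through all three approaches."""
    issued = sign_rate("NDS", "7.40")
    # An attacker edits the price portion of the token the same way the
    # question edits prodRate in the URL; the MAC no longer matches.
    tampered = issued.replace("|7.40|", "|0.01|")
    edited_url = "http://example.invalid/learnMore?productId=NDS&prodRate=0.01"
    return {
        "naive_trusts_edit": naive_rate_from_url(edited_url),   # "0.01"
        "lookup_ignores_edit": catalogue_rate("NDS"),           # "7.40"
        "signed_ok": verify_rate(issued),                       # ("NDS", "7.40")
        "signed_tampered": verify_rate(tampered),               # None
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The catalogue lookup is the robust fix: the client never carries a price, so there is nothing to tamper with. The signed token is the fallback for cases like a pop-up opened by URL where no server session is available; note it only proves the server issued that pair, so a stale but validly signed rate is still accepted unless an expiry is added to the signed payload.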

Dan Diplo

Reputation: 25339

I've found all kinds of bad practice like this. I've seen websites pass entire SQL queries around in the querystring, which are then executed. I also remember finding an online shop that passed prices in the querystring. I changed one to a negative value and, sure enough, at checkout the price was minus! I didn't go any further though; technically it is fraud and not worth risking.

Upvotes: 1

Godeke

Reputation: 16281

You can't order from that page, so I'm not seeing a security hole here. Yeah, it is cheesy, but I would be far more concerned if the actual order flow was so poorly constructed. It does make it easy to update the rate in one place and just pass the value, so I can see how it happened.

We have some rating pages that do pretty much the same thing. They aren't connected to the actual purchase flow so parameters are fine. If the client wants to confuse themselves by editing a URL, so be it... the actual order flow is all database driven and user edits are never trusted.

Upvotes: 1

Martin Clarke

Reputation: 5657

Well, have you actually tried to order it yet? It might validate the input on the back end.

As to other options, they could have considered either POSTing the information or putting the information in a cookie. Neither is exactly foolproof. You can't get a new window with a POST, and a user can turn cookies off.

Upvotes: 1

Brandon

Reputation: 69983

They're probably just reading the value right off the querystring for display purposes. I highly doubt (or rather, would really hope) that any actual order processing is based off that value, rather than a lookup using the product ID.

Upvotes: 3