Mechanical

How much do *you* want to pay?

There's a running joke at work about David Hasselhoff being hired as our spokesperson, right down to someone spoofing his email and sending out "hello" messages to employees. So today, someone made a reference to thehoffshop.com, the place where you can buy "hofficial" t-shirts which read "Don't Hassle with the Hoff".

Me, thinking that $40 was a bit steep for a Hasselhoff t-shirt, did some exploring and noticed they had this in their HTML:

    <input name="price" type="hidden" value="40">


Well, if you know much about Web programming, you know that's an open invitation for someone to change that price to whatever they want, and I wrote a couple of lines of Perl (well, 6, to be exact) which changed the price and resubmitted the form, and lo! I could buy Hasselhoff t-shirts for only $5.00. Since finding security holes is a lot more fun than trying to explain to the police that you were only kidding, I didn't complete the order; I just noted that I could.

The best, however, is yet to come. Despite the Hoff's programmers having built one of the finest cars in existence, they clearly don't know squat about Web programming. Apparently, their marketing department needs a bit of work, too. Go to that site. Look at the lower left corner. If they still don't have any women's black t-shirts, the message reads "black girls out of stock".

This entry just wouldn't be complete without this.
Wow. A bit full of himself, huh. Now I officially don't like him. LOL
That is some lazy, lazy web-programming.

I wonder what happens if one puts some impolite SQL into that field.
I just checked. Seems they are simply stripping out single quote marks (and doing it on the server side). They lose some info, but in this case it doesn't hurt them.

Curiously, later on in the processing I used the last name of O'Reilly and it kept the single quote mark. Wonder why they switch their behavior on different pages.

(For confused techies, we're discussing SQL injection attacks.)
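As an added example (not the shop's code, of which the post only shows the hidden field), here is a constructed checkout handler that trusts the hidden `price` field and strips single quotes, the two behaviours described in the post and in this thread, next to a hardened version that takes the price from a server-side catalog and passes the customer's name as a query parameter, so O'Reilly keeps its apostrophe without ever being interpreted as SQL. The catalog, the SKU name and the sqlite3 `orders` table are assumptions for the demonstration.

```python
import sqlite3

# Constructed catalog; the only real price on the page is the $40 t-shirt.
CATALOG = {"tshirt-hoff": 40.00}


def init_db():
    """In-memory orders table standing in for the shop's database (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (sku TEXT, last_name TEXT, price REAL)")
    return conn


def vulnerable_checkout(conn, form):
    """Mirrors the shop as described: the client-supplied hidden 'price'
    is believed, and quotes are stripped instead of parameterised."""
    price = float(form["price"])                    # attacker-controlled
    last_name = form["last_name"].replace("'", "")  # lossy: O'Reilly -> OReilly
    conn.execute(
        f"INSERT INTO orders VALUES ('{form['sku']}', '{last_name}', {price})"
    )
    return price, last_name


def hardened_checkout(conn, form):
    """The price is looked up server-side from the SKU, and the name goes
    through a parameterised query, so the quote is stored, not executed."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    price = CATALOG[sku]
    last_name = form["last_name"]
    conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (sku, last_name, price))
    return price, last_name


def price_tamper_detected(form):
    """Detection hook: if a client still submits a hidden price, compare it
    with the catalog; a mismatch is a tampering signal to log and reject."""
    catalog_price = CATALOG[form["sku"]]
    submitted = float(form.get("price", catalog_price))
    return submitted != catalog_price
```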
Ah!
I'd guess that they probably had different contracted coders working on the respective pages with no enforced consistency standards or common tools.

Not that I would know anything about subcontracting for shoddy development houses. (sigh)
I saw that the other day -- watched it in an airport, actually. People in airports get confused when a chick in a business suit starts happily going 'awwwwww' at her laptop... right after a significant flight delay was announced. :)
OMG. That video is the best thing I've seen. I can't stop laughing.