Changing Prices in a Web-based Event Registration System
A Web-based event registration system Testware was testing had an online events calendar that displayed all upcoming events in date order. Clicking on an event in the calendar brought up a detail page for that event with a verbose event description, intended audience, location, directions and price information. This detail page also had a "Register Now!" button for each event that took you to a form for registering and paying for the event online. The detail page looked like this:

How were the event details being passed from this event detail page to the registration form? Moving the mouse over the Register Now button revealed a really, really long link. (The link could be seen in the bottom status bar of the browser window.) Right-clicking the link and choosing the Copy Shortcut menu item to copy the link code to the clipboard let us then paste it into Notepad for a closer look. The link code was:
https://somedomain.com/event/register.cgi?ename=How+Secure+are+You?&membcost=20&noncost=40&stucost=0&evtdate=06/19/2001&evtime=8:30+am&day=19&month=06&year=2001&evtdbid=304
Clicking on this link brings up the registration form. The form had a summary of the event at the top, followed by the usual data entry fields for your contact, company and payment information. The top of the registration form looked like this:

The HTTP GET method is being used here to pass all kinds of data to a server-side CGI script, register.cgi, that processes the registration. Everything after the '?' is the query string: each field is a name=value pair, and the pairs are separated with the ampersand character '&'. Because the whole query string sits in a link on a page the user already has, every one of these values is under the user's control. Let's dissect the link above and see if we can decipher what the data fields are.
| field name | value | meaning |
|---|---|---|
| ename | How+Secure+are+You? | event name |
| membcost | 20 | cost to attend for members |
| noncost | 40 | cost to attend for non-members |
| stucost | 0 | cost to attend for students |
| evtdate | 06/19/2001 | event date |
| evtime | 8:30+am | event start time |
| day | 19 | day of month of event |
| month | 06 | month of event |
| year | 2001 | year of event |
| evtdbid | 304 | event ID in server-side database |
Since the link gives us access to the cost information, it's logical to try modifying the original link code and using the edited link to access the registration form. Specifically, let's change the event name (ename) to "Not+Too+Secure!", the member cost (membcost) from 20 to 1 and the non-member cost (noncost) from 40 to 2, leaving every other field, including the event ID, as it was. The edited link and the resulting registration form are shown below.
https://somedomain.com/event/register.cgi?ename=Not+Too+Secure!&membcost=1&noncost=2&stucost=0&evtdate=06/19/2001&evtime=8:30+am&day=19&month=06&year=2001&evtdbid=304

This registration form, accessed with the edited link, allowed us to register for the event at a $1 price, instead of the proper $20. The server took the price from the link and never compared it against the price stored for event 304. This motivated us to ask: Why is the website encoding vital and sensitive pricing information in the link? A better design would be to have the link transmit only the event ID, like
https://somedomain.com/event/register.cgi?evtdbid=304
Then, the CGI script could access the server-side database to pull the event name, date, time and cost information. Why send all of this information as part of the link and then have it sent right back to the server for processing? Why expose the price and other information to user hacking attempts? Note that switching from GET to POST, or moving the prices into hidden form fields, would not fix the problem: any value that leaves the server can be edited before it comes back, so the price must be looked up on the server at the moment the registration is processed.
Other interesting tests we performed included deleting fields from the link and replacing numeric data (like the event ID) with alphabetic and/or symbol data. In all cases, we expected the website to trap this incomplete or invalid input and present a plain-language error message to the user. It should not crash, malfunction or corrupt data in the database when given "bad" input.
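To make the three points above concrete (the link carries the price, an edited link changes what the server charges, and the fix is to look everything up from the event ID while rejecting missing or malformed IDs with a plain message), here is an added Python example. It is not Testware's code and not the site's register.cgi; the event table, the two handler functions and the constructed links are all assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the server-side events table. The values mirror
# the article's dissected link; this is not the site's real database.
EVENTS = {
    304: {
        "ename": "How Secure are You?",
        "membcost": 20,
        "noncost": 40,
        "stucost": 0,
        "evtdate": "06/19/2001",
        "evtime": "8:30 am",
    },
}

PRICE_FIELDS = ("membcost", "noncost", "stucost")

# The original link from the page and the edited one (spaces removed so they
# are valid URLs); both are constructed from the article's text.
ORIGINAL_LINK = (
    "https://somedomain.com/event/register.cgi?ename=How+Secure+are+You?"
    "&membcost=20&noncost=40&stucost=0&evtdate=06/19/2001&evtime=8:30+am"
    "&day=19&month=06&year=2001&evtdbid=304"
)
TAMPERED_LINK = (
    "https://somedomain.com/event/register.cgi?ename=Not+Too+Secure!"
    "&membcost=1&noncost=2&stucost=0&evtdate=06/19/2001&evtime=8:30+am"
    "&day=19&month=06&year=2001&evtdbid=304"
)


def query_fields(url):
    """Split a register.cgi link into its name=value fields, the way the
    article does by hand. '+' becomes a space and blank values are kept."""
    query = urlsplit(url).query
    return {name: values[0] for name, values in
            parse_qs(query, keep_blank_values=True).items()}


def vulnerable_price(url, category="membcost"):
    """The design the testers found: the price is read straight back from
    the link, so whatever the user put there is what gets charged."""
    fields = query_fields(url)
    return int(fields[category])


def hardened_register(url, category="membcost"):
    """Only the event ID is taken from the link; name, date and prices come
    from the server-side table. Returns (True, price) on success or
    (False, message) with a plain-language error for incomplete or invalid
    input, so bad links never raise an exception into the CGI script."""
    fields = query_fields(url)
    raw_id = fields.get("evtdbid")
    if raw_id is None:
        return False, "Missing event ID. Please return to the calendar and choose an event."
    if not raw_id.isdigit():  # rejects letters, symbols, blanks, negatives
        return False, "Invalid event ID. Please return to the calendar and choose an event."
    event = EVENTS.get(int(raw_id))
    if event is None:
        return False, "Unknown event. Please return to the calendar and choose an event."
    if category not in PRICE_FIELDS:
        return False, "Unknown registration category."
    return True, event[category]


if __name__ == "__main__":
    print("vulnerable, original link:", vulnerable_price(ORIGINAL_LINK))
    print("vulnerable, edited link:  ", vulnerable_price(TAMPERED_LINK))
    print("hardened, edited link:    ", hardened_register(TAMPERED_LINK))
    for bad in ("https://somedomain.com/event/register.cgi",
                "https://somedomain.com/event/register.cgi?evtdbid=",
                "https://somedomain.com/event/register.cgi?evtdbid=30%27;--",
                "https://somedomain.com/event/register.cgi?evtdbid=999"):
        print("hardened, bad link:       ", hardened_register(bad))
```

The hardened handler ignores membcost, noncost and stucost even when they are present, so the edited link still produces the $20 member price; the malformed-ID cases return a message rather than a traceback, which is the behaviour the deletion and symbol tests described above are checking for.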