Problem and Solution

Categories: General, Tech

I came across this problem while I was coding, and it bugged me for a very long time. After the launch of stocks on our website, it is possible to find a loophole when one is purchasing shares of stock. You see, when you purchase a share, the input fields with the stock information are disabled so you can’t modify the price. However, while I was testing the URL for the site, I noticed that a user could simply change the price of the stock in the URL and instantly get rich if they made each stock one dollar.

So this was a serious problem, and I got to work right away. Beforehand, I passed the stock price through the URL and used that price in the form. I tried to fix it by hiding the numbers in the URL. That didn’t work. After many attempts, I thought of another method. Why couldn’t I just use the price from the previous page, the page that listed all of the stocks? I queried the dictionary, found the real price, and used that in the form. Now even if a sneaky user tries to bypass the price of the stock by changing the URL, once they hit submit, it will show an error because the price in the URL doesn’t match the price I have in the dictionary.

The important lesson I learned from this experience was to consistently attack a bug from all sorts of perspectives until one worked out. When one try didn’t work, I didn’t give up; I thought of a new plan.
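The fix described above, sketched as an added example (not the site's actual code): the server takes the price from its own dictionary and rejects a request whose URL price does not match. The `STOCK_PRICES` table, the parameter names `symbol`, `price` and `shares`, and the URLs are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import urlsplit, parse_qs

# Constructed server-side price table, standing in for the post's "dictionary".
STOCK_PRICES = {"ACME": Decimal("142.50"), "GLOBX": Decimal("37.10")}


class PurchaseError(ValueError):
    """Raised when a purchase request fails server-side validation."""


def purchase_trusting_url(url, balance):
    """The 'before': the price charged is whatever the URL says."""
    q = parse_qs(urlsplit(url).query)
    return balance - Decimal(q["price"][0]) * int(q["shares"][0])


def purchase_checked(url, balance):
    """The 'after': price comes from STOCK_PRICES; the URL value is only compared."""
    q = parse_qs(urlsplit(url).query)
    symbol = q.get("symbol", [""])[0]
    if symbol not in STOCK_PRICES:
        raise PurchaseError("unknown stock symbol")
    try:
        shares = int(q.get("shares", [""])[0])
    except ValueError:
        raise PurchaseError("share count is not a whole number")
    if shares <= 0:
        # A negative count would turn the purchase into a credit.
        raise PurchaseError("share count must be positive")
    real_price = STOCK_PRICES[symbol]
    if "price" in q:
        try:
            claimed = Decimal(q["price"][0])
        except InvalidOperation:
            raise PurchaseError("price is not a number")
        if claimed != real_price:
            raise PurchaseError("price in URL does not match server price")
    cost = real_price * shares  # never computed from the client's value
    if cost > balance:
        raise PurchaseError("insufficient funds")
    return balance - cost


if __name__ == "__main__":
    tampered = "https://example.test/buy?symbol=ACME&price=1&shares=10"
    print("trusting:", purchase_trusting_url(tampered, Decimal("100")))
    try:
        purchase_checked(tampered, Decimal("100"))
    except PurchaseError as err:
        print("checked: rejected,", err)
```

The comparison is only there to produce the error the post mentions; the amount charged is computed from the server's price either way, so dropping the `price` parameter from the URL changes nothing.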


Published from: Pennsylvania US