Stumbling across a website registration bug

I’m pretty sure I have many more issues with website registrations than the average person. Between sites that don’t recognize abc+filter@domain.com as a valid email address and those with password requirements too weak for my standards, frustration is not uncommon. However, I found a winner tonight where I discovered an actual bug in the implementation of the registration form. All URLs and other information in this post are have been modified for obvious reasons. Anyway, here’s how the story goes:

Upon clicking “Register”, the only thing that happens is a cryptic error code appears at the top of the form. Initially, I figured there was a problem on my end. That happens all of the time too – between Ghostery and a large hosts file blacklist, websites breaking is becoming a near daily occurrence for me. So, I tried again on my laptop using a different browser, where none of the blocking is present, and got the same result. As someone who would rather debug someone else’s website than have to talk to someone over the phone for support, well, that’s exactly what I did.

Next step: try again with Firefox’s network inspector open. Immediate progress when the POST request for submitting the form comes back with a 401 Unauthorized response. You don’t see 401s every day. Ok, it’s probably a server issue, but I’ll look closer anyway. Firefox’s parsing of the request is a dead giveaway that there’s something wrong with the request itself.

form-derp

Why is that JSON split in half with : "" at the end of each line? The mouseover behavior makes it even more clear that it’s trying to parse it as a form with one key: “value” per line. Anyway, the issue happens right where there’s an ‘&’ in the password. There’s no way that’s a coincidence. On a side note, normally, when your password is too long, the site won’t let you keep typing. Not here, nope! Truncated to 16 characters without warning. On another side note, that’s a randomly generated password that, with its failure here, is not used by me anywhere.

What about the full request?

It took a little while for the problem to jump out at me.

That’s clearly not the right content type and would explain the issue. I tried registering again with a new password without an ‘&’ and it worked.

Mystery solved? Maybe. My conclusion is circumstantial. Clearly, there’s a parsing issue at the other end. Whether or not the content type is the sole cause or just bad parsing code in general is unknown.

I found a webmaster@ email and sent them an email. I wonder if I’ll hear back.

Leave a Reply

Your email address will not be published. Required fields are marked *