Mar 18 2011

Chipotle Online Order System

I love me a good burrito, and although Chipotle is not my favorite burrito joint, they do have an online order system that makes ordering lunch for a team of hungry, and picky, developers simple. But while scheduling a pickup order for the entire team I felt more like a tester than a customer.

Right on the first page after logging in, I encountered infinite navigation loops. On the page where I was to order, there is a big red button that reads “ORDER NOW.” If you click this button, it reloads the page you are already on. After trying that a few times I realized I had to select one of the four order methods: online, app, fax, or burritos by the box.

Order Now

I then had ‘issues’ adding invitees to my order. Adding invitees is a three-step process. You have to add a list of email addresses in the text area, click ‘Add To Invitees’, which then does some AJAX magic and creates a check box for each invitee, and you have to select them all before they are actually invited. I can honestly say that I had to do this step a few times to get it right. If done right, each invitee receives an email with a link to order their own meal.

Add Invitees

One large problem that a few folks had was that they didn’t order what they actually wanted. Unbeknownst to several team members, Chipotle wants users to be explicit about each ingredient in a burrito. A lot of team members just clicked on Chicken and didn’t realize that Chipotle would then just give them a tortilla with some chicken. The burrito looked like it had a stunted growth issue, but worse were the faces of the folks who ordered such a mini-burrito. One problem here is that the UI for ordering what goes inside the burrito is cluttered and goes against the conventions of ordering a burrito in most taquerias. This mistake happened to three developers, so I can deduce that it is a common error when ordering online from Chipotle.

Burrito Builder

One final issue I encountered was with the pickup of the online order. I didn’t realize, nor did I receive a message from Chipotle, that I had to log into the system after everyone had made their order and check out. When the time came, I just showed up at my local Chipotle to pick up the food, but to my surprise they had not received it because I forgot to check out. Of course, when I logged onto their website from my phone there was no way for me to see the recent history or the pending order. Lucky for me, I was able to reach a hungry developer in the office and ask him to log into their website from my computer, and he was able to finalize the order.

In the end, a few folks didn’t get what they expected, the food was late, and I learned a valuable lesson. Next time I’ll just fax the order in.


Mar 30 2010

Top 25 Most Dangerous Programming Errors

I’ve always been interested in understanding common programming errors so that I can easily recognize and diagnose problems, hopefully without spending hours staring at breakpoints in my debugger. Previously, I’ve written on Common Groovy Errors and Top Worse Java Errors.

The US Department of Homeland Security, under the Common Weakness Enumeration initiative, put out the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors. Most of the errors noted relate to web application security.

  • Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
  • Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
  • Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  • Cross-Site Request Forgery (CSRF)
  • Improper Access Control (Authorization)
  • Reliance on Untrusted Inputs in a Security Decision
  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Unrestricted Upload of File with Dangerous Type
  • Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
  • Missing Encryption of Sensitive Data
  • Use of Hard-coded Credentials
  • Buffer Access with Incorrect Length Value
  • Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
  • Improper Validation of Array Index
  • Improper Check for Unusual or Exceptional Conditions
  • Information Exposure Through an Error Message
  • Integer Overflow or Wraparound
  • Incorrect Calculation of Buffer Size
  • Missing Authentication for Critical Function
  • Download of Code Without Integrity Check
  • Incorrect Permission Assignment for Critical Resource
  • Allocation of Resources Without Limits or Throttling
  • URL Redirection to Untrusted Site (‘Open Redirect’)
  • Use of a Broken or Risky Cryptographic Algorithm
  • Race Condition