Don't write your own framework

submitted by
Style Pass
2021-06-25 22:30:11

If you prefer listening over reading, you can listen to this post on YouTube or by subscribing to my podcast feed on Apple Podcasts, Stitcher or Spotify

We were sitting with 5 or 6 backend developers around the large meeting table. It was 10 in the morning on a Monday, and we were all silently working on our laptops. There was a hasty atmosphere, and everyone tried to concentrate on the task ahead.

Less than 2 hours before, I walked into the office, not yet aware of any harm. I was immediately called to the meeting room at the back; there was no time to sit at my desk. Still, I quickly grabbed a coffee and went to the back, where a few other colleagues had already gathered.

With them was our boss, a nice guy; there wasn't any "upper management" culture or anything, we were just colleagues. The other people in the room already knew what was going on, so he explained to me personally.

Our framework router would take a URL and filter out repeated slashes, so //admin would become /admin. This is, I believe, part of some HTTP spec; at least I was told so, I never double-checked. The problem, however, was in the authorisation layer: /admin was a protected URL, but //admin was not. So the router would resolve //admin and all its underlying pages to the admin section, and the authoriser wouldn't recognise it as a location you'd need admin privileges for.
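The mismatch described above, as an added example that is not the framework from the post: a toy router that collapses repeated slashes, an authoriser that checks the raw path (the bug), and a corrected authoriser that decides on the same normalised path the router dispatches on. Route names, the `/admin` prefix and the request paths are constructed for illustration.

```python
import re

# Constructed example: the prefix the post describes as protected.
PROTECTED_PREFIXES = ("/admin",)


def normalize_path(path: str) -> str:
    """Collapse repeated slashes the way the post's router did: //admin -> /admin."""
    collapsed = re.sub(r"/{2,}", "/", path)
    # Treat /admin/ and /admin as the same location; keep the bare root "/".
    if len(collapsed) > 1 and collapsed.endswith("/"):
        collapsed = collapsed[:-1]
    return collapsed


def is_protected(path: str) -> bool:
    """True for the admin section and everything below it."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def route(raw_path: str) -> str:
    """The router resolves the normalised path to a handler name (constructed)."""
    return "admin_section" if is_protected(normalize_path(raw_path)) else "public"


def authorise_vulnerable(raw_path: str, is_admin: bool) -> bool:
    """The bug: checks the raw request path, so //admin is not seen as protected."""
    return is_admin if is_protected(raw_path) else True


def authorise_fixed(raw_path: str, is_admin: bool) -> bool:
    """The fix: authorise the same normalised path the router dispatches on."""
    return is_admin if is_protected(normalize_path(raw_path)) else True


def handle_request(raw_path: str, is_admin: bool, authorise) -> tuple:
    """Return (handler, allowed) so a router/authoriser disagreement is visible."""
    return route(raw_path), authorise(raw_path, is_admin)


def same_decision_for_equivalents(variants, authorise) -> bool:
    """Regression check: every spelling of one location must get one decision
    for an anonymous user. A False here is exactly the class of bug in the post."""
    return len({authorise(v, False) for v in variants}) == 1
```

The regression check is the kind of test to keep around: feed every equivalent spelling of a protected path through the authoriser and assert they all agree.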