Comment On The Phantom of The System

Mortimer Armstrong and his coworker had always known about The System: a gigantic order entry/processing application written entirely in ASP/VBScript. The System was so fragile that something as simple as a misplaced "double-click" could bring the whole thing down. The code churning within The System was so intricate and complex that only "The Whiz" (who, incidentally, was also the author of The System) could possibly understand and maintain it. After The Whiz had left the company, The System fell into Mortimer's coworker's lap. Amongst countless other things, one thing he was having such a hard time figuring out was the significance of the mysterious numbers 22, 7, -12, and 620 strewn throughout the code. Then he found this. Amidst 1600 lines of VBScript order validation/processing code. With not a single line containing anything even resembling a function or subroutine.

Re: The Phantom of The System

2005-08-03 08:56 • by dhromed
39767 in reply to 39755
Xepol:
As an interesting side note, and a totally different WTF, who set the limit for editing posts to obscenely small time limits of less than 10 seconds??




The forum gremlins.

I don't think there's anything Alex can do.

Re: The Phantom of The System

2005-08-03 10:29 • by David
39772 in reply to 39765

Anonymous:
If maskerAmount is the "masked" amount and maskerDummy is "throw someone off", why is maskerDummy being passed in the Response?


 


It's being passed in a very lame attempt to throw off anyone who knows about query strings from modifying the query string to try and trick the system. Someone trying to trick the system is more likely to start trying to change the value of "tot" rather than "track", when in reality tot is a dummy value and track is the actual total, but masked. [sarcasm]Of course we all know that they would only ever try to change the value of tot, and never ever any other query string variable. [/sarcasm]

Re: The Phantom of The System

2005-08-03 11:48 • by chocolateBar
39777 in reply to 39716
I can't agree somehow.

Re: The Phantom of The System

2005-08-03 12:54 • by JohnO
39778 in reply to 39686
dubwai:

(999999 - 100000 + 1)


What's the point of doing that calculation not only once but multiple times?



What's the point of even doing it once?

Re: The Phantom of The System

2005-08-03 15:09 • by Rank Amateur
39796 in reply to 39778
JohnO:
dubwai:

(999999 - 100000 + 1)


What's the point of doing that calculation not only once but multiple times?



What's the point of even doing it once?



Everybody knows the more complicated the encryption the harder it must be to crack. "maskerAmount = ((((oTotal + 22) * 7 )) - 12) * 620" is much harder to crack than "maskerAmount = oTotal * 4340 + 88040" (or whatever).


--Rank
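The point Rank Amateur is making, carried through in code as an added example (this is not code from the original page or from The System). It takes the thread's masking expression at face value and shows that it collapses to a single affine map, so anyone who can see one or two of their own (total, masked) pairs can reconstruct it without knowing the constants and then forge a "track" value for any total they like. The four constants are the ones quoted in the thread; the function names and the use of integer cents for totals are assumptions made for the example.

```python
"""Added example, not code from the original page or from The System.

The four constants are the ones quoted in the thread; function names and the
use of integer cents for totals are assumptions made for this example.
"""

MASK_CONSTS = (22, 7, -12, 620)  # a, b, c, d from the thread's snippet


def mask(total_cents: int, consts=MASK_CONSTS) -> int:
    """maskerAmount = ((((oTotal + 22) * 7)) - 12) * 620, as quoted in the thread."""
    a, b, c, d = consts
    return ((total_cents + a) * b + c) * d


def affine_form(consts=MASK_CONSTS) -> tuple:
    """Collapse the nested arithmetic into slope m and intercept k: mask(t) = m*t + k."""
    a, b, c, d = consts
    return b * d, (a * b + c) * d


def unmask(masked: int, consts=MASK_CONSTS) -> int:
    """Invert mask(); rejects values that no integer total could have produced."""
    m, k = affine_form(consts)
    if (masked - k) % m:
        raise ValueError("not a masked total")
    return (masked - k) // m


def recover_affine(samples) -> tuple:
    """What an attacker does: fit m and k from two observed (total, masked)
    pairs taken from their own orders. No knowledge of the constants needed."""
    (t1, y1), (t2, y2) = samples[:2]
    if t1 == t2:
        raise ValueError("need two distinct totals")
    m = (y2 - y1) // (t2 - t1)
    k = y1 - m * t1
    return m, k


def forge(desired_total_cents: int, m: int, k: int) -> int:
    """Build the 'track' query-string value the server will unmask to desired_total_cents."""
    return m * desired_total_cents + k


if __name__ == "__main__":
    seen = [(t, mask(t)) for t in (1999, 4550)]  # two of the attacker's own orders
    m, k = recover_affine(seen)
    print("recovered m, k:", m, k, "expected:", affine_form())
    forged = forge(1, m, k)
    print("forged track for 1 cent:", forged, "unmasks to", unmask(forged))
```

The slope and intercept come out as 4340 and 88040, which is exactly the simplification in the post above. Two receipts are enough to recover them, and from there the attacker never needs the constants at all.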

Re: The Phantom of The System

2005-08-03 16:11 • by JamesCurran
39802 in reply to 39735

Anonymous:
spotcatbug:
Nobody beats The Whiz!

Heheh... kudos for the Seinfeld reference...


Actually, "The Wiz" is (was?) a NYC-area electronics chain store.  The slogan was "Nobody beats the Wiz!"


 

Re: The Phantom of The System

2005-08-03 17:05 • by ammoQ
39807 in reply to 39766
Anonymous:
  1. Anyone trying to defend such methodology (as some have attempted
    to argue that it is reasonable to send the data via the query string)
    merely demonstrates a lack of understanding of what it takes to make
    secure and functional web applications.

  2. Protecting the data from tampering can take many forms: one could
    store the data in SQL Server with a timestamp or guid to provide the
    reference key. Alternatively, one could store it in the Session object
    (or in ASP.NET, one could store it in the ViewState and have enableMac
    property set to true)


Invariably, any web developer who is still doing what this snippet does, exposing private data in the query string, ought to be publicly humiliated. They just give web developers a bad name and, by no small measure, we have quite a significant mass of web programmers who are neither programmers of any decent distinction nor proponents of any worthwhile methodology.

Re: The Phantom of The System

2005-08-04 07:46 • by lucio

The phantom of the opera is there...


inside your code [:|]

Re: The Phantom of The System

2005-08-04 09:24 • by David
39849 in reply to 39765
The whole point of the response is to throw people off with saying the
'amount=' maskerdummy, when in reality the real total is in
'track='. 

Re: The Phantom of The System

2005-08-04 09:33 • by RobbieGee
39851 in reply to 39705
Relying on the query string for any significant input is in general a WTF; what would happen if a user changed qs values and resubmitted this page with maskerAmount=0 or maskerAmount=xxxWTFxxx?


Neither is POST safe. I just had to mention it...



I always code my webapps with the philosophy that everything the user sends me (the app) is a _request_ to do something. Once this logic sets in the head, queries like "SELECT name FROM client WHERE clientid = '$clientid';" should set off some alarm bells.



First, is the variable safe? (Assuming PHP) has addslashes() been run on the variable? Using hungarian notation on variables has proved very useful for me. I use the prefix "us" for all unsafe variables and "s" for safe. This way it's much more likely that I'll spot any security hazards.



Second, this is an app where users keep track of their clients and how many hours to charge them for. Where's the check to see if that client "belongs" to the user requesting the name? If there is no such check, users may be able to read each other's data.


This is much better: "SELECT name FROM client WHERE clientid = '$sClientid' AND owner = '$sUserid' LIMIT 1;"


Just a newcomer's two cents.



Btw, love the site :-)
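RobbieGee's two points run against a throwaway SQLite table, as an added example (not code from the original page): the query with the request value spliced into the SQL text next to a parameterised one, and the ownership condition that stops one user reading another user's client. It uses bound parameters rather than the addslashes() escaping mentioned above, because parameters are the defence that does not depend on getting the escaping right for every dialect. The table, rows and names are constructed for the example.

```python
"""Added example, not code from the original page. Table, rows and names are
constructed sample data."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two users (100 and 200), each owning one client."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE client (
            clientid INTEGER PRIMARY KEY,
            name     TEXT    NOT NULL,
            owner    INTEGER NOT NULL
        );
        INSERT INTO client VALUES (1, 'Acme', 100), (2, 'Globex', 200);
        """
    )
    return conn


def client_name_unsafe(conn: sqlite3.Connection, clientid: str):
    """The pattern from the thread: request input spliced into the SQL text.
    Deliberately vulnerable so the test can show the injection going through.
    No ownership check either, so any user can read any client."""
    row = conn.execute(
        f"SELECT name FROM client WHERE clientid = '{clientid}';"
    ).fetchone()
    return row[0] if row else None


def client_name_for_owner(conn: sqlite3.Connection, clientid, userid):
    """Parameterised, and scoped to the authenticated user's own rows.
    'AND owner = ?' is the authorisation check; userid comes from the
    session, never from the request."""
    row = conn.execute(
        "SELECT name FROM client WHERE clientid = ? AND owner = ? LIMIT 1;",
        (clientid, userid),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("unsafe, injected :", client_name_unsafe(db, payload))
    print("safe, injected   :", client_name_for_owner(db, payload, 100))
    print("user 100 -> client 2:", client_name_for_owner(db, 2, 100))
```

With the spliced query, the classic `' OR '1'='1` payload returns a row even though no client has that id; with bound parameters it is just a string that matches nothing. The owner clause is what turns a lookup into an authorisation check: user 100 asking for client 2 gets nothing back rather than Globex.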

Re: The Phantom of The System

2005-08-04 12:06 • by Apoch
39869 in reply to 39708

JThelen:
While I think Apoch can take YAGNI, and shove it where the sun doesn't shine along with the rest of eXtreme Programming, he certainly has a point regarding the verification of goods in the cart against their current price at the time of checkout.


Heh. Personally, I think XP is a complete travesty, and I loathe it as a development paradigm - but the XP crowd does have some important lessons to teach. Specifically, careful and judicious application of YAGNI (more as a principle of avoiding excess complication than a holy mantra) and a willingness to refactor anything and everything that suggests that it needs it. I've seen a huge boost in code cleanliness in all sorts of projects when these kinds of things are applied.


Screw XP, yes... but rejecting all the teachings of something out of hand just because the whole is stupid is not wise ;-)

Re: The Phantom of The System

2005-08-04 12:28 • by Gene Wirchenko
39871 in reply to 39716
uber1024:
Well, Alex.  I think it's time to shut down your site.  This is never going to be topped, IMO.




You wish.



(Yechnology marches on.)



Sincerely,



Gene Wirchenko



Re: The Phantom of The System

2005-08-04 20:55 • by 8bit
39965 in reply to 39696

Uhm, how about a session variable already?

Re: The Phantom of The System

2005-08-05 20:24 • by mikeb
40132 in reply to 39686
dubwai:

(999999 - 100000 + 1)


What's the point of doing that calculation not only once but multiple times?



Those calculations are using an idiom for generating a random number bounded by a lower bound of 100000 and an upper bound of 999999 (i.e., a number from 100000 to 999999 inclusive).


The general algorithm is: ((upperBound - lowerBound + 1) * randNum) + lowerBound


Of course, it would have made more sense to put that into a nice little function (assuming VBScript doesn't already have one), but this is one thing in the code that may be a WTF, but not an idiotic WTF.


 

Re: The Phantom of The System

2005-08-08 11:01 • by JThelen
40215 in reply to 39869
Apoch:

JThelen:
While I think Apoch can
take YAGNI, and shove it where the sun doesn't shine along with the
rest of eXtreme Programming, he certainly has a point regarding the
verification of goods in the cart against their current price at the
time of checkout.


Heh. Personally, I think XP is a complete travesty, and I loathe it
as a development paradigm - but the XP crowd does have some important
lessons to teach. Specifically, careful and judicious application of
YAGNI (more as a principle of avoiding excess complication than a holy
mantra) and a willingness to refactor anything and everything that
suggests that it needs it. I've seen a huge boost in code cleanliness
in all sorts of projects when these kinds of things are applied.


Screw XP, yes... but rejecting all the teachings of something out of hand just because the whole is stupid is not wise ;-)





All of the good tenets of XP, such as code reviews, have already been incorporated elsewhere. Everything else, such as YAGNI, hasn't, and with good reason. YAGNI is self-existent in good design; if it wasn't in the design, then don't code it. In other words, it's been around since before XP, and will continue to exist long after that travesty goes away, which we can only hope it will.

Re: The Phantom of The System

2005-08-10 19:23 • by Dan
40512 in reply to 39687
Well sure, you could do all that. But W(hy)TF would you expose critical
data like that in the first place? The page that needs the data should
get it from the app, not the request.
