• (cs)

    ' this will be used as a dummy, to throw off the wise ' it is a post about nothing

  • (cs)

    At work it sang to me In code it came 22, 7, minus 12 And 620 But do I scream again? For now I see The Phaaaaantom of The System Whiz is here Inside ThankYou.asp

  • zw (unregistered)

    Man 1: Hurry, type in 4 8 15 16 23 42!

    Man 2: Aaaaaaarrrgghhhhh! NO, it's 22, 7, -12, and 620, you moron!

  • R (unregistered)

    I'm having trouble deciding between my dummy response of

    hahahhahahahahahahahhahaha

    and my real response - a long drawn out pained wail, just like the poor phantom of the opera.

  • Carlos92 (unregistered)

It's sort of obvious that the author is trying to obtain "security by obscurity" instead of using an encryption algorithm with a key that the server keeps in memory or disk.

    The "secrets" are the size of the left and right masks that one has to remove, and the coefficients of a linear equation that one has to solve.

    Not actually obfuscated (as in Perl) but bloated...

  • Carlos92 (unregistered) in reply to Carlos92

    I almost forgot to mention the ludicrous comments and the ugly variable names that don't convey information.

  • (cs)

    The encoding/encrypting/obfuscating is bad enough, but it's a programming sin to pass a total in the querystring.

  • Dante Gates (unregistered)

    Just like the 7 layers of hell, there are 7 layers of stupidity:

    1. Ignorance is bliss.

    2. Yes, I'm ignorant, but I think I'll write some code anyway.

    3. I'm ignorant, but I think I'll write some code FOR A WEB SITE, where the whole world can mess with me 7 by 24.

    4. I'm ignorant, but I think I'll write some web code that handles REAL MONEY.

    5. I'm writing a web page that handles money, but I've never heard of hackers.

    6. I know hackers are tricky and evil, but I didn't think they'd stoop so low as to pick up the money I left lying around in my site.

    7. I am fully informed about hackers and how they will try to alter the price, but instead of keeping it where they can't touch it, I'll send it to them anyway using my super-secret, incomprehensible technology, ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.

  • a pedant (unregistered) in reply to akatherder
    akatherder:
    The encoding/encrypting/obfuscating is bad enough, but it's a programming sin to pass a total in the querystring.

    It's perfectly fine to pass it in the querystring.

    Providing you also keep it on the server and use the server for all calculations, processing, verification.

    Putting it in the querystring or cookie means you could have a cached static page use JavaScript to display the shopping cart details and total. This means that if you have a 100% commerce website you could make little JavaScript libs to show the cart everywhere without having to make the entire site dynamic. Further, if you have 3rd party partner sites, you could use JavaScript to still show the cart on those sites without giving them access to your pages.

    Seems fine to me.

    Providing you work with the server values and only use the querystring, cookie, etc for presentation.

  • (cs)

    My power over you grows stronger yet ... And though you turn from me, to glance behind, the Phantom of the System is there - INSIDE your mind ...

  • Gorfblot (unregistered) in reply to a pedant
    a pedant:
    Providing you work with the server values and only use the querystring, cookie, etc for presentation.

    Nobody could possibly be stupid enough to rely on the client to tell you how much to charge.

    (I was almost able to type that with a straight face...)

  • (cs) in reply to a pedant
    a pedant:
    Providing you work with the server values and only use the querystring, cookie, etc for presentation.

    That seems silly. You have access to the server values and you're using those for calculation on the back-end. Just present the real values to the customer.

    I guess you could get away with presenting the real values on a final "confirmation" page and let the user play with cookies/querystring during checkout. But you're on the hook if the page says "Do you agree to let us charge your credit card $1.00 for your Xbox 360?".

  • (cs) in reply to Dante Gates

    We really need to come up with a better generation of goggles.

    Dante Gates:
    ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
    ...in comments that aren't sent to the client browser.
  • Dante Gates (unregistered) in reply to Zecc
    Zecc:
    Dante Gates:
    ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
    ...which isn't sent to the client browser.
    Then how does the browser decode and display the true price on the thank you page?
  • ThisIsMe (unregistered)

    "Masquerade" ;)

  • (cs)

    This pretty much reminds me of those numerical games that we used to play as little kids -- you know, "Think of a number, then multiply it by your birth date and subtract two" type games. The only substantive difference is that this guy doesn't seem to be able to perform the actual arithmetic.

    Still, it's possibly nice to know that one of my more idiotic friends from fifth grade is out there performing a valuable service for society.

  • NeoMojo (unregistered) in reply to Dante Gates
    Dante Gates:
    Zecc:
    Dante Gates:
    ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
    ...which isn't sent to the client browser.
    Then how does the browser decode and display the true price on the thank you page?

    in the server side script of the thank you page. It doesn't need to have the calculation in the client side script.

  • Steve (unregistered) in reply to bitblit
    bitblit:
    At work it sang to me In code it came 22, 7, minus 12 And 620 But do I scream again? For now I see The Phaaaaantom of The System Whiz is here Inside ThankYou.asp
    Bravo! Take a bow.

    I laughed. . .

    . . . and I can't stand Phantom of the Opera.

  • [email protected] (unregistered) in reply to Dante Gates
    Dante Gates:
    Zecc:
    Dante Gates:
    ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
    ...which isn't sent to the client browser.
    Then how does the browser decode and display the true price on the thank you page?
ASP comments won't get shown in the source code viewer in your browser. In fact no ASP code gets shown there.
  • robd (unregistered)

    first!

  • (cs) in reply to akatherder
    akatherder:
    The encoding/encrypting/obfuscating is bad enough, but it's a programming sin to pass a total in the querystring.
At least it wasn't sent as the total though: it was sent as the tracking code. And NO-ONE would think of playing with the tracking code (would they?). What I find odd is that he went to all that trouble to mess with the actual total, but didn't think to multiply it by 100 first to get rid of the decimal places...
  • jkupski (unregistered) in reply to bitblit
    bitblit:
    At work it sang to me In code it came 22, 7, minus 12 And 620 But do I scream again? For now I see The Phaaaaantom of The System Whiz is here Inside ThankYou.asp

    Think of this, think of this bad code When you write your scripts Remember this: never write code while on an acid trip

    We told you that your code was horrible But to this you were quite deaf So now you see your name on The daily WTF!

  • (cs)
    The code churning within The System was so intricate and complex that only "The Whiz" (who, consequently, was also the author of The System) could possibly understand and maintain it.
    I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?
  • (cs)

    Fricking amateurs. If you can't do crypto, don't try, because you're only going to be making yourself look like a fool down the line. I consider myself pretty knowledgeable, and I wouldn't even dream of trying to roll my own, due to my lack of an advanced degree in mathematics.

    The real WTF is that he thought he needed to obfuscate the fricking order total...If someone was monitoring your connection, and possessed a calculator, they could surely figure it out for themselves...even if you (radically) went to ssl when you started the checkout process.

  • (cs)

    Phantom of the Opera - where it's okay to romanticize stalkers.

  • JoeyLemur (unregistered)

    I wonder if HR would have words with me if I started referring to the admin across the aisle from me as Christine...

  • (cs)

Having dealt with systems similar to this, at least "The Whiz" used okay (not great) variable names. Try dealing with something similar to this that uses barely any indentation at all, dozens of include files per page, VBScript subroutines that take a reference to the object they work with and instantiate it instead of returning the thing, and variable names that seem to have been stripped of all vowels, and you'll long for the beautiful misery of "The System".

  • John (unregistered)

I was once tasked with maintaining an ASP/VBScript that allowed users to construct an order worth on average ~£30,000. It then had an editable field where they could overtype this value with whatever value they liked... When I tried it out, I typed in 0 (zero) and hit submit; fortunately, it prevented me doing this.

    Intrigued as to why this was editable, I delved a little deeper; to my horror, it only prevented the user from typing in their own value if the input value caused the deal to give a negative profit (or loss!), so as long as you are not too greedy about the discount you wish to give yourself... you can have it at cost price. (A hefty 55% discount on average.)

  • (cs) in reply to Code Dependent
    Code Dependent:
    I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?

    As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.

  • (cs)

    Lloyd WWWeber.

    Ergh.

  • h (unregistered) in reply to KenW
    KenW:
    Code Dependent:
    I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?

    As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.

Yes, but then the whole pedantic system falls apart, and these guys mean nothing to society anymore... oh wait.

  • (cs) in reply to KenW
    KenW:
    As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.
    It's okay, Ken, I wasn't expecting it to be corrected. I just get a kick out of pointing it out. Plus, pedantry's so uniquely qualified to get a reaction check, isn't it.
  • Andrew (unregistered)

He was trying to obfuscate the URL so hackers couldn't manipulate it. Looks good to me, I don't see the problem here.

  • TJ (unregistered)

Wouldn't a form post have been easier?

    I am all for security and "code poetry", but I am also an extremely lazy programmer; I would like it to work correctly with the minimum amount of effort from me or the system.

  • Shill (unregistered) in reply to Code Dependent
    Code Dependent:
    The code churning within The System was so intricate and complex that only "The Whiz" (who, consequently, was also the author of The System) could possibly understand and maintain it.
    I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?

    I think the word everyone was looking for was necessarily.

  • RH (unregistered) in reply to Andrew
    Andrew:
He was trying to obfuscate the URL so hackers couldn't manipulate it. Looks good to me, I don't see the problem here.

    BEFORE ANYONE ACTUALLY REPLIES TO THIS, CONSIDER THE VERY LIKELY POSSIBILITY IT'S A TROLL AND FEEDING TROLLS IS BAD BECAUSE IT BEGETS MORE TROLLS

  • (cs) in reply to jkupski
    jkupski:
    Think of this, think of this bad code When you write your scripts Remember this: never write code while on an acid trip

    We told you that your code was horrible But to this you were quite deaf So now you see your name on The daily WTF!

    I nominate this for a Tony.

  • (cs) in reply to Shill
    Shill:
    I think the word everyone was looking for was necessarily.
    Not necessarily.*

    *You set that up on purpose.

  • Anonymouse (unregistered) in reply to Shill

    Er, it's pretty clear that the intended word was coincidentally.

    "... The Whiz (who, coincidentally, was also the author of The System)..."

    See, there's sarcasm in them thar hills.

  • Chris (unregistered) in reply to [email protected]
    Dante Gates:
    Zecc:
    Dante Gates:
    ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
    ...which isn't sent to the client browser.
    Then how does the browser decode and display the true price on the thank you page?
    ASP comments won't get shown in the sourcecode viewer in your browser. In fact no ASP code gets shown there.
I guess you forgot about (or are oblivious to) the multiple known vulnerabilities in IIS + ASP which cause the web server to dump the source of the file to the web browser, rather than interpret/execute it.

    I won't go into detail, but I have used one of the known issues to break at least one system that ran on IIS with ASP.

    Relying on the client to send you anything other than something that they NEED to send you is folly, indeed. All totals, etc should be tracked ON THE SERVER, never relying on the client to pass the right data (even if it is obfuscated), because you never know when your web server might spit out the source of your page and make it very easy for someone to figure out what sort of incantation to invoke to make your program theirs. :p

  • (cs)
    With not a single line containing anything even resembling a function or subroutine.
    Sounds like we all know who "The Whiz" was. Spectate, are you listening?
  • Max Romantschuk (unregistered) in reply to real_aardvark

    I'm unfortunately also all too familiar with this approach. I've used a system which obfuscates all URLs to a ?foo=000013421 where foo is a number chosen more or less randomly and only valid for your session.

    It's more secure like that, it seems... But it also makes every single support email rather useless, when no URL sent by anyone will work for anyone else... Some people seem to thrive on making things difficult for every one else.

  • (cs)

    maskerAmount = oTotal*4340 + 88040 //where oTotal is not huge, ie. less than about 500K

    I love that he chose to multiply everything by 620!

As being divisible by 10 adds an obvious "0" digit for any would-be script kiddies to note strangely occurring in EVERY masked amount, and the numbers to the left hand side of this then always being even, well that's a huge clue as to the obfuscation method being used IMHO!

  • (cs) in reply to Satanicpuppy
    Satanicpuppy:
    The real WTF is that he thought he needed to obfuscate the fricking order total...
    No, the real WTF is what this need hints at: the order total is probably sent back to the server and used for billing, meaning that if someone defeats the Whiz's mighty crypto skillz and manipulates the HTTP request, they can make it so that they actually billed only $0.01 for any order.
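The point made by a pedant, by Chris and by the reply just above (the server must own the total; whatever the client sends back is presentation only), as an added example that is not code from the article or from "The Whiz". The price book, session store and `checkout_*` handlers are hypothetical; the mask is the linear formula quoted earlier in the thread (`oTotal*4340 + 88040`), reversed here only to show that it offers no protection.

```python
# Added example (not the Whiz's code). PRICE_BOOK, SESSIONS, mask/unmask and the
# checkout_* handlers are hypothetical names; the mask formula is the one quoted in the thread.
from decimal import Decimal
from typing import Tuple

# Constructed price book: the authoritative prices live on the server, never in the URL.
PRICE_BOOK = {"xbox360": Decimal("399.99"), "hdmi-cable": Decimal("12.50")}

# Constructed session store (sku -> quantity), populated while the user shops.
SESSIONS = {"sess-123": {"xbox360": 1, "hdmi-cable": 2}}


def mask(total: Decimal) -> str:
    """The thread's linear mask: maskerAmount = oTotal*4340 + 88040."""
    return str(total * 4340 + 88040)


def unmask(tracking: str) -> Decimal:
    """Anyone who has seen the formula can run this too, so the mask hides nothing."""
    return (Decimal(tracking) - 88040) / 4340


def server_total(session_id: str) -> Decimal:
    """Recompute the total from server-held prices and quantities."""
    cart = SESSIONS[session_id]
    return sum((PRICE_BOOK[sku] * qty for sku, qty in cart.items()), Decimal("0"))


def checkout_vulnerable(session_id: str, query: dict) -> Decimal:
    """The pattern the thread criticises: bill whatever the client's tracking code decodes to."""
    return unmask(query["tracking"])


def checkout_hardened(session_id: str, query: dict) -> Tuple[Decimal, bool]:
    """Bill the server's figure; the client value is only compared, to detect tampering."""
    authoritative = server_total(session_id)
    tampered = False
    if "tracking" in query:
        try:
            tampered = unmask(query["tracking"]) != authoritative
        except ArithmeticError:  # Decimal() raises InvalidOperation (an ArithmeticError) on garbage
            tampered = True
    # A mismatch is worth logging: either a stale cached page or someone editing the URL.
    return authoritative, tampered


if __name__ == "__main__":
    honest = {"tracking": mask(server_total("sess-123"))}
    forged = {"tracking": mask(Decimal("0.01"))}  # the "$0.01 Xbox" the thread jokes about
    print(checkout_vulnerable("sess-123", forged))  # bills 0.01
    print(checkout_hardened("sess-123", forged))    # (Decimal('424.99'), True)
    print(checkout_hardened("sess-123", honest))    # (Decimal('424.99'), False)
```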
  • An Old Hacker (unregistered) in reply to Satanicpuppy
    Satanicpuppy:
    Fricking amateurs. If you can't do crypto, don't try, because you're only going to be making yourself look like a fool down the line. I consider myself pretty knowledgeable, and I wouldn't even dream of trying to roll my own, due to my lack of an advanced degree in mathematics.

    The real WTF is that he thought he needed to obfuscate the fricking order total...If someone was monitoring your connection, and possessed a calculator, they could surely figure it out for themselves...even if you (radically) went to ssl when you started the checkout process.

    Ummm... I have an advanced degree in mathematics. And I don't dream of it either, because I majored in topology, not number theory. Seriously, people, stick with published, peer-reviewed methods. Go back every couple of years to see if you need to replace anything due to uncovered vulnerabilities. Same thing with getting cute with randomness. Use approved libraries, but only after you have read up on their characteristics and consider them to be acceptable.

  • Kevin (unregistered)

    There are multiple WTFs in this story.

    1.) The complete method here is wrong! OrderProcessing.foo should process the order (as the name implies), then display the thank you, that way this kind of obfuscation is unnecessary.

2.) If the total is 155.72, and you pad it on both sides with numbers, you will get a stupid total with tenths, hundredths, and thousandths of a cent! (2943155.7230843)

    3.) We won't even go into the total irresponsible nature of this application - especially the fact that it was programmed in VBScript & ASP.

    --Kevin

  • (cs)

TRWTF is that The Whiz makes such big efforts to hide the total amount of an order. What the heck is so secret about it?

  • (cs) in reply to [email protected]
    Dante Gates:
    Zecc:
    Dante Gates:
    ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
    ...which isn't sent to the client browser.
    Then how does the browser decode and display the true price on the thank you page?
    ASP comments won't get shown in the sourcecode viewer in your browser. In fact no ASP code gets shown there.

    No, not the code. But the order total should be shown at a certain point.

  • Blaufish (unregistered)

A certain system I debugged has similarly mysterious URL-altering functions (although not as ugly as the implementation posted here).

    I asked a skilled guy who still remembered The Days of Creation, and it was multi-purpose; the main feature was to prevent caching (according to tests/rumors, none of the pragma variants worked very well in the old days when HTTP proxies were new; users got cached web page copies (including user-specific data) from proxies). Until URL randomizing was introduced, that is.

    Legacy is horrible.

  • (cs) in reply to Code Dependent
    Code Dependent:
    KenW:
    As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.
    It's okay, Ken, I wasn't expecting it to be corrected. I just get a kick out of pointing it out. Plus, pedantry's so uniquely qualified to get a reaction check, isn't it.
    Well, as usual, KenW has correctly picked on a thoroughly miserable specimen of so-called humanity whose mental deficiencies are visible to anyone with a functional, yet thoroughly unimaginative, blog moniker. As usual, he has totally missed the point.

    This Grammar Nazi thing you have about the use of "consequently," and the related implication of cause and effect: you have completely missed the point. Using my Code Smell ninja powers of analysis, this is clearly not an example of one-way cryptography: therefore the arrow of time does not apply. Since it is obviously impossible for anybody to be dense enough to write this "function" in the normal sense of time, the "function" must have existed before its author. Consequently we need to reverse the arrow of time -- I have this conclusion on the authority of no less a person than Sherlock Holmes -- and conclude that the code is, indeed, the cause of the author.

    I hope you feel properly ashamed of yourself for not realising this. And I'm not going to stand for any "no shit, Sherlock" retorts, either.

Leave a comment on “Classic WTF: The Phantom of The System”
