Admin
' this will be used as a dummy, to throw off the wise ' it is a post about nothing
Admin
At work it sang to me
In code it came
22, 7, minus 12
And 620
But do I scream again?
For now I see
The Phaaaaantom of The System Whiz is here
Inside ThankYou.asp
Admin
Man 1: Hurry, type in 4 8 15 16 23 42!
Man 2: Aaaaaaarrrgghhhhh! NO, it's 22, 7, -12, and 620, you moron!
Admin
I'm having trouble deciding between my dummy response of
hahahhahahahahahahahhahaha
and my real response - a long drawn out pained wail, just like the poor phantom of the opera.
Admin
It's sort of obvious that the author is trying to obtain "security by obscurity" instead of using an encryption algorithm with a key that the server keeps in memory or on disk.
The "secrets" are the size of the left and right masks that one has to remove, and the coefficients of a linear equation that one has to solve.
Not actually obfuscated (as in Perl) but bloated...
Admin
I almost forgot to mention the ludicrous comments and the ugly variable names that don't convey information.
Admin
The encoding/encrypting/obfuscating is bad enough, but it's a programming sin to pass a total in the querystring.
Admin
Just like the 7 layers of hell, there are 7 layers of stupidity:
Ignorance is bliss.
Yes, I'm ignorant, but I think I'll write some code anyway.
I'm ignorant, but I think I'll write some code FOR A WEB SITE, where the whole world can mess with me 7 by 24.
I'm ignorant, but I think I'll write some web code that handles REAL MONEY.
I'm writing a web page that handles money, but I've never heard of hackers.
I know hackers are tricky and evil, but I didn't think they'd stoop so low as to pick up the money I left lying around in my site.
I am fully informed about hackers and how they will try to alter the price, but instead of keeping it where they can't touch it, I'll send it to them anyway using my super-secret, incomprehensible technology, ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
Admin
It's perfectly fine to pass it in the querystring.
Providing you also keep it on the server and use the server for all calculations, processing, verification.
Putting it in the querystring or cookie means you could have a cached static page use JavaScript to display the shopping cart details and total. This means that if you have a 100% commerce website you could make little JavaScript libs to show the cart everywhere without having to make the entire site dynamic. Further, if you have 3rd party partner sites, you could use JavaScript to still show the cart on those sites without giving them access to your pages.
Seems fine to me.
Providing you work with the server values and only use the querystring, cookie, etc for presentation.
Admin
My power over you grows stronger yet ... And though you turn from me, to glance behind, the Phantom of the System is there - INSIDE your mind ...
Admin
Nobody could possibly be stupid enough to rely on the client to tell you how much to charge.
(I was almost able to type that with a straight face...)
Admin
That seems silly. You have access to the server values and you're using those for calculation on the back-end. Just present the real values to the customer.
I guess you could get away with presenting the real values on a final "confirmation" page and let the user play with cookies/querystring during checkout. But you're on the hook if the page says "Do you agree to let us charge your credit card $1.00 for your Xbox 360?".
Admin
We really need to come up with a better generation of goggles.
...in comments that aren't sent to the client browser.
Admin
"Masquerade" ;)
Admin
This pretty much reminds me of those numerical games that we used to play as little kids -- you know, "Think of a number, then multiply it by your birth date and subtract two" type games. The only substantive difference is that this guy doesn't seem to be able to perform the actual arithmetic.
Still, it's possibly nice to know that one of my more idiotic friends from fifth grade is out there performing a valuable service for society.
Admin
in the server side script of the thank you page. It doesn't need to have the calculation in the client side script.
Admin
I laughed. . .
. . . and I can't stand Phantom of the Opera.
Admin
first!
Admin
Think of this, think of this bad code
When you write your scripts
Remember this: never write code while on an acid trip
We told you that your code was horrible
But to this you were quite deaf
So now you see your name on
The daily WTF!
Admin
Fricking amateurs. If you can't do crypto, don't try, because you're only going to be making yourself look like a fool down the line. I consider myself pretty knowledgeable, and I wouldn't even dream of trying to roll my own, due to my lack of an advanced degree in mathematics.
The real WTF is that he thought he needed to obfuscate the fricking order total...If someone was monitoring your connection, and possessed a calculator, they could surely figure it out for themselves...even if you (radically) went to ssl when you started the checkout process.
Admin
Phantom of the Opera - where it's okay to romanticize stalkers.
Admin
I wonder if HR would have words with me if I started referring to the admin across the aisle from me as Christine...
Admin
Having dealt with systems similar to this, at least "The Whiz" used okay (not great) variable names. Try dealing with something similar to this that uses barely any indentation at all, dozens of include files per page, VBScript subroutines that take a reference to the object they work with and instantiate it instead of returning the thing, and variable names that seem to have been stripped of all vowels, and you'll long for the beautiful misery of "The System"
Admin
I was once tasked with maintaining an ASP/VBScript application that allowed users to construct an order worth on average ~£30,000. It then had an editable field where they could overtype this value with whatever value they liked... When I tried it out, I typed in 0 (zero) and hit submit; fortunately it prevented me from doing this.
Intrigued as to why this was editable, I delved a little deeper, and to my horror it only prevented the user from typing in their own value if the input value caused the deal to give a negative profit (or loss!), so as long as you are not too greedy about the discount you wish to give yourself... you can have it at cost price. (A hefty 55% discount on average.)
Admin
As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.
Admin
Lloyd WWWeber.
Ergh.
Admin
He was trying to obfuscate the url so hackers couldn't manipulate it. Looks good to me, i don't see the problem here.
Admin
Wouldn't a form post have been easier?
I am all for security and "code poetry", but I am also an extremely lazy programmer; I would like it to work correctly with the minimum amount of effort from me or the system.
Admin
I think the word everyone was looking for was necessarily.
Admin
BEFORE ANYONE ACTUALLY REPLIES TO THIS, CONSIDER THE VERY LIKELY POSSIBILITY IT'S A TROLL AND FEEDING TROLLS IS BAD BECAUSE IT BEGETS MORE TROLLS
Admin
I nominate this for a Tony.
Admin
*You set that up on purpose.
Admin
Er, it's pretty clear that the intended word was coincidentally.
"... The Whiz (who, coincidentally, was also the author of The System)..."
See, there's sarcasm in them thar hills.
Admin
I won't go into detail, but I have used one of the known issues to break at least one system that ran on IIS with ASP.
Relying on the client to send you anything other than something that they NEED to send you is folly, indeed. All totals, etc should be tracked ON THE SERVER, never relying on the client to pass the right data (even if it is obfuscated), because you never know when your web server might spit out the source of your page and make it very easy for someone to figure out what sort of incantation to invoke to make your program theirs. :p
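Added example (not code from the original article, from "The System", or from any commenter in this thread) covering the two points made above: that a left/right pad plus a linear equation is "security by obscurity" an attacker can solve, and that the total belongs on the server with the query string used only to name the order or for display. The page quotes the numbers 22, 7, -12 and 620 but never shows the actual formula, so the multiplier, offset, pad lengths, order ids and sample orders below are all assumptions constructed for illustration.

```python
# Added example, not code from the original article or from "The System":
# why a linear "masking" of the order total is trivially reversible, and the
# server-side alternative the thread recommends.
#
# ASSUMPTIONS: the page quotes 22, 7, -12 and 620 but never shows the formula,
# so the multiplier, offset and pad lengths are invented for illustration.
# All sample orders and junk digits are constructed.
from fractions import Fraction
from secrets import token_hex

MULT = 620        # assumed multiplier (the page mentions 620)
OFFSET = 142      # assumed additive constant, not from the page
LEFT_PAD = 4      # assumed number of junk digits prepended
RIGHT_PAD = 5     # assumed number of junk digits appended


def mask_total(total_cents, junk_left="2943", junk_right="30843"):
    """What the ASP page would put in the query string: junk + (a*x + b) + junk."""
    core = total_cents * MULT + OFFSET
    return f"{junk_left}{core}{junk_right}"


def unmask_total(masked):
    """What ThankYou.asp would do with it: strip the pads, invert the line."""
    core = int(masked[LEFT_PAD:len(masked) - RIGHT_PAD])
    return (core - OFFSET) // MULT


# --- Attacker: a few orders with known totals reveal the whole scheme --------
# Constructed samples: (total_cents, masked value seen in the thank-you URL).
SAMPLES = [
    (15572, mask_total(15572, "2943", "30843")),
    (100,   mask_total(100,   "7110", "51209")),
    (25000, mask_total(25000, "0387", "94416")),
    (999,   mask_total(999,   "5120", "00077")),
]


def recover_scheme(samples, max_pad=8):
    """Try every pad-length pair; the right one makes all samples collinear.

    Returns (left_pad, right_pad, a, b) with core = a*total + b, or None.
    Two points fix the line; the remaining samples confirm it.
    """
    for left in range(max_pad + 1):
        for right in range(max_pad + 1):
            try:
                pts = [(t, int(m[left:len(m) - right])) for t, m in samples]
            except ValueError:      # slice became empty: pads too long
                continue
            (x1, y1), (x2, y2) = pts[0], pts[1]
            if x1 == x2:
                continue
            a = Fraction(y2 - y1, x2 - x1)
            b = y1 - a * x1
            if all(a * x + b == y for x, y in pts):
                return left, right, a, b
    return None


def forge_masked(target_cents, left, right, a, b):
    """Build a masked value that unmasks to target_cents; the junk is arbitrary."""
    core = int(a * target_cents + b)
    return "9" * left + str(core) + "9" * right


# --- Server side: the URL names the order, the server remembers the total -----
ORDERS = {}   # order_id -> total_cents; a database row in real life


def create_order(total_cents):
    order_id = token_hex(8)          # unguessable handle, carries no data
    ORDERS[order_id] = total_cents
    return order_id


def thank_you_page(query):
    """Charge the recorded total. A client-supplied 'total' is display-only;
    if it disagrees with the record, flag it instead of trusting it."""
    order_id = query.get("order")
    if order_id not in ORDERS:
        raise KeyError("unknown order")
    charged = ORDERS[order_id]
    shown = query.get("total")
    tampered = shown is not None and int(shown) != charged
    return {"charge_cents": charged, "tampered": tampered}


if __name__ == "__main__":
    left, right, a, b = recover_scheme(SAMPLES)
    print("recovered: pads", left, right, "core =", a, "* total +", b)
    fake = forge_masked(100, left, right, a, b)
    print("forged value", fake, "unmasks to", unmask_total(fake), "cents")
    oid = create_order(15572)
    print(thank_you_page({"order": oid, "total": "100"}))
```

The pad search works because fixed-length junk is just two more constants: once the pads are stripped, any two orders of known value pin down the line and every further order confirms it, no source code required. The multiplier also leaves a tell of the kind a later comment points out: 620 times anything is a multiple of 10, so every masked core ends in the same digit as the offset.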
Admin
I'm unfortunately also all too familiar with this approach. I've used a system which obfuscates all URLs to a ?foo=000013421 where foo is a number chosen more or less randomly and only valid for your session.
It's more secure like that, it seems... But it also makes every single support email rather useless, when no URL sent by anyone will work for anyone else... Some people seem to thrive on making things difficult for every one else.
Admin
maskerAmount = oTotal*4340 + 88040 //where oTotal is not huge, ie. less than about 500K
I love that he chose to multiply everything by 620!
As being divisible by 10 adds an obvious "0" digit for any would-be script kiddies to note strangely occurring in EVERY masked amount, and the numbers to the left hand side of this then always being even, well that's a huge clue as to the obfuscation method being used IMHO!
Admin
Ummm... I have an advanced degree in mathematics. And I don't dream of it either, because I majored in topology, not number theory. Seriously, people, stick with published, peer-reviewed methods. Go back every couple of years to see if you need to replace anything due to uncovered vulnerabilities. Same thing with getting cute with randomness. Use approved libraries, but only after you have read up on their characteristics and consider them to be acceptable.
Admin
There are multiple WTFs in this story.
1.) The complete method here is wrong! OrderProcessing.foo should process the order (as the name implies), then display the thank you, that way this kind of obfuscation is unnecessary.
2.) If the total is 155.72, and you pad it on both sides with numbers, you will get a stupid total with tenths, hundredths, and thousandths of a cent! (2943155.7230843)
3.) We won't even go into the total irresponsible nature of this application - especially the fact that it was programmed in VBScript & ASP.
--Kevin
Admin
TRWTF is that The Wiz makes such big efforts to hide the total amount of an order. What the heck is so secret about it?
Admin
No, not the code. But the order total should be shown at a certain point.
Admin
A certain system I debugged has similarly mysterious URL-altering functions (although not as ugly as the implementation posted here).
I asked a skilled guy who still remembered The Days of Creation, and it was multi-purpose; the main feature was to prevent caching (according to tests/rumors, none of the pragma variants worked very well in the old days when HTTP proxies were new; users got cached web page copies (including user-specific data) from proxies). Until URL randomizing was introduced, that is.
Legacy is horrible.
Admin
This Grammar Nazi thing you have about the use of "consequently," and the related implication of cause and effect: you have completely missed the point. Using my Code Smell ninja powers of analysis, this is clearly not an example of one-way cryptography: therefore the arrow of time does not apply. Since it is obviously impossible for anybody to be dense enough to write this "function" in the normal sense of time, the "function" must have existed before its author. Consequently we need to reverse the arrow of time -- I have this conclusion on the authority of no less a person than Sherlock Holmes -- and conclude that the code is, indeed, the cause of the author.
I hope you feel properly ashamed of yourself for not realising this. And I'm not going to stand for any "no shit, Sherlock" retorts, either.