Admin
So he should have just checked for articleID.contains("x")?
P.S. First time I've encountered "hex" crypto!
Admin
It's quite normal when an encryption process returns binary data, to encode it in hex format for display. This is not "hex" crypto.
Admin
I guess that the prefix came in after the function was written. With no (or insufficient) unit tests, it is easy to overlook the difference.
Then again - why "ciphering" it using Hex? Not to mention the obvious WTF of wrong detection...
Admin
Hexadecimal numbers != encryption
Admin
Hex cryptography is the best and has always been!
Admin
Catching java.util.Exception — check.
Admin
Which is why I specifically said it was encrypted and represented as a hexadecimal number. To put it another way, it was encrypted and then base-16 encoded (as opposed to base-64). It was not converted into a hexadecimal as if that were encryption.
Although, if it were, that would definitely be a WTF. I've seen people use Base-64 as if it were an encryption algorithm.
Admin
Hex-encoding is good in that it allows you to use only URL-safe characters. Sure, you could use the URL-safe Base64 variant, or base-62, or base-32, but hey, base-16 is sure enough. At least it looks like a number (while in fact it's a binary string).
Captcha: abbas - We once organized a band mockup contest. Several Queens arrived, one or two Princes, and even a few Abbas.
Admin
I want to look at the file "DEADBABE" but it keeps telling me it's encrypted ...
Admin
A name like that? I'm sure somebody cracked the encryption and posted it to 4chan.
Admin
"it’d be difficult to tell an integer from a hexadecimal"
at least decimal integers.
Admin
As someone with a clue in security and in cryptography, I anticipate a WTF every time I hear a sentence beginning in "For security, we encrypt". 50% chance they just encoded it. 1/5 chance it contains critical data for the session. 99% chance they don't check the integrity of the decrypted information before using it.
Admin
I shall try to recreate the mental process that may lead to such code WTF:
"Oh, I see, some IDs have to be decoded right? Well I'll start with a function that decodes them!"
"Well that was easy! Now to write the main code. Hmm, how can I tell if I should pass the ID to the function or not... it's important not to repeat any code. DRY, always follow that... doing the same thing twice is clearly not efficient. And the other function already processes the 0x, so I'll check if it's a hex directly, by seeing if it has letters! Brilliant! Now what is the best way to implement that..."
Admin
...and...?
ROT3 is an encryption algorithm (as is ROT13).
Whether it's sufficient for the intended purpose is another matter.
Admin
Another Remy article with no html comments and no sparkly ponies. I am really let down today.. :(
Admin
(Bonus points if the code actually checks for successful decryption. Double-double if the programmer figures out a way to create a test case for that code path.)
Admin
Ridiculous. At that in the time when writing it down would be encryption enough!
Admin
I'm calling it a fake!
Admin
I'm not into that stuff. I prefer plain B00B1E5.
Admin
I've seen sites that ROT13 and then BASE64 the plaintext. Extra double happy fun encryption that one!
Admin
Is the end result plain text? No? Well, I guess it's encrypted.
As before, YMMV depending on what you consider "sufficient for the intended purpose".
Admin
Just look up the history of cryptography. ROT-n WAS (one of?) the first ciphers used in practice.
captcha "luctus" - I feel at home
Admin
You're not the only one. I for one enjoy looking through the html for comments.
esse
Admin
Duh. He should have made it lower case first. Sheesh! So stupid.
Admin
"based on the integer ID passed" isn't this breaking the rule about integers and IDs?
Unless it's used for mathematics it's a string.
Admin
Don't forget though that just because it contains digits or hex digits and therefore looks like a number, doesn't mean it is one or should be stored as one. Unless you plan to do numeric calculations or operations with it, it is really a string and should be stored and handled as one....
Admin
You sure it wasn't ROT-13? Are you dizzy blud?
Admin
Did anyone else find the comment at the top misleading? I assumed that the commented out line was the code being replaced, and it looked as if the author checked for [A-Fa-f], then did the exact same thing as the previous implementation, otherwise it did nothing. Did I miss something?
RE: encryption / authentication, unfortunately, without a huge surface area for attack, a motivated attacker, or having your vulnerable site posted here, security by (even the most minimal) obscurity seems to have worked just fine for every freelance client I warn about the SQLI vulnerabilities in their login form (which was developed by some other freelance guy from the subcontinent, not me).
Admin
Remy, do you like mmmmmbananas?
Admin
ok, the "real" WTF for those who don't get it:
They are looking at your "number" and deciding whether or not it is hex by whether it contains any hex digits but forgot that not all hex numbers contain hex digits. So 1f is thirty-one but 20 is always twenty, never 20 hex which is thirty-two.
It seems subsequently they decided using 0x as a prefix was a better option for writing hex literals.
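The detection bug this comment describes, reconstructed as an added example in Python (the CodeSOD article's own code is not shown on this page, so the shape of the decode helper and the `resolve_*` names are assumptions): the "does it contain a hex letter?" test beside a version that keys off the explicit `0x` prefix the IDs carry.

```python
# Added example, not code from the original article: the "looks like hex"
# detection bug from the thread next to a prefix-based version.
import re

HEX_LETTER = re.compile(r"[A-Fa-f]")


def decode_hex_id(article_id: str) -> int:
    """The decode helper the comments mention: strips an optional 0x prefix
    and parses the rest as base 16. Assumed shape; the page shows no code."""
    if article_id[:2].lower() == "0x":
        article_id = article_id[2:]
    return int(article_id, 16)


def resolve_buggy(article_id: str) -> int:
    """The bug: decide 'is it hex?' by whether the ID contains a letter a-f.
    '20' is then always decimal twenty, and '0x20' is not recognised at all
    because 'x' is not a hex digit."""
    if HEX_LETTER.search(article_id):
        return decode_hex_id(article_id)
    return int(article_id, 10)


def resolve_fixed(article_id: str) -> int:
    """Decide by the explicit 0x prefix instead of guessing from the digits;
    an unprefixed '1f' is now rejected rather than silently treated as hex."""
    if article_id[:2].lower() == "0x":
        return decode_hex_id(article_id)
    return int(article_id, 10)


def compare(ids):
    """Run both resolvers over a list of IDs; a parse failure is recorded
    as the exception's class name so the table stays printable."""
    out = {}
    for i in ids:
        row = {}
        for name, fn in (("buggy", resolve_buggy), ("fixed", resolve_fixed)):
            try:
                row[name] = fn(i)
            except ValueError as e:
                row[name] = type(e).__name__
        out[i] = row
    return out


SAMPLE_IDS = ["1f", "0x1f", "20", "0x20", "0xDEADBABE"]  # constructed inputs

if __name__ == "__main__":
    for i, row in compare(SAMPLE_IDS).items():
        print(f"{i:>10}: buggy={row['buggy']!s:>11} fixed={row['fixed']!s:>11}")
```

Running it shows the two failure modes side by side: the buggy resolver reads `20` as twenty even when it was meant as hex and raises on `0x20`, while the fixed one gives 32 for `0x20` and 20 for `20`.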
Admin
0B00B1E5 doesn't work on most systems because leading zero means octal. Try 0xB00B1E5, but that doesn't sound nearly as fun.
Admin
184594917
Admin
I've always hated sting data types...so painful to deal with!
Admin
And don't forget CBEEB1E5 - that young kids TV channel.
Admin
I can just hear echoes of him justifying this face-palm monstrosity: "Well they might remove that '0x' in a future release. Then how would we identify a hex number? I'm the best because I plan ahead!"
Sigh
And yet another "encryption" process in the same class as ROT-13 or base-64...
Sigh
Neither security nor quality programming died: Both were clearly stillborn.
Admin
ROT is an encryption algorithm because it works like an encryption algorithm; you give it a plaintext and a key (3 or 13 in our archetypical examples), and out comes a cyphertext.
BASE64 is not an encryption algorithm because it does not work like an encryption algorithm. You can give it plaintext, and you can call the output 'cyphertext', but there is no key.
ROT, on its own, is not an encoding algorithm, because ROT itself requires a key to be used at all. If we pick a special instance of ROT, namely ROT13 (which is just ROT, but with the key fixed on 13), it is an encoding algorithm, although I cannot think of much use for this particular encoding.
The archetypical emperor did not use '13' as his key. Some people think so because ROT13 has this special property that it is its own reverse algorithm (decoding or encoding ROT13 gives the same result). However, this is not true for Latin because its alphabet is not 26 characters. Don't ask me how this is a valid argument for a certain person having used it or not, though.
All together, however, that is not to say that ROT is a good encryption algorithm.
Admin
and what exactly is wrong with Ox boobies?
Admin
So...then ROT is encryption, ROT13 is not? It's encryption until you select a key?
Or...BASE64 is encryption -- the key being 64.
Admin
If this is my work, I will find the vulnerability in both use cases. How damn easy it is to be exploited by script kiddies is not relevant. When you get your database dumped only once, the harm is done.