Admin
I'm not sure that I agree about "send data" being better than "generate code", but what's sure is that the server code that is "generating" should send only the code necessary to run with the given settings, so instead of sending this:
just send a call to some_code() or a call to some_other_code(), as required by the value of configuration_value_as_literal.
Why? It conceals information that attackers might find useful, since they don't see that there even is an option, nor a difference in behaviour, nor what the "not for you, Chuckles" behaviour even is. Sending the if() and the two sets of code is an information leak, and sending data also facilitates the attacker attacking the code he shouldn't be allowed to use, because it's easier to use the JS console to modify the data than it is to use the console to modify the script.
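The difference described in the comment above, as an added example that is not part of any comment in this thread: a server rendering the client script both ways, plus a check of what each version exposes. The function names come from the comment; the 'Y' value, the placeholder bodies and the helper names are assumptions.

```javascript
// Added example (constructed): two ways a server can render the client
// script for one user. Bodies are placeholders; 'Y' is an assumed value.
const BRANCHES = {
  enabled: { call: 'some_code()', body: 'function some_code() { /* feature UI */ }' },
  disabled: { call: 'some_other_code()', body: 'function some_other_code() { /* fallback UI */ }' },
};

// Leaky: ships the literal, the if(), and both branches to every client.
function renderLeaky(configurationValue) {
  const lit = JSON.stringify(configurationValue);
  return [
    BRANCHES.enabled.body,
    BRANCHES.disabled.body,
    `if (${lit} === "Y") { ${BRANCHES.enabled.call}; } else { ${BRANCHES.disabled.call}; }`,
  ].join('\n');
}

// Minimal: the server decides and ships only the selected branch.
function renderMinimal(configurationValue) {
  const chosen = configurationValue === 'Y' ? BRANCHES.enabled : BRANCHES.disabled;
  return `${chosen.body}\n${chosen.call};`;
}

// Reports which branches a rendered script reveals to the client.
function exposedBranches(script) {
  return Object.keys(BRANCHES).filter((name) =>
    script.includes(BRANCHES[name].call.replace('()', '')));
}

// The rendered script is presentation only: any request that performs the
// gated action is checked against the server's own copy of the setting.
function authorizeAction(serverSideConfigValue, _clientClaimsEnabled) {
  return serverSideConfigValue === 'Y'; // the client's claim is ignored
}

console.log('leaky  :', exposedBranches(renderLeaky('N')));
console.log('minimal:', exposedBranches(renderMinimal('N')));
```

Whichever rendering is used, authorizeAction is where the restriction is actually enforced, since anything sent to the browser can be edited there.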
Admin
if ( true + true === 2 ) { // leave a comment }
Admin
Without more context (was this code spotted in a codebase? on a live website?), it’s hard to judge how much of a WTF it is.
A legitimate case for this code to appear would be in development mode with environment variables injected in the source code. Like
if (process.env.DISABLE_PASSWORD_AUTH === 'Y') { … }. In development mode the process.env.xxx would get replaced, but the dead code would not be eliminated (because minification is unnecessary in this context). In production, the generated code would be cleaned and minified. Depending on the variable, it can be more relevant than keeping all the code and loading the variable from the backend (e.g. react debugging code that gets stripped in production env). Though in this case, it would still be weird to disable inputs based on an environment variable.
Admin
if (x==false OR 1)
Admin
#define false 0
#define true !false
Admin
Maybe programming languages should have 'always' and 'never' introduced as new keywords...
Admin
C++ does this.
Admin
And apparently the comments here remove the star symbol required for comments.