Comment On Classic WTF: The Phantom of The System

It's a particularly busy week for me: on top of a few looming deadlines, I'll be at Business of Software 2008 in Boston. So, I figured it'd be the perfect opportunity to revisit some classics.

Re: Classic WTF: The Phantom of The System

2008-09-03 08:02 • by ParkinT
' this will be used as a dummy, to throw off the wise
' it is a post about nothing

Re: Classic WTF: The Phantom of The System

2008-09-03 08:12 • by bitblit
At work it sang to me
In code it came
22, 7, minus 12
And 620
But do I scream again?
For now I see
The Phaaaaantom of The System Whiz is here
Inside ThankYou.asp

Re: Classic WTF: The Phantom of The System

2008-09-03 08:16 • by zw (unregistered)
Man 1: Hurry, type in 4 8 15 16 23 42!

Man 2: Aaaaaaarrrgghhhhh! NO, it's 22, 7, -12, and 620, you moron!

Re: Classic WTF: The Phantom of The System

2008-09-03 08:16 • by R (unregistered)
I'm having trouble deciding between my dummy response of

hahahhahahahahahahahhahaha

and my real response - a long drawn out pained wail, just like the poor phantom of the opera.

Re: Classic WTF: The Phantom of The System

2008-09-03 08:23 • by Carlos92 (unregistered)
It's sort of obvious that the author is trying to obtain "security by obscurity" instead of using an encryption algorithm with a key that the server keeps in memory or on disk.

The "secrets" are the size of the left and right masks that one has to remove, and the coefficients of a linear equation that one has to solve.

Not actually obfuscated (as in Perl) but bloated...

Re: Classic WTF: The Phantom of The System

2008-09-03 08:26 • by Carlos92 (unregistered)
215482 in reply to 215481
I almost forgot to mention the ludicrous comments and the ugly variable names that don't convey information.

Re: Classic WTF: The Phantom of The System

2008-09-03 08:27 • by akatherder
The encoding/encrypting/obfuscating is bad enough, but it's a programming sin to pass a total in the querystring.

Re: Classic WTF: The Phantom of The System

2008-09-03 08:36 • by Dante Gates (unregistered)
Just like the 7 layers of hell, there are 7 layers of stupidity:

1. Ignorance is bliss.

2. Yes, I'm ignorant, but I think I'll write some code anyway.

3. I'm ignorant, but I think I'll write some code FOR A WEB SITE, where the whole world can mess with me 7 by 24.

4. I'm ignorant, but I think I'll write some web code that handles REAL MONEY.

5. I'm writing a web page that handles money, but I've never heard of hackers.

6. I know hackers are tricky and evil, but I didn't think they'd stoop so low as to pick up the money I left lying around in my site.

7. I am fully informed about hackers and how they will try to alter the price, but instead of keeping it where they can't touch it, I'll send it to them anyway using my super-secret, incomprehensible technology, ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.

Re: Classic WTF: The Phantom of The System

2008-09-03 08:40 • by a pedant (unregistered)
215485 in reply to 215483
akatherder:
The encoding/encrypting/obfuscating is bad enough, but it's a programming sin to pass a total in the querystring.


It's perfectly fine to pass it in the querystring.

Providing you also keep it on the server and use the server for all calculations, processing, verification.

Putting it in the querystring or cookie means you could have a cached static page use JavaScript to display the shopping cart details and total. This means that if you have a 100% commerce website you could make little JavaScript libs to show the cart everywhere without having to make the entire site dynamic. Further, if you have 3rd party partner sites, you could use JavaScript to still show the cart on those sites without giving them access to your pages.

Seems fine to me.

Providing you work with the server values and only use the querystring, cookie, etc for presentation.
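As an added illustration of a pedant's point here (and of Carlos92's earlier remark about using a key the server keeps), not code from the original post or from The Daily WTF: a small Python sketch in which the client-visible total is display-only, the charge is always recomputed from the server's own cart record, and, where a value really must round-trip through the client (a cached page or a partner site), it is bound to a server-held key with an HMAC rather than obfuscated. The cart contents, the session id and the key are constructed for the example.

```python
import hashlib
import hmac
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed sample data: the server's own record of each cart, keyed by
# session id. A real application would keep this in a session store or DB.
SERVER_CARTS = {
    "sess-1234": {
        "items": {
            "xbox360": (Decimal("299.99"), 1),   # (unit price, quantity)
            "cable": (Decimal("9.99"), 2),
        }
    },
}

# Assumed server-held key; it is never sent to the client.
SERVER_KEY = b"constructed-example-key-keep-on-server"


def server_total(session_id):
    """Recompute the order total from the server-side cart, not from the client."""
    items = SERVER_CARTS[session_id]["items"]
    return sum(price * qty for price, qty in items.values())


def charge_from_querystring_naive(session_id, query):
    """The pattern the thread is mocking: charge whatever total the client sent."""
    params = parse_qs(query)
    return Decimal(params["total"][0])


def charge_from_server(session_id, query):
    """Defended version: the querystring total is used only for presentation.

    Returns (amount_to_charge, mismatch). The amount always comes from the
    server; a mismatch flag lets you log tampering or a stale cached page.
    """
    params = parse_qs(query)
    displayed = Decimal(params.get("total", ["0"])[0])
    real = server_total(session_id)
    return real, displayed != real


def sign_value(value):
    """Bind a value that must round-trip through the client to the server key."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(token):
    """Return the embedded value if its MAC checks out under SERVER_KEY, else None."""
    value, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    tampered = "total=1.00"   # constructed: client rewrote the querystring
    print("naive charge:", charge_from_querystring_naive("sess-1234", tampered))
    print("server charge, mismatch:", charge_from_server("sess-1234", tampered))
    token = sign_value(str(server_total("sess-1234")))
    print("signed token verifies:", verify_value(token))
    forged = "1.00." + token.rpartition(".")[2]
    print("forged token verifies:", verify_value(forged))
```

The signed-token branch goes a little beyond what the thread spells out: it is the standard way to let a cached or third-party page carry a server value without letting the client choose it, and the server still treats the verified value as presentation data and recomputes the charge from its own state.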

Re: Classic WTF: The Phantom of The System

2008-09-03 08:48 • by morry
My power over you grows stronger yet ...
And though you turn from me, to glance behind,
the Phantom of the System is there - INSIDE your mind ...

Re: Classic WTF: The Phantom of The System

2008-09-03 08:53 • by Gorfblot (unregistered)
215488 in reply to 215485
a pedant:

Providing you work with the server values and only use the querystring, cookie, etc for presentation.


Nobody could possibly be stupid enough to rely on the client to tell you how much to charge.

(I was almost able to type that with a straight face...)

Re: Classic WTF: The Phantom of The System

2008-09-03 08:53 • by akatherder
215489 in reply to 215485
a pedant:
Providing you work with the server values and only use the querystring, cookie, etc for presentation.


That seems silly. You have access to the server values and you're using those for calculation on the back-end. Just present the real values to the customer.

I guess you could get away with presenting the real values on a final "confirmation" page and let the user play with cookies/querystring during checkout. But you're on the hook if the page says "Do you agree to let us charge your credit card $1.00 for your Xbox 360?".

Re: Classic WTF: The Phantom of The System

2008-09-03 08:54 • by Zecc
215490 in reply to 215484
We really need to come up with a better generation of goggles.

Dante Gates:
ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
...in comments that aren't sent to the client browser.

Re: Classic WTF: The Phantom of The System

2008-09-03 08:57 • by Dante Gates (unregistered)
215492 in reply to 215490
Zecc:
Dante Gates:
ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
...which isn't sent to the client browser.

Then how does the browser decode and display the true price on the thank you page?

Re: Classic WTF: The Phantom of The System

2008-09-03 09:00 • by ThisIsMe (unregistered)
"Masquerade"
;)

Re: Classic WTF: The Phantom of The System

2008-09-03 09:05 • by real_aardvark
This pretty much reminds me of those numerical games that we used to play as little kids -- you know, "Think of a number, then multiply it by your birth date and subtract two" type games. The only substantive difference is that this guy doesn't seem to be able to perform the actual arithmetic.

Still, it's possibly nice to know that one of my more idiotic friends from fifth grade is out there performing a valuable service for society.

Re: Classic WTF: The Phantom of The System

2008-09-03 09:13 • by NeoMojo (unregistered)
215495 in reply to 215492
Dante Gates:
Zecc:
Dante Gates:
ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
...which isn't sent to the client browser.

Then how does the browser decode and display the true price on the thank you page?


in the server side script of the thank you page. It doesn't need to have the calculation in the client side script.

Re: Classic WTF: The Phantom of The System

2008-09-03 09:21 • by Steve (unregistered)
215498 in reply to 215477
bitblit:
At work it sang to me
In code it came
22, 7, minus 12
And 620
But do I scream again?
For now I see
The Phaaaaantom of The System Whiz is here
Inside ThankYou.asp
Bravo! Take a bow.

I laughed. . .

. . . and I can't stand Phantom of the Opera.

Re: Classic WTF: The Phantom of The System

2008-09-03 09:26 • by MadJo@Work (unregistered)
215500 in reply to 215492
Dante Gates:
Zecc:
Dante Gates:
ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
...which isn't sent to the client browser.

Then how does the browser decode and display the true price on the thank you page?

ASP comments won't get shown in the source code viewer in your browser. In fact no ASP code gets shown there.

Re: Classic WTF: The Phantom of The System

2008-09-03 09:27 • by robd (unregistered)
first!

Re: Classic WTF: The Phantom of The System

2008-09-03 09:46 • by JimM
215502 in reply to 215483
akatherder:
The encoding/encrypting/obfuscating is bad enough, but it's a programming sin to pass a total in the querystring.

At least it wasn't sent as the total though: it was sent as the tracking code. And NO-ONE would think of playing with the tracking code (would they?). What I find odd is that he went to all that trouble to mess with the actual total, but didn't think to multiply it by 100 first to get rid of the decimal places...

Re: Classic WTF: The Phantom of The System

2008-09-03 09:47 • by jkupski (unregistered)
215503 in reply to 215477
bitblit:
At work it sang to me
In code it came
22, 7, minus 12
And 620
But do I scream again?
For now I see
The Phaaaaantom of The System Whiz is here
Inside ThankYou.asp


Think of this, think of this bad code
When you write your scripts
Remember this: never write code while on an acid trip

We told you that your code was horrible
But to this you were quite deaf
So now you see your name on
The daily WTF!

Re: Classic WTF: The Phantom of The System

2008-09-03 09:54 • by Code Dependent
The code churning within The System was so intricate and complex that only "The Whiz" (who, consequently, was also the author of The System) could possibly understand and maintain it.
I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?

Re: Classic WTF: The Phantom of The System

2008-09-03 10:12 • by Satanicpuppy
Fricking amateurs. If you can't do crypto, don't try, because you're only going to be making yourself look like a fool down the line. I consider myself pretty knowledgeable, and I wouldn't even dream of trying to roll my own, due to my lack of an advanced degree in mathematics.

The real WTF is that he thought he needed to obfuscate the fricking order total...If someone was monitoring your connection, and possessed a calculator, they could surely figure it out for themselves...even if you (radically) went to ssl when you started the checkout process.

Re: Classic WTF: The Phantom of The System

2008-09-03 10:17 • by Charles400
Phantom of the Opera - where it's okay to romanticize stalkers.

Re: Classic WTF: The Phantom of The System

2008-09-03 10:20 • by JoeyLemur (unregistered)
I wonder if HR would have words with me if I started referring to the admin across the aisle from me as Christine...

Re: Classic WTF: The Phantom of The System

2008-09-03 10:41 • by ObiWayneKenobi
Having dealt with systems similar to this, at least "The Whiz" used okay (not great) variable names. Try dealing with something similar to this that uses barely any indentation at all, dozens of include files per page, VBScript subroutines that take a reference to the object they work with and instantiate it instead of returning the thing, and variable names that seem to have been stripped of all vowels, and you'll long for the beautiful misery of "The System"

Re: Classic WTF: The Phantom of The System

2008-09-03 11:09 • by John (unregistered)
I was once tasked with maintaining an ASP/VBScript that allowed users to construct an order worth on average ~£30,000. It then had an editable field where they could overtype this value with whatever value they liked... When I tried it out, I typed in 0 (zero) and hit submit, fortunately it prevented me doing this.

Intrigued as to why this was editable, I delved a little deeper, to my horror it only prevented the user from typing in their own value if the input value caused the deal to give a negative profit (or loss!), so as long as you are not too greedy about the discount you wish to give yourself... you can have it at cost price. (A hefty 55% discount on average)

Re: Classic WTF: The Phantom of The System

2008-09-03 11:47 • by KenW
215519 in reply to 215504
Code Dependent:
I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?


As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.

Re: Classic WTF: The Phantom of The System

2008-09-03 11:53 • by JDeepBeep
Lloyd WWWeber.

Ergh.

Re: Classic WTF: The Phantom of The System

2008-09-03 12:19 • by h (unregistered)
215522 in reply to 215519
KenW:
Code Dependent:
I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?


As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.

Yes, but then the whole pedantic system falls apart, and these guys mean nothing to society anymore... oh wait.

Re: Classic WTF: The Phantom of The System

2008-09-03 13:11 • by Code Dependent
215528 in reply to 215519
KenW:
As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.
It's okay, Ken, I wasn't expecting it to be corrected. I just get a kick out of pointing it out. Plus, pedantry's so uniquely qualified to get a reaction check, isn't it.

Re: Classic WTF: The Phantom of The System

2008-09-03 13:17 • by Andrew (unregistered)
He was trying to obfuscate the URL so hackers couldn't manipulate it. Looks good to me, I don't see the problem here.

Re: Classic WTF: The Phantom of The System

2008-09-03 13:52 • by TJ (unregistered)
Wouldn't a form post have been easier?

I am all for security and "code poetry", but I am also an extremely lazy programmer; I would like it to work correctly with the minimum amount of effort from me or the system.

Re: Classic WTF: The Phantom of The System

2008-09-03 14:50 • by Shill (unregistered)
215538 in reply to 215504
Code Dependent:
The code churning within The System was so intricate and complex that only "The Whiz" (who, consequently, was also the author of The System) could possibly understand and maintain it.
I doubt that being the author of The System was a consequence of being the only one who could understand it. The other way around, maybe. Perhaps you meant to say, "who, coincidentally, was also the author"?


I think the word everyone was looking for was necessarily.

Re: Classic WTF: The Phantom of The System

2008-09-03 16:07 • by RH (unregistered)
215546 in reply to 215529
Andrew:
He was trying to obfuscate the URL so hackers couldn't manipulate it. Looks good to me, I don't see the problem here.


BEFORE ANYONE ACTUALLY REPLIES TO THIS, CONSIDER THE VERY LIKELY POSSIBILITY IT'S A TROLL AND FEEDING TROLLS IS BAD BECAUSE IT BEGETS MORE TROLLS

Re: Classic WTF: The Phantom of The System

2008-09-03 16:33 • by North Bus
215549 in reply to 215503
jkupski:

Think of this, think of this bad code
When you write your scripts
Remember this: never write code while on an acid trip

We told you that your code was horrible
But to this you were quite deaf
So now you see your name on
The daily WTF!



I nominate this for a Tony.

Re: Classic WTF: The Phantom of The System

2008-09-03 17:03 • by Code Dependent
215551 in reply to 215538
Shill:
I think the word everyone was looking for was necessarily.
Not necessarily.*






*You set that up on purpose.

Re: Classic WTF: The Phantom of The System

2008-09-03 19:11 • by Anonymouse (unregistered)
215563 in reply to 215538
Er, it's pretty clear that the intended word was coincidentally.

"... The Whiz (who, coincidentally, was also the author of The System)..."

See, there's sarcasm in them thar hills.

Re: Classic WTF: The Phantom of The System

2008-09-03 20:25 • by Chris (unregistered)
215569 in reply to 215500
MadJo@Work:
Dante Gates:
Zecc:
Dante Gates:
ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
...which isn't sent to the client browser.

Then how does the browser decode and display the true price on the thank you page?

ASP comments won't get shown in the source code viewer in your browser. In fact no ASP code gets shown there.
I guess you forgot about (or are oblivious to) the multiple known vulnerabilities in IIS + ASP which cause the web server to dump the source of the file to the web browser, rather than interpret/execute it.

I won't go into detail, but I have used one of the known issues to break at least one system that ran on IIS with ASP.

Relying on the client to send you anything other than something that they NEED to send you is folly, indeed. All totals, etc should be tracked ON THE SERVER, never relying on the client to pass the right data (even if it is obfuscated), because you never know when your web server might spit out the source of your page and make it *very* easy for someone to figure out what sort of incantation to invoke to make your program theirs. :p

Re: Classic WTF: The Phantom of The System

2008-09-04 01:41 • by joemck
With not a single line containing anything even resembling a function or subroutine.

Sounds like we all know who "The Whiz" was. Spectate, are you listening?

Re: Classic WTF: The Phantom of The System

2008-09-04 04:58 • by Max Romantschuk (unregistered)
215587 in reply to 215494
I'm unfortunately also all too familiar with this approach. I've used a system which obfuscates all URLs to a ?foo=000013421 where foo is a number chosen more or less randomly and only valid for your session.

It's more secure like that, it seems... But it also makes every single support email rather useless, when no URL sent by anyone will work for anyone else... Some people seem to thrive on making things difficult for everyone else.

Re: Classic WTF: The Phantom of The System

2008-09-04 05:37 • by nat42
maskerAmount = oTotal*4340 + 88040 //where oTotal is not huge, ie. less than about 500K

I love that he chose to multiply everything by 620!

As being divisible by 10 adds an obvious "0" digit for any would-be script kiddies to note strangely occurring in EVERY masked amount, and the numbers to the left hand side of this then always being even, well, that's a huge clue as to the obfuscation method being used IMHO!

Re: Classic WTF: The Phantom of The System

2008-09-04 05:53 • by brazzy
215593 in reply to 215505
Satanicpuppy:
The real WTF is that he thought he needed to obfuscate the fricking order total...

No, the real WTF is what this need hints at: the order total is probably sent back to the server and used for billing, meaning that if someone defeats the Whiz's mighty crypto skillz and manipulates the HTTP request, they can make it so that they actually billed only $0.01 for any order.

Re: Classic WTF: The Phantom of The System

2008-09-04 11:03 • by An Old Hacker (unregistered)
215618 in reply to 215505
Satanicpuppy:
Fricking amateurs. If you can't do crypto, don't try, because you're only going to be making yourself look like a fool down the line. I consider myself pretty knowledgeable, and I wouldn't even dream of trying to roll my own, due to my lack of an advanced degree in mathematics.

The real WTF is that he thought he needed to obfuscate the fricking order total...If someone was monitoring your connection, and possessed a calculator, they could surely figure it out for themselves...even if you (radically) went to ssl when you started the checkout process.


Ummm... I _have_ an advanced degree in mathematics. And I don't dream of it either, because I majored in topology, not number theory. Seriously, people, stick with published, peer-reviewed methods. Go back every couple of years to see if you need to replace anything due to uncovered vulnerabilities. Same thing with getting cute with randomness. Use approved libraries, but only after you have read up on their characteristics and consider them to be acceptable.



Re: Classic WTF: The Phantom of The System

2008-09-04 12:27 • by Kevin (unregistered)
There are multiple WTFs in this story.

1.) The complete method here is wrong! OrderProcessing.foo should process the order (as the name implies), then display the thank you, that way this kind of obfuscation is unnecessary.

2.) If the total is 155.72, and you pad it on both sides with numbers, you will get a stupid total with tenths, hundredths, and thousandths of a cent! (2943155.7230843)

3.) We won't even go into the total irresponsible nature of this application - especially the fact that it was programmed in VBScript & ASP.

--Kevin

Re: Classic WTF: The Phantom of The System

2008-09-04 15:05 • by ClaudeSuck.de
TRWTF is that The Wiz makes such big efforts to hide the total amount of an order. What the heck is so secret about it?

Re: Classic WTF: The Phantom of The System

2008-09-04 15:12 • by ClaudeSuck.de
215748 in reply to 215500
MadJo@Work:
Dante Gates:
Zecc:
Dante Gates:
ALONG WITH THE INSTRUCTIONS TO DECODE THE PRICE in the script of the page.
...which isn't sent to the client browser.

Then how does the browser decode and display the true price on the thank you page?

ASP comments won't get shown in the source code viewer in your browser. In fact no ASP code gets shown there.


No, not the code. But the order total should be shown at a certain point.

Re: Classic WTF: The Phantom of The System

2008-09-04 16:28 • by Blaufish (unregistered)
A certain system I debugged has similarly mysterious URL-altering functions (although not as ugly as the implementation posted here).

I asked a skilled guy who still remembered The Days of Creation, and it was multi-purpose; the main feature was to prevent caching (according to tests/rumors, none of the pragma variants worked very well in the old days when HTTP proxies were new; users got cached web page copies (including user-specific data) from proxies. Until URL randomizing was introduced, that is.

Legacy is horrible.

Re: Classic WTF: The Phantom of The System

2008-09-04 16:51 • by real_aardvark
215790 in reply to 215528
Code Dependent:
KenW:
As this is a re-publication of something that appeared three years ago, perhaps the pedantry should be posted to the original post instead of here.
It's okay, Ken, I wasn't expecting it to be corrected. I just get a kick out of pointing it out. Plus, pedantry's so uniquely qualified to get a reaction check, isn't it.
Well, as usual, KenW has correctly picked on a thoroughly miserable specimen of so-called humanity whose mental deficiencies are visible to anyone with a functional, yet thoroughly unimaginative, blog moniker. As usual, he has totally missed the point.

This Grammar Nazi thing you have about the use of "consequently," and the related implication of cause and effect: you have completely missed the point. Using my Code Smell ninja powers of analysis, this is clearly not an example of one-way cryptography: therefore the arrow of time does not apply. Since it is obviously impossible for anybody to be dense enough to write this "function" in the normal sense of time, the "function" must have existed before its author. Consequently we need to reverse the arrow of time -- I have this conclusion on the authority of no less a person than Sherlock Holmes -- and conclude that the code is, indeed, the cause of the author.

I hope you feel properly ashamed of yourself for not realising this. And I'm not going to stand for any "no shit, Sherlock" retorts, either.