
freE-Commerce

by Charles Robinson, from The Daily WTF (#2AXX8)

Douglas had just joined a large eCommerce company that was building its own in-house PHP development team. It was a big step for them, as before that they had relied only on cheap freelance c0derz to get things done. Because of this, Douglas and his cohorts had to maintain a glut of legacy applications written by people who were long gone.

The vast majority of the horrid legacy apps were created by a man known simply as Shayne. The sight of his name in the code comments would send icy chills down Douglas' spine. Shayne was freelance down to the very definition of the word. His signature coding philosophy seemed to be "roll your own", and his framework weapon of choice was a version of CodeIgniter that was already two years out of date at the time he used it.

One of the more egregious examples of Shayne's hand-rolled disasters was the authentication script he reused on every site he built. Because of his custom session-generation code, a user could log in to one of his websites and copy the 'session' cookie (which contained hashed user details rather than a unique session ID) to another Shaynesite. From there, they were instantly logged in, regardless of whether they had any authority to be.
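The cross-site replay described above comes down to what the cookie is: a deterministic hash over user details that any copy of the same script will accept, versus an opaque random ID that only the issuing site's server-side store can resolve. The following Python (an added example, not code from the article or from Shayne's PHP; it assumes the reused script bakes in one fixed salt, and the field layout, MD5 and names like `legacy_issue_cookie`, `SessionStore` and `cross_site_demo` are all constructed for illustration) puts the two designs side by side and checks which one accepts a cookie minted elsewhere:

```python
import hashlib
import secrets

# Modelling assumption, not code from the article: the reused login script
# bakes in one fixed salt, so every site built from it validates the same
# cookie format with the same secret.
SCRIPT_SALT = "constructed-hardcoded-salt"


def legacy_issue_cookie(user):
    """Legacy scheme: the cookie carries the user details in the clear plus a
    hash over them. It is deterministic and contains no per-site or
    per-login secret, so the same user gets the same cookie everywhere."""
    details = f"{user['id']}|{user['email']}|{user['role']}"
    digest = hashlib.md5((details + SCRIPT_SALT).encode()).hexdigest()
    return f"{details}|{digest}"


def legacy_validate_cookie(cookie):
    """Returns the identity the cookie claims, if its hash checks out.
    Nothing is looked up server-side, so any site running the same script
    accepts a cookie minted by any other such site."""
    uid, email, role, digest = cookie.split("|")
    details = f"{uid}|{email}|{role}"
    expected = hashlib.md5((details + SCRIPT_SALT).encode()).hexdigest()
    if digest != expected:
        return None  # the hash does catch in-cookie tampering, nothing more
    return {"id": int(uid), "email": email, "role": role}


class SessionStore:
    """Hardened scheme: one store per site, keyed by an opaque random ID.
    The cookie reveals nothing and means nothing to any other site."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user_id": user["id"], "role": user["role"]}
        return sid

    def validate(self, sid):
        return self._sessions.get(sid)  # None unless this site issued it


def cross_site_demo():
    """Constructed scenario: a cookie issued on site A is presented to site B."""
    alice = {"id": 42, "email": "alice@example.test", "role": "customer"}
    legacy_cookie = legacy_issue_cookie(alice)  # minted on site A
    site_a, site_b = SessionStore(), SessionStore()
    sid = site_a.issue(alice)  # minted on site A
    return {
        # site B runs the same script, so it validates A's cookie as-is
        "legacy_cross_site": legacy_validate_cookie(legacy_cookie) is not None,
        "hardened_cross_site": site_b.validate(sid) is not None,
        "hardened_same_site": site_a.validate(sid) is not None,
    }


if __name__ == "__main__":
    print(cross_site_demo())
```

The hash in the legacy cookie only guards against editing the cookie's contents; it does nothing to bind the cookie to the site that issued it or to a live login. The opaque-ID design fixes both because the cookie is just a lookup key into state that only one site holds, which is exactly what a unique session ID gives you.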

The authentication script, however, had nothing on the poison marsh that was Shayne's eCommerce platform. The platform had been developed a few years earlier and served as the foundation for the rest of what was supposed to be the company's triumphant new version. Douglas was brought in at the 11th hour to give it a once-over before it got deployed. It didn't take long for him to find an entire mast's worth of red flags.

Within half an hour, he found five separate ways to get a free order out of the system. The simple methods involved changing the cart value to '0' in a hidden input, since the back end didn't validate the cart total; the more complex ones involved spoofing a 'success' callback from the card processor, WorldPay. Since the application checked only the order ID (which was available before the payment stage) and neither the server origin of the payment callback nor the shared secret, the system could be fooled into thinking that an order had been successfully paid for.
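Both free-order routes above are the same defect: the server trusts a value it should have computed or verified itself. The Python below is an added example, not the platform's code or WorldPay's actual callback format; the field names (`order_id`, `amount`, `status`, `txn`, `sig`), the HMAC-SHA256 signing scheme, the catalogue and the helper names are all constructed for illustration. It recomputes the amount due from server-side prices instead of the hidden input, and accepts a payment callback only when it carries a valid signature under the shared secret, names an order still awaiting payment, and reports the server-computed amount:

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample data (not from the article): server-side prices and an
# order created before the payment step, so its ID is already known to the
# browser by the time the processor calls back.
CATALOGUE = {"SKU-1001": Decimal("19.99"), "SKU-2002": Decimal("5.00")}
ORDERS = {
    "ORD-1": {"items": {"SKU-1001": 2, "SKU-2002": 1}, "status": "awaiting_payment"},
}
# Hypothetical merchant/processor shared secret; in practice it comes from
# configuration and is never sent to the browser.
SHARED_SECRET = b"constructed-demo-shared-secret"


def server_total(order):
    """Amount due, recomputed from server-side prices and quantities.
    The browser's hidden 'cart_total' field is never consulted."""
    return sum(CATALOGUE[sku] * qty for sku, qty in order["items"].items())


def legacy_charge_amount(form):
    """Legacy behaviour: the amount to charge comes straight from a hidden input."""
    return Decimal(form["cart_total"])


def legacy_confirm(orders, params):
    """Legacy callback check: the order merely has to exist and the callback
    has to say 'success'. No origin check, no shared secret, no amount check."""
    order = orders.get(params.get("order_id"))
    return order is not None and params.get("status") == "success"


def sign_callback(params, secret):
    """Hypothetical signature scheme shared by processor and merchant:
    HMAC-SHA256 over the sorted key=value pairs, excluding the signature."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def hardened_confirm(orders, params, secret):
    """Accept a payment callback only if it is authentic, bound to an order
    still awaiting payment, and for the server-computed amount.
    Returns (accepted, reason). A real deployment also restricts the endpoint
    to the processor's addresses, which cannot be shown offline."""
    order = orders.get(params.get("order_id"))
    if order is None:
        return False, "unknown order"
    if order["status"] != "awaiting_payment":
        return False, "order not awaiting payment"  # blocks replays
    expected = sign_callback(params, secret)
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "bad signature"  # forged or tampered callback
    if params.get("status") != "success":
        return False, "payment not successful"
    if Decimal(params.get("amount", "0")) != server_total(order):
        return False, "amount mismatch"  # underpaid
    return True, "ok"


def checkout_demo():
    """Constructed scenarios: a forged callback that knows only the order ID,
    a genuine signed callback, and the hidden-input zero-total trick."""
    forged = {"order_id": "ORD-1", "status": "success", "amount": "44.98", "txn": "FAKE-1"}
    genuine = {"order_id": "ORD-1", "status": "success", "amount": "44.98", "txn": "TX-CONSTRUCTED-1"}
    genuine["sig"] = sign_callback(genuine, SHARED_SECRET)
    return {
        "legacy_accepts_forged": legacy_confirm(ORDERS, forged),
        "hardened_accepts_forged": hardened_confirm(ORDERS, forged, SHARED_SECRET)[0],
        "hardened_accepts_genuine": hardened_confirm(ORDERS, genuine, SHARED_SECRET)[0],
        "legacy_charge": legacy_charge_amount({"cart_total": "0"}),
        "server_charge": server_total(ORDERS["ORD-1"]),
    }


if __name__ == "__main__":
    print(checkout_demo())
```

Two design points worth noting: the status check comes first so that a captured genuine callback cannot be replayed to confirm the same order twice, and the amount is compared against the server's own total rather than anything the browser posted, which is what closes the hidden-input route independently of the callback fix.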

Douglas immediately brought his findings to his supervisor and informed him that under no circumstances should it be released as-is. He was convincing enough that the brakes were put on the release, but the resolution his boss proposed was less welcome: "I'll see if we can dig up this Shayne's phone number and try to get him back in here to fix this mess!"

The colorful, four-letter language Douglas used in reply to that suggestion probably should have been enough to get him fired. Fortunately, his boss used more colorful vocabulary daily. Douglas again persuaded him that under no circumstances should Shayne be let in the door again. Wanting to make a good impression, Douglas committed his nights and weekends for the foreseeable future to cleaning up the disaster. But before he did, he began drafting a letter of recommendation to Amazon, urging them to hire a great talent like Shayne. Because who wouldn't love to be able to get a bunch of free stuff from Amazon?
