Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Electronic Pricetag Alteration

by jcwren (Prior)
on Mar 07, 2001 at 04:03 UTC ( #62623=perlmeditation: print w/ replies, xml ) Need Help??

This story about Electronic Pricetag Alteration (linked to from <A HREF="http://www.slashdot.org"SlashDot) I consider relavent to what a lot of us do, or have done.

Lets take a look at the basic flaw in this whole scheme, which is considering data submitted in a form to be secure. Why would these morons use information like that in the form? If the pricing is in the database, why are they relying on pricing data in the form, in the first place?

Now, I'm no mondo-web designer (if you've seen the stats pages, you'll surely agree), and I'm sure not qualifed to write a full blown shopping cart application like Amazon, etc uses. But I am sure as hell smart to recognize right off the bat that you don't give users that kind of opportunity. What's wrong with a SKU number? If you have special pricing offers, and you need to write the price to the web page for the user to see, you know you have a special price, and the SKU (however short lived it may be for that offer) contains the price. This means if someone jacks around the SKU, they're getting a different product, and they're still going to pay whatever the jacked SKU costs.

I know there are a lot of people who shouldn't be writing software out there (heck, some people probably think I fall into that category!). I'm no mega-cracker or system jacker, but even I knew you didn't want to do this before I knew anything about web programming. So, who are these people that write these fancy apps, that aren't smart enough to know something that basic? This seems like a real dichotomy, that they're smart enough to write a moderately sophisticated shopping app, but not smart enough to isolate tamperable data from the user.

So, if you're one of these people writing applications that involve people paying for things, you might want to take this into consideration. Or, if your co-workers/boss tell you that it's perfectly safe, make sure that it's not your paycheck that they'll be taking the price difference of a $1900 laptop that someone jacked to $1.90...

Real world evil, people, real world evil. It's not just a theory, it happens quite a bit.

--Chris

e-mail jcwren

Comment on Electronic Pricetag Alteration
Re: Electronic Pricetag Alteration
by Desdinova (Friar) on Mar 07, 2001 at 04:15 UTC
    The really sad part is is this not some new thing. I mean this exact trick is on pg 201 of O'reilly's 'Cgi Programming with Perl'. At very least the security chapter of that book should be required reading before people even look at cgi-code.
Re: Electronic Pricetag Alteration
by vroom (Pope) on Mar 07, 2001 at 04:22 UTC
    You can always pass the parameters and just not use the item id instead. I prefer something along these lines:
    my $passedprice=$query->param('price'); charge_credit_card($realprice+abs($realprice-$passedprice));

    Seriously though these are important things to worry about when money or xp are involved.

    vroom | Tim Vroom | vroom@cs.hope.edu

      I'll just note that voting on something you already voted on takes a vote away from you but doesn't affect the node.

              - tye (but my friends call me "Tye")
Re: Electronic Pricetag Alteration
by Trimbach (Curate) on Mar 07, 2001 at 04:32 UTC
    I actually ran across a similar problem while doing some Perl/CGI freelancing. The client hired me to add some functionality to an existing shopping cart CGI that he had already paid for. I don't know who wrote the shopping cart but although it was (on the surface) perfectly functional and suited the client's needs, it was really, really ugly on the backend. (No CGI.pm, hand-rolled templating functions a la HTML::Template, you get the idea.) Although prices for items were stored in a db (a 5,000 row flat-file, natch) the shopping cart deliberately accepted price changes from the HTML form to allow for things like discounts for re-sellers and premier customers and such.

    I thought this was amazingly dumb, but it made some of the things I was contracted to do easier (adding "bonus items" from the db for free, for example.) Fixing the security problems would have involved a fairly major re-write of the whole shopping cart (although trust me, adding "use CGI;" would've saved a hell of alot coding) and it was near Christmas and the client didn't have the time for the re-write/re-test cycle for a cart that, like I said, already worked.

    So I did what I was hired to do, got paid, and the client was happy. The original program was just so bad there really wasn't anything else to do give the time and money at issue. It felt very wrong, though... we spend so much time making sure that our code is as secure as we can manage that deliberately leaving security holes is, literally, a sin.

    But perhaps the bigger sinners are those that write this crap to begin with. My clients were small businessmen, not coders. When they hire someone to do a job they don't have the means to do a third-party review of the code they just bought; they're just taking the programmer's word that what they bought is secure. The client (in my case) got ripped off by the original coders long before they almost certainly got ripped off by people taking advantage of the security hole.

    sigh

    Gary Blackburn
    Trained Killer

Re: Electronic Pricetag Alteration
by LD2 (Curate) on Mar 07, 2001 at 07:07 UTC
    I'm not sure if it's due to lack of QA on their(company's) part or lack of common sense during development(software, database, and security design) or maybe it's due to all of the above. The sad thing is that these companies are not taking into consideration the evils of this world. C'mon, there are too many users out there who would love to hack a site and create some havoc or just hack the site to be able to purchase the item at a much lower cost. Technology is evolving and with that, programmers are becoming more sophisticated... unfortunately some of them are being devious with their abilities. People cannot survive thinking that no one will take advantage of them - because they will. If they could assume the worst and program for that, they may be somewhat safe. But, in reality I think it'd be highly difficult to guard against every single security hole.

    You're right jcwren, real world evil is out there..
Re: Electronic Pricetag Alteration
by gopher (Monk) on Mar 07, 2001 at 08:05 UTC

    Programmers who write code that is faulty and know its faulty shouldn't be programming. they should strive to make a good program, and if they dont know enough about security to cover a large amount of bugs, they shouldnt be writing programs where security is needed. they should take enough pride in their code to do a good job, regardless of any impending deadlines. good code is good code, and thats what we need.

    "Mr. Zoothornrollo, hit that long lunar note, and let it float."

(redmist) Re: Electronic Pricetag Alteration
by redmist (Deacon) on Mar 07, 2001 at 08:52 UTC

    When I used to be a hoodlum, me and my "buddies" would need paint for our vandalism-related acts. We would go to Home Depot, and non-chalantly change the bar code stickers from, say, a brush, to a 5 gallon bucket of paint. We would also take advantage of special deals that were indicated by colored stickers or marks on products by bringing in a sharpie and making a mark on a given product. I guess it's a meme, not strictly a computer issue.

    redmist
    Silicon Cowboy
Re: Electronic Pricetag Alteration
by footpad (Monsignor) on Mar 07, 2001 at 09:08 UTC
    Why would these morons use information like that in the form?

    Put very simply, because they don't know any better. Take a quick look at what a simple query on google turns up or a slightly different one.

    Many of the highest hits are places that aren't well respected in these parts or involve people with similar local reputations. I'm not saying they're bad people (I'm sure they love their SO's/kids/cats/dogs/what-have-you), but that they've managed to gain a bit of celebrity by posting bad code.

    Look at the books on the subject. MW has a cookbook containing a shopping cart that doesn't taint. This isn't a problem with good books (like O'Reilly's, Damian Conway's, and so on), but how well received are those outside of the Unix/Hacker/Good Programmer mindset? This particular problem is endemic to the cut-rate publishers willing to teach you nothing in 24 hours, days, or whatever (save perhaps that few experiences cannot be learned from a book. Experiences like, "I just wasted my money on this crap?")

    I mean absolutely no offense to those who busted their tails writing the best books they knew how. Hell, I'm still trying to learn enough to understand the best ones (Wolf and Panther come to mind) myself. But, the simple fact of the matter is that the best ones require a bit more knowledge, tenacity and/or grit than the harried corporate peon can afford.

    This is a crying shame. Surely there's a good writer in the PM community that remember what it's like to learn a new paradigm? Certainly there's someone with the patience to figure out how to explain to the average VB user why it's a bad idea to store any real data in the form? Granted, the Rat book specifically discusses this, but it's the only book I've read to date that provides a very clear example of the process and the hack itself. (Well, okay, KM's recent title has touched on it briefly in the parts I've finished.)

    Surely, someone is willing to acknowledge that in spite of its technical weaknesses when compared to other operating systems, the majority of corporate programmers (interprete that term as loosely as you must) are running Windows desktops? (I'm not trying to ignite an OS war; I'm just looking at the market at large.) If you can co-opt these folks, you'll reinvigorate the industry.

    What I really find surprising is that we're so surprised that big name e-commerce sites get ripped by really stupid design decisions. Think about it, what is your opinion of the average corporate CGI "scriptor" or the average "enterprise" web development committee? How many times have you seen projects of this nature get dropped into the laps of the completely clueless and/or unqualified. (/me raises his hand.)

    It's either "Oh, get the graphics artists on Corporate Communications on it; they'll figure it out." _Or_ "Well, the project has been in the works for two years now and we need to get it finished. The original developer left; you know CGI, right?"

    I'm not trying to say these folks are stupid...I am trying to say that they use the tools at their disposal, mainly the search engines. Boom, they find a free script, see instructions on how to install it, it works and boom...they're ready to separate the online masses from their shekels. (</sarcasm>, just in case you weren't reading carefully.)

    We know better, of course. They've dropped shields, reduced impulse, continue to broadcast "please board us" across all subspace frequencies.

    Again, not because they're stupid, but because they don't know any better. "They'll learn," we say. Yes, sure. But at what cost?

    Furthermore, what if we could have prevented it?

    This, quite frankly, is why I continue to argue for patience and courtesy for initiates and newbies alike, for we cannot accurately predict the trolls from the truely innocent until we have more data points than a single post or two. Certain ones are obvious, of course, but I believe there's a risk we'll cross the line.

    If we, who know better, aren't willing to teach these folks how to protect their sites, jobs, and wallets from the depredations of real world evil, someone else will...at their expense.

    "It's just life," we say, wondering at in amazement at the cluelessness we see. To which I say again: "What if we could have prevented it?" What if it was your best buddy from school or your parent/guardian/favorite adult? What if it was your spouse/SO/closest friend in the world?

    I believe that knowledge brings responsibility. If you're going to help, then you must be willing to actively and patiently combat the anti-information that's in the channel.

    Here's a challenge for some wise CGI/Perl master: Write a series of basic, freely available scripts to rival and shame the top sites in those queries I mentioned. Do the job well enough to knock MSA out of the top spot on the search engines. Show how shamefully and poorly his "solutions" are written.

    As a bonus, here's a profit motive: GPL the source and sell support and customization. Do it right and I think you'll make far more than M$FT in their heyday.

    Perhaps I'll be able to do that myself...in a few years, when I feel I can actually call myself a Perl adept. In the mean time, there's a wide open market for those of you who already know what you're doing. Change only happens when real people take action.

    --f

(crazyinsomniac) Re: Electronic Pricetag Alteration
by crazyinsomniac (Prior) on Mar 07, 2001 at 12:37 UTC
    What the fukc hell!?!?
    What kind of retarded insane freak with the gall to call themself a programmer would do something so idiotic?
     

    Plese excuse that outburst but i'm going to get myself a $1.60 laptop.(What the fukc hell!?!?)

    Ok, ok ok, i'm sorry, i just can't beleive that degree of stupidity. Can the programmer be sued?

    I recently wrote that type of app(javascript 'n' html and such- Mickey Mouse stuff;-) for a class(no cgi backend, next class) and i had price embedded in the html and stuff, but it was only there so I wouldn't need to query the database for a pricecheck of a windowshopper.

    Before the customer actually made a purchase(clicked yes), i would validate all the prices from the database. The only item passed to the server would be the id or isbn or whatever you're selling(or however you're naming your products).

    instant update: Can the guy cheating the idiots be sued?(Alls hes doing is saying, "hey this cost $2")

     
    ___crazyinsomniac_______________________________________
    Disclaimer: Don't blame. It came from inside the void

    perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

      I have no doubt that the vendor's high priced lawyers (without whom the laptop would cost a lot less than $1600 but that's another rant) would argue that you are CHEATING (bad, bad you!). However, I wonder (not being a lawyer myself) whether editing the page and submitting it back would constitute a counter-offer (no, I won't pay $1600 for that fetid heap of prehistoric puke, how about $1.60?), which the vendor's server can either accept or reject. If it accepts the offer, what is wrong? Is the server not acting as a legal agent of the vendor? If not, what business does it have selling anything at any price?

      If you ask me, vendors (or anyone) who lose out because they were too cheap or stupid to do things right are simply getting what they asked for.

      --
      I'd like to be able to assign to an luser

Re: Electronic Pricetag Alteration
by toadi (Chaplain) on Mar 07, 2001 at 14:03 UTC
    Well my opinion in all this is simple:

    You have programmers who are totally on top of it. they look for the best way to do things. On design, security and programmation. Think most higher level monks on PM are like this.

    Then you've got the programmers who know just enough to get the job done. Got good and lesser good ones. But they aren't looking to strife for better app's they just want to get the job done.

    Then you got the nitwits who just got enough basic knowledge to do the simplest things.(got one here) Reason why they get to write these app's? Shortage on the market for good programmers.

    As long there's a shortage on the market you will see a lot of these nitwits...


    --My opinions may have changed,
    but not the fact that I am right

(Ovid) Re: Electronic Pricetag Alteration
by Ovid (Cardinal) on Mar 07, 2001 at 19:12 UTC
    From the Yahoo! story:
    Overall, fraud is estimated to occur in 11 percent of all online transactions, said Paul Fichtman, president and CEO of the Internet Fraud Council.
    That's a lot of fraud. It's sad that this still happens. I referred to this in Lesson 3 of my CGI course when I mentioned going to Altavista and typing in type=hidden name=price as the query parameter. Once you see how common it is, you'll be dismayed. It's been around for a long time. Sigh.

    Incidentally, for those who are wondering why I haven't updated the course in a while, I'm stuck in Amsterdam for a bit and not using Perl. I hope to be able to return to Perl (and the course) in about two months or so.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

Re: Electronic Pricetag Alteration
by Albannach (Prior) on Mar 07, 2001 at 20:00 UTC
    I am duty-bound to repeat my strong recommendation for the Risks Digest! I want everyone here to go to the archive, pick one issue at random (they're all equally relevant to today) and read it through. You will be wiser.

    In that digest I have been reading the work of some of the greatest security experts of the information age as they discuss and warn us on the the issues of quality in software and systems design for well over 10 years now (the first issue was in 1985). The older I get, the more it seems that absolutely friggin' everything that can go wrong was known beforehand and a workaround was available!

    Sure people are stupid and make mistakes, but it is the structure of the whole project (in the case of a systems design for instance) that allows such mistakes to slip though and get into production, after which point it is in everyones' best interest to proclaim that it couldn't have been forseen, lest they end up taking some responsibility. That's it responsibility, the single most threatening thing in the modern world, a force so overwhelming that it threatens to drive civilization right into the ground as everyone flees its grasp.

    Either mistakes like this price-changing loophole literally don't matter (which indicates something else very wrong with the way things work) or people had better start paying more attention before something really bad happens. Demand quality of your work and that of those around you!

    Geez, I'm starting to sound like crazyinsomniac, I'd better quit here.

    crazypedant!

    --
    I'd like to be able to assign to an luser

Re: Electronic Pricetag Alteration
by scottstef (Curate) on Mar 08, 2001 at 01:34 UTC
    I blame the programmers for this, but I also blame the sysadmins for this mistake. Before we let any of our developers put anything on our boxes, we have code walks to examine and try to break the script. I personally believe I have worked with some future Darwin Award winners in qa departments I have worked with, but they have made sure our code worked. (They also managed to break code in ways I still can't fathom) It appears to me that the sysadmins are at fault for letting that kind of code to sit on their servers.

    just my $.02

      QA isn't sysadmins. Sysadmins aren't QA. Sysadmins aren't all programmers. Sysadmins have other stuff to be doing. Back off on the blame parade.

      (Not to mention, we're probably talking Windows here for a significant portion of this stupidity, and Windows admins are even less likely to be programmers, in my small experience. Not to mention, we're probably also talking about groups which don't have the time/resources to do serious QA. Not to mention, even if the sysadmin can program (most likely perl), the programmers might not write in the same language (here, they do tcl).)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlmeditation [id://62623]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (14)
As of 2014-09-18 19:29 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (121 votes), past polls