So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)

Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.

Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.

Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.

It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.

I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.

So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.

I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.

Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.

An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:

"please reenter card number to validate."

Bupkiss. Dead end.

OR SO YOU WOULD THINK.

One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:

"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"

One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:

With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.

So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.

Not a rant about anything in particular. Just a summary of some feelings stored in the hateful part of my heart.

Developing for Android: Add this third-party library to your Gradle build. Use (this) built-in Android class to make the thing work.

*Clicks link

Deprecated since API version SUCKMYDICK-7. Use (this) instead

*Clicks link

Deprecated since API version LICKMYBALLS-32. Use...

Developing for Windows: Please use (this) API call. It was literally already available before Bill Gates was born. Carbon dating has placed this item to older than the universe itself and it is likely the entry point for the big bang. It is also still the best way to accomplish (task).

Developing for Linux: "Hmm, I wonder how to use this"

> > > Some shitty mailing list in small blue monospace font tells you to reference a man page that is three versions behind but the only version available.

What? Those three sentences didn't explain it enough? Well, maybe you aren't cut out for this type of thing.

JavaScript: you know how it is.

SQL: You expect a decent-quality answer from stack overflow but you always get an outdated and hacky response and it's using syntax from Microsoft SQL. You need MySQL.

C#: A surprising number of Microsoft forum results ranking high on Google. You click on one in hopes that it will be of any sort of quality. You quickly close the tab and wonder why you ever even had hope.

Literally any REST API: Is it "query" or "q"? "UserID" or "user_id"? Oh, fuck, where's the docs again?

You thought you escaped JavaScript, but it was a trick!: Some bullshit library you downloaded to make your other library work redefined one of the global variables in the project you inherited. Now you get 347 "<x> is not a function" errors in your console. Good luck, asshole.

FontAwesome/ Material fonts/ Any icon font pack: You search "Close" for a close button icon. No results. You search "Simplified railroad crossing sign without the railroad". You get a close icon.

I think that's all of my pent up rage. Each of them were too small for an individual rant so I had to do this essay.

OMFG I don't even know where to start..
Probably should start with last week (as this is the first time I had to deal with this problem directly)..

Also please note that all packages, procedure/function names, tables etc have fictional names, so every similarity between this story and reality is just a coincidence!!

Here it goes..

Lat week we implemented a new feature for the customer on production, everything was working fine.. After a day or two, the customer notices the audit logs are not complete aka missing user_id or have the wrong user_id inserted.
Hm.. ok.. I check logs (disk + database).. WTF, parameters are being sent in as they should, meaning they are there, so no idea what is with the missing ids.

OK, logs look fine, but I notice user_id have some weird values (I already memorized most frequent users and their ids). So I go check what is happening in the code, as the procedures/functions are called ok.

Wow, boy was I surprised.. many many times..
In the code, we actually check for user in this apps db or in case of using SSO (which we were) in the main db schema..
The user gets returned & logged ok, but that is it. Used only for authentication. When sending stuff to the db to log, old user Id is used, meaning that ofc userid was missing or wrong.

Anyhow, I fix that crap, take care of some other audit logs, so that proper user id was sent in. Test locally, cool. Works. Update customer's test servers. Works. Cool..

I still notice something off.. even though I fixed the audit_dbtable_2, audit_dbtable_1 still doesn't show proper user ids.. This was last week. I left it as is, as I had more urgent tasks waiting for me..

Anyhow, now it came the time for this fuckup to be fixed. Ok, I think to myself I can do this with a bit more hacking, but it leaves the original database and all other apps as is, so they won't break.
I crate another pck for api alone copy the calls, add user_id as param and from that on, I call other standard functions like usual, just leave out the user_id I am now explicitly sending with every call.
Ok this might work.

I prepare package, add user_id param to the calls.. great, time to test this code and my knowledge..

I made changes for api to incude the current user id (+ log it in the disk logs + audit_dbtable_1), test it, and check db..
Disk logs fine, debugging fine (user_id has proper value) but audit_dbtable_1 still userid = 0.

WTF?! I go check the code, where I forgot to include user id.. noup, it's all there. OK, I go check the logging, maybe I fucked up some parameters on db level. Nope, user is there in the friggin description ON THE SAME FUCKING TABLE!!
Just not in the column user_id...

WTF..Ok, cig break to let me think..

I come back and check the original auditing procedure on the db.. It is usually used/called with null as the user id. OK, I have replaced those with actual user ids I sent in the procedures/functions. Recheck every call!! TWICE!! Great.. no fuckups. Let's test it again!
OFC nothing changes, value in the db is still 0. WTF?! HOW!?

So I open the auditing pck, to look the insides of that bloody procedure.. WHAT THE ACTUAL FUCK?!
Instead of logging the p_user_sth_sth that is sent to that procedure, it just inserts the variable declared in the main package..
WHAT THE ACTUAL FUCK?! Did the 'new guy' made changes to this because he couldn't figure out what is wrong?! Nope, not him. I asked the CEO if he knows anything.. Noup.. I checked all customers dbs (different customers).. ALL HAD THIS HARDOCED IN!!! FORM THE FREAKING YEAR 2016!!! O.o

Unfuckin believable.. How did this ever work?!

Looks like at the begining, someone tried to implement this, but gave up mid implementation.. Decided it is enough to log current user id into BLABLA variable on some pck..
Which might have been ok 10+ years ago, but not today, not when you use connection pooling.. FFS!!

So yeah, I found easter eggs from years ago.. Almost went crazy when trying to figure out where I fucked this up. It was such a plan, simple, straight-forward solution to auditing..

If only the original procedure was working as it should.. bloddy hell!!

When UserID is an int(3) in one table, and then text(10) in another. And then the monent you see that the Username field is stored in both tables ......🖕🖕🖕🖕

Who dafuq wrote this crap?!?!?!?

TLDR: Find a website that requires a subscription but doesn't check their cookies' integrity, now I'm on a website for free.

>be me
>wonder if it's possible to intercept browser data
>download Wireshark
>download Fiddler
>find that none of these really fit me
>go to youtube, search how to intercept POST data
>find something called BurpSuite
>Totally what I was looking for
>start testing BurpSuite on devrant
>neat!
>I can see all the data that's being passed around
>wonder if I can use it on a website where my subscription recently ended.
>try changing my details without actually inputting anything into the website's form
>send the data to the server
>refresh the page
>it worked
>NEAT!
>Huh what's this?
>A uid
>must be a userID
>increment it by 1 and change some more details
>refresh the page
>...
>didn't work 😐
>Hmmm, let's try forwarding the data to the browser after incrementing the uid
>OH SHIT
>can see the details of a different user
>except I see his details are the details I had entered previously
>begin incrementing and decrementing the uid
>IFINITE POWER
>realize that the uid is hooked up to my browsers local cookie
>can see every user's details just by changing my cookie's uid
>Wonder if it's possible to make the uid persistent without having to enter it in every time
>look up cookie manipulator
>plug-in exists
>go back to website
>examine current uid
>it's my uid
>change it to a different number
>refresh the webpage
>IT FUCKING WORKED
>MFW I realize this website doesn't check for cookie integrity
>MFW I wonder if there are other websites that are this fucking lazy!!!
>MFW they won't fix it because it would require extra work.
>MFuckingFW they tell me not to do it again in the future
>realize that since they aren't going to fix it I'll just put myself on another person's subscription.

So if you guys had a variable with an "ID" in it, would you write it like this:

"var userId;"

or like this:

"var userID;"

?
Just curious.

how my sr. dev determines which user is logged in:
$userId = $this->Cookie->read ('userId');

This evening for curiosity i executed a nmap over my android phone expecting (like everyday) all port closed.
But i see
9080/tcp open glrpc
Wtf??
Let me check something....
--adb shell
$cat /etc/net/tcp

And the first line provied me the UID of the app that was running on 9080 port (2378 in hex)
So let me check which app is that
$dumpsys package | grep -A1 "userId=*UID*"

And the answer is com.netflix.mediaclient

Wtf??
Why netflix is running a http server on 9080/tcp on and android phone??

So here I am investigating something our users are claiming. I look up which user the UserId did the change and I see not only the user but also the users password in clear text in a separate field. I thought that field was for a password hint that the user can set up, but I asked around and apparently, no... It's literally the plain text version of the password stored in the database, next to the hash of the password.
Apparently, the users were so impossible to deal with that we added that column and for users that constantly pester us about not knowing their password and not wanting to change it, we added a plaintext password field for them :D

any fucker who has written code for the indian ewaybill portal needs to be fucking assassinated. couldn't even get a simple aspx login page to work. motherfuckers.
They just display a message that if we are having troubles we should try clearing our cache.
Like for fucks sake build it properly. This is the main source of income for this fucking nation, probably.
- the password reset doesn't work.
- the userid reset doesn't work.
- sometimes i show up as not registered. i just fucking transacted yesterday you buffoons.
- there is an error alert, that says "error". i god fucking know there is an error. please fucking tell how may we please your ass to bypass those fucking errors 😭.

fuck every developer that works for that portal 😤. Good for nothings.

thanks for creating devrant, dfox and trogus. feels better now 😌.

Another case of "couldn't you've told me BEFORE I started working on this?"

I'm making a training in Unity3D for a client, and they want it to integrate with their learning management system (LMS).
I made a simple SCORM package that gets the userID and then uses a custom URL scheme to launch the app with the user data from the LMS.

Tested on multiple platforms, all works perfectly fine.

Than, during a meeting, some says they "can't download it". I ask "which browser are you using?" and he says "I'm using the LMS app."
... the LMS has an APP?

So I start figuring out ways to launch the system default browser from within a app's embedded browser, and nothing so far has worked.
target=_system, nope.
all kinds of weird javascript shenanigans, but the LMS APP browser just blocks everything.
Probably to protect students from malicious software that could be injected in courses, but now I'm stuck trying to find a workaround for this too.

But what sucks the most is that this happened DAYS BEFORE THE DEADLINE!
Well, at least the deadline won't be my problem anymore soon.

The more I surrond stuff in try{...} statements, and handle with geeky error messages that should actually never happen (e.g. "TransactionId 73545 not find for UserId 10. Look for Interaction 212345 at the logs."), the more I think our Customer Support area will someday need a Customer Support Support area.

Microservices

Lets take an example: Products service & orders service.

When I want to save an order for a user, data saved as
1. UserId, ProductId, Quantity, Date

Or
2. UserId, Name, Email, ProductId, ProductName, Quantity, Date

I'm a bit confused here because if I'm going to fetch that purchase, in example 1, it will return IDs requiring another trip to server to get user & product info

In example two it takes only one trip BUT if any changes is made to either user info or product info it means I'm returning wrong info to the user.

What do we do in this scenario? Excuse my questions first time applying Microservices and been using monolith all my life

Spring JPA might be annoying sometimes...

public MyResult findFirstByIdentities_CompanyIdAndIdentities_UserIdAndFromDateAndToDateAndFormatAndIdentities_SourceAndStatusInAndCreatedOnAfterOrderByCreatedOnDesc(String companyId, String userId, Date fromDate, Date toDate, String format, String source, Collection<String> status, Date createdOn) {...}

I know I know, efficiency is weeping in a dark corner. Will deal with it later

I'm looking into GraphQL and so far so good, but I am finding it hard to implement business rules, for example:

1. Receive request with auth token
2. Know who the user is by extractin userId from token
3. fetch data related to that user only.

I was only able to make it allow or deny if there is a token or not lol

Hello, can someone help me with this one ? I guess that the fucking SO elitist community would have beaten me to death if I asked this question.

I'm trying to create a relational table between a Tutorial object and a User object (to know which tutorial the user has access to) using Sequelize, and I figure out that I have two PRIMARY keys in my table. How is it possible ? UserID is also marked as Index.
The both keys are not Unique in themselves but their combinations are unique.

Growing list of asks to a team member that are unheeded:
1) Check in your code frequently
2) Stop the completion emails for your program
3) Stop using your personal UserID/Password to send said email
4) Create classes that do one thing
5) Reuse your database connections
6) Use DataTables and write to the database once and not a bunch of variables and write at the end of your crazy loop-if-else structures.

Question about cache (Redis or other distribuated cache).
So I would like to find a solution with “Partioning”. But without code it my self (ofc)
Ok, example :
In the application you have clients, each client has users, each user has role.
So right now it’s in the cache with the keu “User:<userId>” = role
Sometimes, when you change client settings, all entries should be removed.
So what I would love to have :
Client_Id/UsersRoles/UserId as a key
And I would love to be able tp delete “all keys after /” :
Basiclly delete client_id/ would delete everything in cache for this client
Delete client_id/UserRoles will clean up all saved roles.
I’m pretty new working with redis, but it doesn’t seem possible out of the box.
Any reading material I could read ?