Welcome to Laser Pointer Forums - discuss green laser pointers, blue laser pointers, and all types of lasers

Yellow Laserglow Laser - $1.00

Bionic-Badger said:
That is pretty ridiculous.  You would think Laserglow would hire some competent website programmers.  It really makes me question the security of the information provided to them.

Justin said that if the situation became severe enough, they would start sending invoices out to the customers. It's not just LaserGlow's checkout system though; there's an add-on for Firefox (don't remember the name) that can edit JavaScript values, which in turn can let you manipulate the cart and pricing (as seen in this thread). It's by no means a security breach: you're just editing some numbers on a page, you send those numbers to LaserGlow, and if the numbers don't add up then your order is denied and refunded.
 
This has nothing to do with the competency of our programming or the security of our site. Passing values in URLs is a standard way of submitting nonsecured information to websites. Look in your address bar right now, you will see something like ...YaBB.pl?action=post...etc. This is your browser submitting an unsecured variable so the page knows what to show you. When you enter a secured section of the site you will see that the address shows "https://" and the information is transmitted using a different method, NOT URL variables.

This link exists so that we can easily add an item to a customer's cart at a specified price. Exploiting this link is the same as switching price tags in a store, and if it becomes a problem we will deal with it by withholding the transaction fees (it costs us to take an order and again to refund it) when we cancel the charge.

I personally check every order and this will not work, so don't waste my time or yours.
 
While it does have nothing to do with the security of the site it seems as if the current system would be less efficient than it could be.

If the system used id numbers (with a table ID-Price) there could be no price manipulation and removing, adding, and changing products would be simpler.

Anyway I don't know why everyone got so serious. This thread seems to me to be a joke pointed at the pointlessness of the idea "Black Friday".
 
Justin, I'm just saying that when I see that something like this is allowed, it reflects poorly on the site that allows it. It's like going to a store and seeing that people are allowed to freely change the values of the price tags for their own amusement. Sure, the price can be "corrected" at the checkout, but why even allow it to get to that point? I can only imagine the headache of some clown posting a "great deal on lasers" to a deal-website at a believable discount, causing a great level of disappointment when the "deal" they thought they could receive was actually bogus, wasting everyone's time and hurting your credibility.

In terms of passing variable arguments to the script itself: the defining difference between a GET request (URL-encoded variables) and a POST request is that GET should only be used to request and retrieve data, not manipulate it, whereas the POST request is for sending user-defined data. Allowing URL-passed variables to directly manipulate what should be admin-controlled content of the website--in this case, product descriptions and prices--is a very poor practice. Such data should reside on the server itself and the user should only be able to request (GET) the information. This YaBB messageboard certainly follows that same practice: only allowing pages to be requested via URL-encoded variables, while any input to the script is done via a POST request.

Finally, if you have to check each and every order because your cart is flawed, that is another unnecessary layer of inefficiency for your company, which again reflects poorly upon you.
 
mrdunn13@yahoo.com said:
Can you fit more than 5 words into any of your posts?
And just so you know, because you probably didn't read this thread, you can't get this laser for $1.
 
Just because you automatically make a site use POST, does not make it secure.

Never trust input from the user, period.
 
GET method or POST method is irrelevant, it's just that using GET looks really incredibly sloppy and amateurish... The real point here is that the site should only be taking product IDs or SKUs and then generating the description and price from a database on the server, not provided by the customer's web browser... If someone were to place an order with multiple items and, say, only change one digit in one price, you could conceivably miss it... The way the site is coded is backwards and silly and shows that whoever wrote it didn't know a lot about what they were doing.

Again, it's not some huge security flaw, it's just a back asswards way to code a site these days. These things should be calculated by software on your end, not manually reviewed by humans. The guts of the site should never be visible to customers.
 
Good lord! I thought that all the little HAXOR KIDZ would be tired of burning their retinas by now, and would have left this site. I gather I was mistaken. What a shame. I BAN people that mouth off, or try stupid crap from my store. I don't need their business, nor their drama. Unlike some stores, or businesses, my storefront has remained a HOBBY for me, so I can afford that type of attitude.

Justin - good on you to check every order - posts/threads like this, whether made in jest or not really show the level of depravity that exists around the world - I could go on and on (not that anyone would answer in any way, other than a pitiful attempt at a slam) but won't - the bottom line to all that may be reading this thread is thus : Be honest in your dealings with business people, or accept the consequences of your actions, period.  People that modify code on websites to their advantage, are the same type of people that would cross the street rather than assist someone in need of their help.  Folks like that, are the same people that snag cash from collection plates in churches, or withdraw from the salvation army kettle outside of shopping centers at Christmas time - you sicken me.
Now - this last part is addressed to any and all that cannot comprehend this post - stop being stupid, and leave honest people alone with your dirty little tricks - it really won't help you out in the long run.  In short, GROW UP.

Oh, by the way - I'm back, and will enjoy the written jousting from the moronic masses, as before - thanks for the laugh at YOUR expense, idiocy amuses me greatly.

**Definition of HAXOR KIDZ: imbecilic little morons that attempt to be clever, generally with single-digit IQs

As a TINY little side note, this post is not directed at anyone in particular, nor is it meant as a "slam" to those that are posting actual solutions to the very real problem of thieves playing their little games. Enjoy the post, no further disclaimers from me will be posted on this forum. 8-)

/Greg
 
SenKat_Stonetek said:
Good lord! I thought that all the little HAXOR KIDZ would be tired of burning their retinas by now, and would have left this site. [...]

There are plenty of open source and readily available checkout systems. To have something as simple and easy to manipulate via the URL bar isn't leaving things open to "HAXOR KIDZ", but anyone who knows how to read their URL bar. If you have something that simple setup, then obviously you are going to at least go over the invoices of each order because you are bound to get a lot of modified orders.

By the way, if his checkout system is so sloppy, then how do we know our billing information is safe? I mean, wouldn't that be a valid point?

I think instead of coming on here, and putting up the middle finger to the nerds poking fun of a sloppy checkout system, you could offer actual suggestions on how he can secure his site (since you are a webmaster yourself). You don't see amazon/wickedlasers/DX/any modern storefront having issues like this, it's because instead of leaving exploits on the table and blaming the people who try to scam/game the system, they work to fix these exploits. And believe me, adding a more secure checkout system is not that big of an issue.

I don't think your "posts/threads like this --- show the level of depravity that exists around the world" post is relevant here. I think it's pretty clear that nobody here is trying to scam anybody.
 
Although I agree with your intent, I completely disagree with your delivery. Yes, it is good that orders are reviewed before shipping, and it does NOT reflect bad business practice to do so. However, as a PROFESSIONAL SECURITY ENGINEER, I cannot recommend that you attack the people abusing the site for the problem. The problem is with the site, and it should be fixed once the web owner becomes aware of the problem.

There are plenty of open-source and FREE store software packages (osCommerce, etc.) that have been security tested and patched (and continue to be).

Justin, what were to happen if I say order something for (-199.00) or whatever.  Your processing system *MIGHT* just credit my card for $199 before you even notice.  And then there is always the possibility that you miss the negative and ship the item anyway.  WHOOPS!

Calling people "HAXOR KIDS" when they are providing valuable data on the vulnerabilities of your site, is a mistake Stonetek -- I know there is often pride involved, but the notification should be handled with a "thanks for letting me know" rather than insults.  Next time they might do something a lot more destructive without any notice.

BTW: I am a hacker.  

****EDIT: Sorry simplysped2, I responded before I read your post.
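Added example, my own code and not Laserglow's or YaBB's (the SKUs, the prices and the MAX_QTY limit are made up for the demonstration). It serves two points raised in the thread: the earlier one that the browser should only hand over a SKU and the server should price it from its own table, and the one just above that a negative amount typed into the cart can reach the payment processor. It shows a cart handler that trusts a client-supplied price beside one that does not, and the order recomputation that replaces checking every invoice by eye.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed catalog standing in for the shop's product database.
# SKUs and prices are invented for this example.
CATALOG = {
    "LG-YEL-593": Decimal("899.00"),
    "LG-GRN-50": Decimal("129.00"),
}
MAX_QTY = 10  # assumed per-line quantity limit; tune for the real shop


@dataclass(frozen=True)
class Line:
    sku: str
    qty: int
    unit_price: Decimal


class CartError(ValueError):
    """Raised when a request cannot be turned into a valid cart line."""


def add_item_vulnerable(params: dict) -> Line:
    """The pattern the thread describes: the price arrives with the request.

    Whether `params` was parsed from a GET query string or a POST body makes
    no difference; either way the client chose the number, and nothing stops
    it being 1.00 or -199.00."""
    return Line(params["sku"], int(params.get("qty", 1)), Decimal(params["price"]))


def add_item_hardened(params: dict) -> Line:
    """Only a SKU and a quantity are accepted from the client.

    The price is looked up server-side, so a `price` key in the request is
    simply ignored, and the quantity is range-checked so a negative or zero
    quantity cannot turn the checkout into a refund."""
    sku = params.get("sku")
    if sku not in CATALOG:
        raise CartError(f"unknown sku {sku!r}")
    try:
        qty = int(params.get("qty", 1))
    except (TypeError, ValueError):
        raise CartError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise CartError(f"quantity {qty} outside 1..{MAX_QTY}")
    return Line(sku, qty, CATALOG[sku])


def accepts(params: dict) -> bool:
    """True if the hardened handler would accept this request as-is."""
    try:
        add_item_hardened(params)
        return True
    except CartError:
        return False


def cart_total(lines) -> Decimal:
    return sum((line.unit_price * line.qty for line in lines), Decimal("0"))


def audit_order(lines) -> list:
    """Software version of the manual order review: recompute each line from
    the catalog and return every mismatch as (sku, submitted, expected).
    A one-digit edit that a human might skim past is still a mismatch here."""
    problems = []
    for line in lines:
        expected = CATALOG.get(line.sku)
        if expected is None or line.unit_price != expected or not 1 <= line.qty <= MAX_QTY:
            problems.append((line.sku, line.unit_price, expected))
    return problems


if __name__ == "__main__":
    # Constructed request: a customer who edited the price in the address bar.
    tampered = {"sku": "LG-YEL-593", "price": "1.00", "qty": "1"}
    print("vulnerable:", add_item_vulnerable(tampered))
    print("hardened:  ", add_item_hardened(tampered))
    print("audit:     ", audit_order([add_item_vulnerable(tampered)]))
```

The handlers take an already-parsed parameter dict on purpose: switching the form from GET to POST changes nothing in either function, which is the point made earlier in the thread. The `audit_order` check is what a reviewer is doing by hand when reading every order; run it against each submitted order before the card is charged and a tampered line is rejected without anyone having to spot a changed digit.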

SenKat_Stonetek said:
Good lord! I thought that all the little HAXOR KIDZ would be tired of burning their retinas by now, and would have left this site. [...]
 
Great -- I'm so glad we have a hacker here. I presume it's not caused by cigarettes.
Another example of why society in general is in the dumps.

Mike
 