Code Project, The Lounge
I may just have witnessed the biggest WTF in my career...

Posted in The Lounge
Tags: json, csharp, javascript, cloud, security
11 Posts, 8 Posters, 0 Views, 1 Watching
#1 Sander Rossel wrote:
I just got a call: "Can you help me set up this API?" "Sure, what do you need?" "I got an example application in VB.NET and now I want to mimic the call in Postman, it simply gets the customer by an ID." "Ok, sounds simple enough."

So I open up this VB code expecting to find some HttpClient with a GET and probably some authentication method. Now, I've seen some horrors (a 41,000+ tables database, or anything with Crystal Reports, anyone?), but nothing could've prepared me for what I was about to witness...

What I found was that this API is not running on HTTPS and instead this company requires their customers to implement their own encryption exactly the way they want it :wtf: :omg: :~ X|

Steps to connect:

1. We take our API key and create an MD5 hash.
2. Then we take the first 16 characters of our API secret and use it together with the hash in some SHA256 algorithm.
3. We need a JSON like `{ "id": "1234" }` (this is the ID of the customer we want to get) and then encrypt it using a Rijndael object and the SHA256 algorithm (I don't do this daily, can't tell you the specifics).
4. Take the resulting encrypted key and convert it to base64.
5. Then trim the ='s at the end and replace slashes and hyphens with underscores and some other character.
6. Now put our deformed base64 encrypted body in a form field named "data".
7. Include the key in the URL like so: `http://baseaddress.com/getCustomer/apikey=[key]`.
8. Do a POST.
9. Call an insecure HTTP endpoint.

On the plus side, they provided a 100+ page document with examples in .NET and PHP on how to call something that should've been a standard REST API (I even think they're calling it that). The company that created this abomination is named PRO[something]. I can tell you one thing, these people aren't pros (in fact, I'd go as far as to say these people aren't even developers (or at least not worthy of the title)) :wtf:

Best, Sander
Azure DevOps Succinctly (free eBook) | Azure Serverless Succinctly (free eBook) | Migrating Apps to the Cloud with Azure | arrgh.js - Bringing LINQ to JavaScript

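For contrast with the steps above, here is what the "standard REST API with HTTPS" that the thread keeps pointing at usually looks like on the authentication side. This is an added example written for this page, not code from the post, the vendor's documentation, or any library: the client sends the JSON body unencrypted over TLS and attaches an HMAC-SHA256 signature over the method, path, key id, timestamp and a hash of the body; the server looks up the secret for that key id, recomputes the signature, compares it in constant time and rejects requests whose timestamp is outside a window, so a captured request cannot simply be re-sent later. Every identifier in it (header names, the `/getCustomer` path, the credentials, the 300-second window) is constructed for the example. Note the division of labour: TLS supplies confidentiality, the MAC supplies integrity and proof of who sent the request, and the API key travels in a header rather than the URL so it does not end up in access and proxy logs.

```python
"""Added example, not from the post or the vendor's docs: an HMAC-signed API
request, the conventional replacement for a home-grown encrypt-the-body scheme.
Every identifier here (header names, paths, credentials, window) is constructed."""
import hashlib
import hmac
import json
import time

# Constructed credentials for the demo; a real client loads these from a secret store.
API_KEY = "demo-key-0001"
API_SECRET = b"demo-secret-do-not-reuse"
# Requests whose timestamp is further than this from server time are rejected,
# which bounds how long a captured request stays usable.
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method, path, api_key, timestamp, body):
    """Everything the signature must bind: verb, path, caller, time and body.
    The body goes in as a SHA-256 digest so the string has a fixed shape."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, api_key, str(timestamp), body_hash]).encode()


def sign_request(method, path, body, api_key=API_KEY, secret=API_SECRET, timestamp=None):
    """Client side: build the auth headers to send with the (unencrypted, over TLS) body."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, api_key, ts, body), hashlib.sha256)
    return {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(method, path, body, headers, lookup_secret, now=None):
    """Server side: returns (accepted, reason). lookup_secret maps key id -> secret or None."""
    now = int(time.time()) if now is None else now
    try:
        api_key = headers["X-Api-Key"]
        ts = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    secret = lookup_secret(api_key)
    if secret is None:
        return False, "unknown api key"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, path, api_key, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong signature can't be probed byte by byte.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Sign one 'get customer 1234' call and check it under three conditions."""
    key_store = {API_KEY: API_SECRET}           # what the server holds per customer
    body = json.dumps({"id": "1234"}).encode()  # sent as-is; TLS keeps it confidential
    issued_at = 1_700_000_000
    headers = sign_request("POST", "/getCustomer", body, timestamp=issued_at)
    return {
        "valid": verify_request("POST", "/getCustomer", body, headers, key_store.get, now=issued_at + 10),
        "tampered_body": verify_request("POST", "/getCustomer", b'{"id": "9999"}', headers, key_store.get, now=issued_at + 10),
        "replayed_later": verify_request("POST", "/getCustomer", body, headers, key_store.get, now=issued_at + 3600),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'} ({reason})")
```

The same outline (canonical request, timestamp, HMAC with a per-customer secret, constant-time check) is what mainstream cloud APIs use for request signing; the vendor's 100-page document could have been a page and a half.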
#2 g_p_l wrote:

Tell me you don't want us using your API without saying 'We don't want you to use our API'
#3 Jacquers wrote:

An attempt at security by obscurity?
#4 musefan wrote:

On the plus side, they can't hack into it if they already killed themselves :~
#5 obermd wrote:

Must be a bank.
#6 David Crow wrote:

Sander Rossel wrote:

I can tell you one thing, these people aren't pros

Are they getting paid?

"One man's wage rise is another man's price increase." - Harold Wilson

"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons

"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
#7 Dave Kreskowiak wrote:

Yeah, this is them thinking "obscurity and complexity" equals "security". The problem is they are dependent on their customers to "roll their own" implementation of the client-side code, then depending on the customer to keep that code and keys secured themselves. Absolute garbage.

Asking questions is a skill | CodeProject Forum Guidelines | Google: C# | How to debug code | Seriously, go read these articles.
Dave Kreskowiak
#8 Cp Coder wrote:

Quote:

"Sure, what do you need?"

This is the point where you lost me! :confused:

Get me coffee and no one gets hurt!
#9 Sander Rossel wrote:

Dave Kreskowiak wrote:

Yeah, this is them thinking "obscurity and complexity" equals "security".

I wonder if they thought about it at all X| If they really wanted security, why not do this and use HTTPS? It's not even that obscure because it's right there in their docs. These people may actually think this is good practice :~

Best, Sander
#10 Sander Rossel wrote:

I guess so, which makes them professionals, but I'd argue professional bunglers or even scammers, because no way in hell someone who is worth his salt would write this giant turd of an API X|

Best, Sander
#11 Sander Rossel wrote:

Maybe an attempt at security without having any knowledge whatsoever and Googling "[language of your choice] cryptography". I think if they really wanted it to be safe they'd use this and HTTPS, but the fact that it's running on HTTP tells me they have not a single clue... Everything is right there in their docs, so it's not really obscure. I'd bet these people actually believe they're following best practices X|

Best, Sander
