Search - "unnecessary jquery"
!Story
The day I became the 400 pound Chinese hacker 4chan.
I built this front-end solution for a client (but behind a back end login), and we get on the line with some fancy European team who will handle penetration testing for the client as we are nearing dev completion.
They seem... pretty confident in themselves, and pretty disrespectful to the LAMP environment, and make the client worry even though it's behind a login the project is still vulnerable. No idea why the client hired an uppity .NET house to test a LAMP app. I don't even bother asking these questions anymore...
And worse, they insist we allow them to scrape for vulnerabilities BEHIND the server side login. As though a user was already compromised.
So, I know I want to fuck with them. and I sit around and smoke some weed and just let this issue marinate around in my crazy ass brain for a bit. Trying to think of a way I can obfuscate all this localStorage and what it's doing... And then, inspiration strikes.
I know this library for compressing JSON. I only use it when localStorage space gets tight, and this project was only storing a few k to localStorage... so compression was unnecessary, but what the hell. Problem: it would be obvious from exposed source that it was being called.
After a little more thought, I decide to override the addslashes and stripslashes functions and to do the compression/decompression from within those overrides.
I then minify the whole thing and stash it in the minified jquery file.
So, what LOOKS from exposed client side code to be a simple addslashes ends up compressing the JSON before putting it in localStorage. And what LOOKS like a stripslashes decompresses.
Now, the compression does some bit math that frankly is over my head, but the practical result is if you output the data compressed, it looks like mandarin and random characters. As a result, everything that can be seen in dev tools looks like the image.
So we GIVE the penetration team login credentials... they log in and start trying to crack it.
I sit and wait. Grinning as fuck.
Not even an hour goes by and they call an emergency meeting. I can barely contain laughter.
We get my PM and me and then several guys from their team on the line. They share screen and show the dev tools.
"We think you may have been compromised by a Chinese hacker!"
I mute and then die my ass off. Holy shit this is maybe the best thing I've ever done.
My PM, who has seen me use the JSON compression technique before and knows exactly what's up, starts telling them about it so they don't freak out. And finally I unmute and manage a, "Guys... I'm standing right here." between gasped laughter.
If only it was more common to use video in these calls because I WISH I could have seen their faces.
Anyway, they calmed their attitude down, we told them how to decompress the localStorage, and then they still didn't find jack shit because I'm a fucking badass and even after we gave them keys to the login and gave them keys to my secret localStorage it only led to AWS Cognito protected async calls.
Anyway, that's the story of how I became a "Chinese hacker" and made a room full of penetration testers look like morons with a (reasonably) simple JS trick.
Hey, senior developers, is there a reason for this?
I just can't believe it.
The line that makes me wanna kill is the
$("#" + id).val(val);
Taken from a very professional site.
I fucking told them that yes, I can do frontend but I'm in no way an expert, so don't expect much.
"Yeah, cool, use angular"
I was full of questions and tried to reason with them that angular is literally just an unnecessary load and would slow the development down (its a really simple site).
"No, use angular"
Ok fine whatever. So I built the site, it was ugly as fuck, half the functionality was hacked in with jQuery because I have no idea how these fucked up frameworks work (or apparently don't work) when I realized that I get jackshit from the backend.
Turns out most of the JSON responses were totally disregarding the JSON standard, like {1: tag0},{2: tag1}, where a JSON array should have been used. The other half was XML. Yeah. Also of course they used Spring so the backend took like 3 months where it could have been done in like 2 weeks.
One poor pepega like me will spend days optimizing a web app, reducing the bundle size, reusing components as much as possible to save space, carefully choosing the right libraries for the right jobs and doing some careful tailoring to bring them in line with your needs, choosing the right webpack plugins to compile everything exactly like you want and keeping track of every dependency to make sure nothing unwanted makes its way to the final product, caching results to avoid any unnecessary call to the server, then some random team leader randomly forces you to drop in jQuery-era plugins just because they look nice and won't listen to a word you're saying.
I KNOW WHAT THE FUCK IS A SWEET ALERT; I DIDN'T USE IT FOR A FUCKING REASON.
So I'm visiting the JavaScript bubble every now and then when I'm writing on the userscript I develop to fix bugs in our ticketing system or fix some client's website they neglected. Every time I'm searching for answers to the weird problems that inevitably turn up I have to filter out all the threads that derail with the classic 'google jQuery basic arithmetic plugin' craziness to find an actual vanilla solution to my problem.
All the time I wonder why on earth people put up with this framework hell. This is part serious question and part rant but seriously, how did we come to this? With all that jQuery, React, Node, whatever stuff I'm kinda losing the overview over what's even today's standard. I always try to keep my code as vanilla as possible without using external libraries. But it seems the entire web development industry is heading the completely other way. I tried to look into a few frameworks but I never really see the appeal. Just now I looked up React Native because the last 20 rants talked about it and immediately noped out because they fucking create a DOM in JS, why the fuck would you do this?!
Worst thing about this framework shithole is that some frameworks are being pulled into the mix for very weird and unnecessary reasons. Best example is a charts library I recently used to visualize a database of temperatures that was completely written in native JS but pulled jQuery in for the equivalent of window.addEventListener('load',function(stuff)) and I was furious. I rewrote the code and could throw out the jQuery dependency with no problem. What the fuck is wrong with people?
Alright since you made it here: I'm not trying to throw any of you under the bus for using frameworks. I just fail to understand why you would use these. To each their own and unless your site has the performance of the ticketing system I use at work that takes like 15 seconds to load one fucking page I won't complain at all. But pull in a framework just to do a task you can easily do in native JS in remotely the same timeframe and you are on my list.
Do you want to know why all the popular open source projects have less-than-optimal, sometimes really dirty code?
It's because their developers ditched all the unnecessary stuff to just get the damn thing done. When I choose an open source dependency, I don't need unfinished stuff. I need a stuff that works and has all the features I need from the very start. If it works, I don't care about code quality in my deps.
This is the reason why dirty, rushed stuff with a great idea behind it gains popularity. PHP, Git, jQuery, the list is quite large.
While you've been busy polishing your files hierarchy, these guys already shipped their product, gained adoption, and their userbase doesn't need your product anymore.
This is applicable only for true open source, not "it's developed by a full-time team of principal developers and the CTO is fucking Kent Beck, it costs $1m per month but yea we have it on github".