All I wanted to do was book a Road Test



  • Long-time surfer, first-time poster.



    So a particular government which will not be named has made the process of booking road tests for licenses relatively difficult, especially after 5:00pm when there are no human operators to book through. The two alternatives that one has after this time are sitting through a 15-minute phone convo with an automated operator (which hangs up if speech recognition cannot interpret your words after 2 tries) or booking through a web 0.5 website that is barely functional.



    My experience on said website is as follows. Type in my license number, postal code, etc... and press continue. Choose a driving test center based on location. Then, and here comes the fun part, attempt to choose a date and time for the driving test by repeatedly pressing a button that says "choose next available date"... and it is important to note that the website drops your session after 3 presses... That's right, unless 1 of the 3 proposed dates is ideal for you (which are almost always 2-3 days from today), you don't get to book a road test.



    But suppose you don't mind booking your road test on such short notice; you will then be taken to a page where you will have to submit all pertinent credit card information. It's important to note that there is NO validation for the input field that asks you for the 3-digit security code on the back, though... Well okay then; regardless, I click continue and I am taken to a page that looks like this.

    clicky



    Despite the page telling me that it could take up to 60 seconds to process the transaction, for all I know it could have taken 1 day, because after 20 minutes nothing had changed. So now I'm stuck here staring at this screen wondering if the transaction actually processed and wondering if my credit card information is even safe on this sketchy website. I look near the URL and I notice https and think "well... that's a start in terms of security", but then I notice the latter portion of the URL, and hopefully you guys did as well. Now I know that I'm still in university, but you don't need to be a rocket scientist to know that exposing session IDs like that isn't a good way to go about things. As an added bonus, only about 5 characters of that ID change from session to session... -_-...





    Sometimes I wonder if my tax dollars are being put to good use.


  • Trolleybus Mechanic

     You should drive down there and give them a piece of your mind.



  • @Lorne Kates said:

     You should drive down there and give them a piece of your mind.

    And get arrested for driving without a license?



  • @captainpants said:

    but then I notice the latter portion of the url and hopefully you guys did as well.

    The preview is too small and ImageShack wants me to sign up to see it in higher resolution.



  • @captainpants said:

    So a particular government which will not be named
     

    https://www.rtbo.rus.mto.gov.on.ca/scripts/english/index.asp

    There’s really very little point in not just calling out the responsible party when it’s a public site.



  • @snover said:

    @captainpants said:

    So a particular government which will not be named
     

    https://www.rtbo.rus.mto.gov.on.ca/scripts/english/index.asp

    There’s really very little point in not just calling out the responsible party when it’s a public site.

    That is true. I thought that preserving the anonymity of corps/governments that are contained in posts was the norm. I wonder how you were able to figure out so easily that it was the MTO's website.



  • Google for "road test booking online" with the quotes; it's pretty much the first result.


  • Trolleybus Mechanic

     Ah, privatization (http://www.opseu.org/campaign/mtorisks.htm), what problems can't you make exponentially worse without any oversight?

    When I booked my driver's test with the MTO, the website was perfect. It was fast, let you search or browse calendars, did location-sensitive searches, the whole works. Of course, that was back in two thousand and fucking zero. Good to know this private company has taken the past twelve years to embrace new and exciting technologies like classic fucking ASP.



  • @snover said:

    https://www.rtbo.rus.mto.gov.on.ca/scripts/english/index.asp

    Are they actively contending for the site with the largest number of [sub-…]-subdomains on the internet?



  •  @Gurth said:

    @snover said:
    https://www.rtbo.rus.mto.gov.on.ca/scripts/english/index.asp
    Are they actively contending for the site with the largest number of [sub-…]-subdomains on the internet?

    It sadly looks like it. And I've been around for a while.



  • What fucking website is down for six hours a day, and ten hours on Sundays?!  WTF was online booking created for?!

    Rarely are things so stupid that they actually make me this angry, but this "web site" is doing a great fucking job of it...



  • @C-Octothorpe said:

    What fucking website is down for six hours a day, and ten hours on Sundays?!

    They're using a revolutionary new back-end database system. It's called "those admin assistants from Accounts."



  • @blakeyrat said:

    @C-Octothorpe said:
    What fucking website is down for six hours a day, and ten hours on Sundays?!
    They're using a revolutionary new back-end database system. It's called "those admin assistants from Accounts."
    I guess the guy with "URL Rewriting" on his resume works here and actually sits at the server manually rewriting URLs to the response stream.  Man, what a shitty job...

    Let's just hope they never find out about Excel or Access...



  • @C-Octothorpe said:

    What fucking website is down for six hours a day, and ten hours on Sundays?!  WTF was online booking created for?!

    Rarely are things so stupid that they actually make me this angry, but this "web site" is doing a great fucking job of it...

    A lot of Canadian federal and provincial government websites are like that. Stuff like "not available from midnight to 6:00 am". It's annoying.



  • @Steeldragon said:

     @Gurth said:

    @snover said:
    https://www.rtbo.rus.mto.gov.on.ca/scripts/english/index.asp
    Are they actively contending for the site with the largest number of [sub-…]-subdomains on the internet?

    It sadly looks like it. And I've been around for awhile.

    4, and only because they don't have a .gov domain? Meh, that's not too bad.

  • Discourse touched me in a no-no place

    @Nexzus said:

    @C-Octothorpe said:

    What fucking website is down for six hours a day, and ten hours on Sundays?!  WTF was online booking created for?!

    Rarely are things so stupid that they actually make me this angry, but this "web site" is doing a great fucking job of it...

    A lot of Canadian federal and provincial government websites are like that. Stuff like "not available from midnight to 6:00 am". It's annoying.

    This, sadly, isn't just restricted to Governmental departments: Clerical Medical (UK Pensions/Investments firm, now a tentacle of HBOS: Mon-Fri 0700-2330, Sat 0700-0000, Sun 0700-1700)


  • @Nexzus said:

    @C-Octothorpe said:

    What fucking website is down for six hours a day, and ten hours on Sundays?!  WTF was online booking created for?!

    Rarely are things so stupid that they actually make me this angry, but this "web site" is doing a great fucking job of it...

    A lot of Canadian federal and provincial government websites are like that. Stuff like "not available from midnight to 6:00 am". It's annoying.

    I'm sure this is a fail-proof way to avoid work...  Imagine the poor government workers having to actually do *work* when they stroll in at the crack of noon.



  • @captainpants said:

    I look near the url and I notice https and think "well... thats a start in terms of security" but then I notice the latter portion of the url and hopefully you guys did as well. Now I know that I'm still in university but you don't need to be a rocket scientist to know that exposing session IDs like that isn't a good way to go about things.

    TRWTF is that you entered your CC info before verifying it was HTTPS. As for exposing the session ID, I'm not sure what the big deal is. It's sub-optimal and I would never do it, but it's hardly terrible (or even unusual).



  • @morbiuswilters said:

    @captainpants said:
    I look near the url and I notice https and think "well... thats a start in terms of security" but then I notice the latter portion of the url and hopefully you guys did as well. Now I know that I'm still in university but you don't need to be a rocket scientist to know that exposing session IDs like that isn't a good way to go about things.
    TRWTF is that you entered your CC info before verifying it was HTTPS. As for exposing the session ID, I'm not sure what the big deal is. It's sub-optimal and I would never do it, but it's hardly a big deal.
    Vulnerable to shoulder surfing and maybe brute-force, but from the looks of it I would be more scared of the website itself than any attacker...  I also doubt that there is any functioning RDBMS behind that steaming pile of shit, so I'm sure his CC info disappeared into a dropped request.



  • @C-Octothorpe said:

    Vulnerable to shoulder surfing and maybe brute-force, but from the looks of it I would be more scared of the website itself than any attacker...  I also doubt that there is any functioning RDBMS behind that steaming pile of shit, so I'm sure his CC info disappeared into a dropped request.

    Yeah, because someone is going to shoulder-surf a 20 character string and then run to the nearest computer to use it before the session expires. If I'm going to that much trouble, I'm just going to brain the guy and steal his wallet.

    As for brute force: wha? How does being in the query string make it more susceptible to brute force?

    I would say the two biggest problems with query-string IDs are that you can't set the HTTP-only and secure-only flags like you can with cookies. Of course, most sites don't do that with cookies either, so throwing that shit in the query string doesn't really make things less secure for those sites.
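As an added example, not code from the thread or from the site under discussion: a small Python script that builds a session cookie carrying the HttpOnly, Secure and SameSite attributes the post refers to, audits an arbitrary Set-Cookie value for those attributes (the check a reviewer would actually run against a site), and extracts and scrubs a query-string session ID to show what a URL-carried ID can never be protected by. The cookie name `sid`, the parameter name `sessionid` and the URLs are assumptions made up for this example.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical names used in this example only.
COOKIE_NAME = "sid"
URL_PARAM = "sessionid"


def hardened_session_cookie(session_id, name=COOKIE_NAME):
    """Build a Set-Cookie header value for the session ID with the attributes a
    query-string ID can never have: HttpOnly (script cannot read it), Secure
    (never sent over plain HTTP) and SameSite (not attached to cross-site
    requests)."""
    jar = SimpleCookie()
    jar[name] = session_id
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def missing_cookie_flags(set_cookie_value):
    """Audit a Set-Cookie value and return the protective attributes it lacks.

    Attribute names are case-insensitive (RFC 6265); SameSite=None is treated
    as missing because it disables the protection."""
    attrs = {}
    for part in set_cookie_value.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value or True
    missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        missing.append("samesite")
    return missing


def session_in_url(url, param=URL_PARAM):
    """Return the session ID if it travels in the query string, else None.
    Everything that records the URL (browser history, proxy and server access
    logs, the Referer header on outbound links) records the ID with it."""
    for key, value in parse_qsl(urlsplit(url).query):
        if key == param:
            return value
    return None


def scrub_url(url, param=URL_PARAM):
    """Drop the session parameter before a URL is written to a log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != param]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    header = hardened_session_cookie("2012031417450098")
    print("Set-Cookie:", header)
    print("missing flags (hardened):", missing_cookie_flags(header))
    print("missing flags (bare):", missing_cookie_flags("sid=2012031417450098"))
    logged = "https://example.test/scripts/book.asp?sessionid=2012031417450098&step=3"
    print("ID leaked via URL:", session_in_url(logged))
    print("log-safe URL:", scrub_url(logged))
```

Note that `missing_cookie_flags` only tells you what the header claims; whether the site also accepts the same session ID from the query string (so that the cookie flags are moot) is a separate check.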



  • @morbiuswilters said:

    @C-Octothorpe said:
    Vulnerable to shoulder surfing and maybe brute-force, but from the looks of it I would be more scared of the website itself than any attacker...  I also doubt that there is any functioning RDBMS behind that steaming pile of shit, so I'm sure his CC info disappeared into a dropped request.
    Yeah, because someone is going to shoulder-surf a 20 character string and then run to the nearest computer to use it before the session expires. If I'm going to that much trouble, I'm just going to brain the guy and steal his wallet.
    This was actually just a segue to poke more fun at the site, because it really pisses me off... 

    @morbiuswilters said:

    As for brute force: wha? How does being in the query string make it more susceptible to brute force?
    It's not vulnerable just because it's in the url, it's vulnerable because he said only four of the characters actually change when a new session id is created, which is probably a date/time stamp with maybe some auto-increment number. This is trivial to brute force.

    Another problem with session ids in the url is that the url could be cached in the browser, but as you said, this is so low risk because of the time sensitivity and that the attacker needs physical access to the machine, it's barely worth even mentioning.



  • @C-Octothorpe said:

    It's not vulnerable just because it's in the url, it's vulnerable because he said only four of the characters actually change when a new session id is created, which is probably a date/time stamp with maybe some auto-increment number. This is trivial to brute force.

    Agreed, the session-generation is awful. It also seems to mostly use digits, which makes the entropy quite low, even if the generation itself was cryptographically-sound. However, I was only commenting on the session ID being in the URL.
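The two posts above pin down the real weakness: not that the ID is in the URL, but that only a few trailing digits of it change. As an added example (not from the thread or from the site being discussed), the Python script below takes a handful of observed IDs, finds which positions vary and from what character class, turns that into a keyspace size and a worst-case enumeration time at a given guess rate, enumerates the candidate space to show how small it is, and contrasts it with a token from the `secrets` module. The sample IDs are constructed to imitate the scheme the posters describe (fixed prefix, timestamp, counter); they are not real tokens from any site.

```python
import itertools
import math
import secrets
import string

# CONSTRUCTED sample: five consecutive IDs, as someone could collect them by
# starting a few sessions in a row.  Fixed prefix, date/time stamp, counter.
SAMPLE_IDS = [
    "RTBO2012031417450098",
    "RTBO2012031417450099",
    "RTBO2012031417460100",
    "RTBO2012031417460101",
    "RTBO2012031417470102",
]


def varying_positions(ids):
    """Return the indices at which the observed IDs are not all identical."""
    width = len(ids[0])
    if any(len(sid) != width for sid in ids):
        raise ValueError("all sample IDs must have the same length")
    return [pos for pos in range(width) if len({sid[pos] for sid in ids}) > 1]


def position_alphabets(ids):
    """Guess the character class each varying position is drawn from.

    The scheme gets the benefit of the doubt: if every observed character at a
    position is a digit, assume the full 0-9 range, otherwise alphanumerics.
    A timestamp or counter is far more predictable than that, so the real
    entropy can only be lower than this estimate."""
    alphabets = {}
    for pos in varying_positions(ids):
        seen = {sid[pos] for sid in ids}
        if seen <= set(string.digits):
            alphabets[pos] = string.digits
        else:
            alphabets[pos] = string.ascii_letters + string.digits
    return alphabets


def keyspace_size(ids):
    """Number of distinct IDs the scheme can produce under those alphabets."""
    size = 1
    for alphabet in position_alphabets(ids).values():
        size *= len(alphabet)
    return size


def keyspace_bits(ids):
    """Effective entropy of the scheme in bits (log2 of the keyspace)."""
    return math.log2(keyspace_size(ids))


def worst_case_seconds(ids, requests_per_second):
    """Time to try the whole keyspace at a given online guess rate."""
    return keyspace_size(ids) / requests_per_second


def candidate_ids(ids):
    """Enumerate every ID the scheme could produce: fixed characters come from
    the first sample, varying positions run over their alphabets."""
    template = list(ids[0])
    alphabets = position_alphabets(ids)
    positions = sorted(alphabets)
    for combo in itertools.product(*(alphabets[p] for p in positions)):
        for pos, ch in zip(positions, combo):
            template[pos] = ch
        yield "".join(template)


def strong_token():
    """What a session ID should look like: 32 bytes from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def strong_token_bits():
    return 32 * 8


if __name__ == "__main__":
    print("varying positions:", varying_positions(SAMPLE_IDS))
    print("keyspace: %d IDs (%.1f bits)" % (keyspace_size(SAMPLE_IDS),
                                           keyspace_bits(SAMPLE_IDS)))
    print("full enumeration at 50 req/s: %.0f s"
          % worst_case_seconds(SAMPLE_IDS, 50))
    print("candidates generated:", sum(1 for _ in candidate_ids(SAMPLE_IDS)))
    print("strong token: %s (%d bits)" % (strong_token(), strong_token_bits()))
```

The estimate assumes the attacker has seen one ID from the same day, so the date portion is known; without that the search widens by the number of plausible days, which still leaves it nowhere near the 256 bits a CSPRNG token gives. Expiry helps only if the target session is short-lived, which, as a later post in this thread points out, is an assumption rather than a fact.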



  • duh, didn't you know? you're supposed to view source on that last page.

    you'll see there's either a meta or js refresh that doesn't end up firing. just copy the destination url out of there and navigate to it. it'll be a "success/thank you page"



    works like a charm, done it twice in the past.

    i'm surprised that issue is still there since i last used it, weak sauce.



  • @captainpants said:

    I wonder how you were able to figure out so easily that it was the MTO's website.
    I did because I have your IP address.

    creeeeeeeeeeeeeeeeeeeepy.


  • Trolleybus Mechanic

    @belgariontheking said:

    I did because I have your IP address.
     

    You can't. I'm using an encrypted IP address.


  • ♿ (Parody)

    @Lorne Kates said:

    @belgariontheking said:
    I did because I have your IP address.

    You can't. I'm using an encrypted IP address.

    It's 140.13.13.14, isn't it?



  • @boomzilla said:

    @Lorne Kates said:
    @belgariontheking said:
    I did because I have your IP address.
    You can't. I'm using an encrypted IP address.

    It's 140.13.13.14, isn't it?

     

    That's not it.   ~winkuu~



  • @dhromed said:

    @boomzilla said:

    @Lorne Kates said:
    @belgariontheking said:
    I did because I have your IP address.

    You can't. I'm using an encrypted IP address.

    It's 140.13.13.14, isn't it?

     

    That's not it.   ~winkuu~

    Is it 140.13.13.15?



  • Maybe it's 1.3.3.7?

    Nope, looks like that belongs to some Chinese ISP or something...



  • @blakeyrat said:

    Is it 140.13.13.15?
     

    Since Lorne is Canadian, you're definitely going the wrong way.



  • Please tell me you people did actually get the joke in boomzilla's post.

    My sarcasm detector is currently broken due to lack of sleep, so I'm not trying to cast aspersions on anyone here. Just looking for some reassurance.



  • @Scarlet Manuka said:

    Please tell me you people did actually get the joke in boomzilla's post.

    My sarcasm detector is currently broken due to lack of sleep, so I'm not trying to cast aspersions on anyone here. Just looking for some reassurance.

    Pretend that we didn't and explain it to us..



  • @Scarlet Manuka said:

    Please tell me you people did actually get the joke in boomzilla's post.
    140.13.13.14 appears to be located in Columbus, Ohio.  Is that the joke?



  • @El_Heffe said:

    140.13.13.14 appears to be located in Columbus, Ohio.  Is that the joke?

    I know I said my sarcasm detector was currently broken, but it's not *completely* dead.


  • ♿ (Parody)

    @morbiuswilters said:

    @Scarlet Manuka said:
    Please tell me you people did actually get the joke in boomzilla's post.

    My sarcasm detector is currently broken due to lack of sleep, so I'm not trying to cast aspersions on anyone here. Just looking for some reassurance.

    Pretend that we didn't and explain it to us..

    Eh... localhost + ROT13.



  • @C-Octothorpe said:

    Another problem with session ids in the url is that the url could be cached in the browser, but as you said, this is so low risk because of the time sensitivity and that the attacker needs physical access to the machine, it's barely worth even mentioning.

    Your assumption that the sessions will just sensibly 'expire' in some way amuses me.



  • @boomzilla said:

    Eh... localhost + ROT13.

    Oh... right... yeah... I got that.  Totally.  I'm pretty sure everyone did.


  • @boomzilla said:

    @morbiuswilters said:
    @Scarlet Manuka said:
    Please tell me you people did actually get the joke in boomzilla's post.

    My sarcasm detector is currently broken due to lack of sleep, so I'm not trying to cast aspersions on anyone here. Just looking for some reassurance.

    Pretend that we didn't and explain it to us..

    Eh... localhost + ROT13.

    Not a bad joke but the setup didn't make the punchline clear enough.



  • @morbiuswilters said:

    @boomzilla said:
    @morbiuswilters said:
    @Scarlet Manuka said:
    Please tell me you people did actually get the joke in boomzilla's post.

    My sarcasm detector is currently broken due to lack of sleep, so I'm not trying to cast aspersions on anyone here. Just looking for some reassurance.

    Pretend that we didn't and explain it to us..

    Eh... localhost + ROT13.

    Not a bad joke but the setup didn't make the punchline clear enough.

    Yes it is a bad joke. You're supposed to use ROT5 for numbers.

