How I helped my brother win a trip; my first real world vulnerability
I have always practiced hacking and programming, but it was always either a deliberately vulnerable application somewhere or white-box pentesting. So let me tell you my little story.
The situation
Yesterday my mother came home and asked me if I could vote for my brother's class on a website to help them win a free trip. I said of course; I help my brother a lot with studying, etc...
When I opened the site, my brother's class had a pretty good 5200 votes. My thought was that my vote wouldn't even matter at this point, because the other classes had around 2000 votes. But as I scrolled down I saw a class with 9000 points. I instantly thought they had cheated, so I had to confirm whether that was the case. Turned out I was right! They were generating 15-20 votes a minute, periodically. So at this point I was pretty sure they were cheating somehow.
How did they cheat?
My mother also said that they seem to limit the number of votes per IP address, so that would mean one vote per IP.
She even said that he had voted at her workplace and at home too. I said that's fine, because we have a dynamic IP at home, so we could vote once a day! But as it turned out the voting was time-limited and was about to expire at midnight.
So back to the cheating: when I checked the site later, some classes had 18000 votes, so it was clear that we couldn't win without cheating too! I was doing homework when my mother said that dad had voted with 3 different browsers. I instantly thought: they're not blocking by IP address, they must be using cookies, because browsers don't share each other's cookies. So I advised trying to vote in Incognito Mode, because when it is closed it deletes the cookies stored during the browsing session. After 5 minutes my dad confirmed that Incognito Mode does bypass the voting restriction.
So I quickly finished the homework, started my PC, opened Chrome and went to the site.
Even from the homepage I could smell shitty developers: the site's homepage took over 10 seconds to load. Studies say users leave a site after waiting 3 seconds for it to load. Anyway, I'm getting off topic...
I opened the Dev-Tools (CTRL + SHIFT + I), scrolled to my brother's class, and took a look at the vote button.
It didn't have a direct onclick attribute, so I tried to find an event handler, but I only found onhover, active and such.
So I went to the Network tab in Dev-Tools, filtered for XHR, then voted for my brother's class. I found what I was looking for: an XHR request to a file named vote.php. Interesting, huh? So I took a look at it and found out that the vote restrictions only apply on the client side, not on the server side. This means the server can't validate a vote; it just increments the vote count of the database record with the given ID.
Things to watch out for, the exploit
So at this point I had an unconfirmed vulnerability, and I had to confirm it. I quickly wrote some C# code to send a POST request to vote.php. I made sure it looked like a legitimate request, which includes:
- Setting the X-Requested-With header to XMLHttpRequest
- Setting the User-Agent header to what Chrome uses
Because it's a POST request, I also had to set the Content-Type header to application/x-www-form-urlencoded and the Content-Length header to the size of the request body.
The data consisted of the following:
- An ID field (the ID of the class to vote for), e.g. id=2000
- A vote field (determines whether it is an upvote or a downvote), e.g. vote=yes is an upvote
So the request body looks like: id=2000&vote=yes. The app was ready, so I sent the first request, and guess what?
The vote count of my brother's class increased by 1. So all I had to do was run it several times.
My rate was 1 request per second, so as not to stress the server too much. Even this way, 1-2 of my requests per minute were dropped.
So for a test run I voted 1000 times over 16-17 minutes. It worked, so it was time to take the lead.
I calculated with my dad that we would send more requests than the class with 9000 votes, by 40. But what about the 2 classes with 18000 votes?
Being smarter than the other cheaters
So if you remember, the request looks like id=2000&vote=yes. But on this site you can also cancel your vote, and guess what? It's the same request, just with vote=no. This is guarded by the same authentication, the cookie one, so the bypass was already complete; I just needed to change the vote parameter to no and the ID parameter to the IDs of the 2 rival classes. Sure enough it worked, but their vote counts were only climbing down at a small rate, because they were voting for their classes too!
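As an added illustration (not code from the post or from the site), here is a toy Python model of the vote.php behaviour described above, next to a server-side design that would have stopped both the repeat votes and the vote=no trick: ballots are recorded per voter identity that the server itself knows (assumed here to be an account or server-issued session, not a cookie the client can simply delete), and the displayed count is derived from those ballots.

```python
"""Toy model of a vote endpoint like the post's vote.php (constructed for
illustration, not the site's code). The vulnerable store trusts the request
body; the hardened store keys every ballot on a server-side voter identity,
so duplicate votes and cancellations of votes never cast are rejected."""
from collections import defaultdict


class VulnerableVoteStore:
    """Mirrors the described behaviour: id=...&vote=yes/no just moves a counter."""

    def __init__(self):
        self.counts = defaultdict(int)

    def vote(self, class_id, vote):
        # No voter identity, no dedup: every request adjusts the counter,
        # and a "no" with no prior "yes" happily drives it down (even negative).
        self.counts[class_id] += 1 if vote == "yes" else -1
        return self.counts[class_id]


class HardenedVoteStore:
    """Server records WHO voted for WHAT; the counter is derived from ballots."""

    def __init__(self, max_votes_per_voter=1):
        self.ballots = defaultdict(set)   # voter_id -> {class_id, ...}
        self.max_votes = max_votes_per_voter

    def vote(self, voter_id, class_id, vote):
        # voter_id is assumed to come from a server-side session/account lookup.
        if not voter_id:
            return "rejected: unauthenticated"
        cast = self.ballots[voter_id]
        if vote == "yes":
            if class_id in cast:
                return "rejected: duplicate vote"
            if len(cast) >= self.max_votes:
                return "rejected: vote quota used"
            cast.add(class_id)
            return "accepted"
        if vote == "no":
            # A voter can only cancel a vote they actually cast.
            if class_id not in cast:
                return "rejected: nothing to cancel"
            cast.discard(class_id)
            return "accepted"
        return "rejected: bad vote value"

    def count(self, class_id):
        return sum(1 for cast in self.ballots.values() if class_id in cast)
```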
Sleep time? huh?
So I had to sleep, but according to the calculations all progress could have been lost if it wasn't running the entire night. I didn't want to keep my computer on overnight, so I needed another option. I quickly rewrote the bots in Python and deployed them on my VPS. I used nohup to keep them running after closing the SSH session, then I called it a day and went to sleep.
Final results
I woke up and checked the vote counts. Drum roll. My brother's class went from 5000 to 52000 over the night.
Also, the classes I downvote-botted went from 18000 down to 12000; keep in mind they were also upvote botting, which is why the decrease is small.
Summary, Take away, Final thoughts
First, I'm happy I can share a moment of my life, and I'm happy that I finally used my skills, which everybody ignores :((( to help my brother's class. I was worried that when I woke up I would feel bad for cheating, or that it's not right to cheat.
But this is why I chose to cheat: my brother's class easily had more votes than any other class, but the others cheated too!
And instead of feeling bad I feel good, because I punished the cheaters and I helped my brother too! My brother doesn't know that I did this; he's just happy that his class has a free trip now. I wanted to stay incognito, like the top hackers do, but I had to write this. I don't know why. Maybe lack of appreciation of my skills?
Anyway, thank you for reading this long, maybe a bit boring post full of subjective stuff, not the usual objective description of how things work. Please let me know if you like this kind of personal story, or whether I should just stick to objective stuff.
Have a nice day!
C# and Python both seem like overkill for this; a loop in a shell script and curl are all you need. Nevertheless, great story!
Hi!
Thank you for the positive response, it helps me a lot!
Yes, C# is overkill, but that's the language I'm the most familiar with, and I needed to get the job done quickly. As for Python, I'm just starting to learn a few programming languages which can be used on Linux too, and I have the most experience with Python from that area. I don't really know curl; I know it's a networking tool, but that's all I know about it. So I need to look up curl later.
Both Chrome and Firefox have a "Copy as curl" option for events in the network viewer, which you can use to re-run the request with curl from a CLI. A complex POST can be intimidating, but a complete working command is a good way to learn how it works.