How I helped my brother win a trip; my first real world vulnerability

in #life · 7 years ago

I had always practised hacking and programming, but it was either against a deliberately vulnerable application somewhere or it was white-box pentesting. So let me tell you my little story.

The situation

Yesterday my mother came home and asked me if I could vote for my brother's class on a website to help them win a free trip. I said of course; I help my brother a lot with studying anyway.
When I opened the site my brother's class had a pretty good 5200 votes. My first thought was that my vote didn't even matter at this point, because the other classes had around 2000 votes. But as I scrolled down I saw a class with 9000 votes. I instantly suspected they were cheating, so I had to confirm it. Turned out I was right: they were steadily gaining 15-20 votes a minute. So at this point I was pretty sure they were cheating somehow.

How did they cheat?

My mother also said that the site seemed to limit the number of votes per IP address, so that would mean one vote per IP.
She had even voted both at her workplace and at home. I said that was fine, because we have a dynamic IP at home, so we could vote once a day. But as it turned out the voting was time-limited and it closed at midnight.
So back to the cheating: when I checked the site later some classes had 18000 votes, so it was clear that we couldn't win without cheating too. I was doing homework when my mother said that dad had voted with three different browsers. I instantly thought: they're not limiting by IP address, they must be using cookies, because each browser keeps its own cookie jar and can't read another browser's cookies. So I suggested voting in Incognito mode, since cookies set during an incognito session are discarded when the window is closed. After 5 minutes my dad confirmed that Incognito mode does bypass the voting restriction.
So I quickly finished the homework, started my PC, opened Chrome and went to the site.
Even from the homepage I could smell sloppy development: the homepage took over 10 seconds to load. Studies say users leave a site after waiting 3 seconds for it to load. Anyway, I'm getting off topic...
I opened the DevTools (CTRL + SHIFT + I), scrolled to my brother's class and took a look at the vote button.
It didn't have a direct onclick attribute, so I looked for an event handler, but only found things like hover and active states.
So I went to the Network tab in DevTools, filtered to XHR, and then voted for my brother's class. I found what I was looking for: an XHR request to a file named vote.php. Interesting, huh? Looking at it, I realised the vote restrictions were enforced only on the client side and not on the server side. In other words, the server doesn't validate a vote at all; it just increments the vote count of the database record with the given ID.

Things to watch out for, the exploit

So at this point I had an unconfirmed vulnerability, and I had to confirm it. I quickly wrote some C# code to send a POST request to vote.php, making sure it looked like a legitimate request, which meant:

  • Setting the X-Requested-With header to XMLHttpRequest
  • Setting the User-Agent header to what Chrome uses

Because it was a POST request I also had to set the Content-Type header to application/x-www-form-urlencoded and the Content-Length header to the size of the request body.
The body consisted of the following:

  • An id field (the ID of the class to vote for), e.g. id=2000
  • A vote field (upvote or downvote), e.g. vote=yes is an upvote

So the request body looks like: id=2000&vote=yes. The app was ready, so I sent the first request, and guess what?
The vote count of my brother's class increased by 1. So all I had to do was run it several times.
I kept the rate at 1 request per second so as not to stress the server too much. Even so, 1-2 of my requests per minute were dropped.
For a test run I cast 1000 votes over 16-17 minutes. It worked, so it was time to take the lead.
I calculated with my dad that we would send more requests than the class with 9000 votes by 40. But what about the two classes with 18000 votes?

Being smarter than the other cheaters

So if you remember, the request looks like id=2000&vote=yes. But on this site you can also cancel your vote, and guess what? It's the same request with vote=no, guarded by the same client-side cookie check; nothing on the server verified that the vote being cancelled had actually been cast by that client. So the bypass was already complete: I just had to change the vote parameter to no and the id parameter to the IDs of the two rival classes. Sure enough it worked, but their vote counts were only dropping slowly, because they were still botting votes for their own classes.
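To make the vote.php behaviour from the last few sections concrete, here is an added example of mine (not the author's C# or Python bot, and not the site's code): a local stand-in for vote.php built on Python's http.server that behaves exactly as the post describes (the server trusts every request and just adds or subtracts one on the given record), beside a variant that keeps the per-voter state on the server, plus a client that sends the request as reconstructed above (X-Requested-With, a Chrome-style User-Agent, a form-encoded id=...&vote=yes|no body). The class IDs, the tallies, the User-Agent string and the one-vote-per-IP rule in the fixed variant are assumptions taken from the post's description, not real identifiers.

```python
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample tallies (class id -> votes), loosely the numbers from the post.
SAMPLE_TALLIES = {2000: 5200, 2001: 9000}
# Bypass any http_proxy in the environment so the loopback requests stay local.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_handler(tallies, enforce_server_side):
    """vote.php handler mutating `tallies`.  enforce_server_side=False is the
    behaviour the post describes (the server trusts every request and just
    adds or subtracts one); True is the fix: the server remembers who voted, so
    cookies, incognito windows and hand-built requests change nothing."""
    cast = {}  # voter -> class id they currently have a vote on (fix only)

    class VoteHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass  # keep the demo quiet

        def do_POST(self):
            if self.path != "/vote.php":
                self.send_error(404)
                return
            length = int(self.headers.get("Content-Length", "0"))
            form = urllib.parse.parse_qs(self.rfile.read(length).decode())
            raw_id, direction = form.get("id", [""])[0], form.get("vote", [""])[0]
            class_id = int(raw_id) if raw_id.isdigit() else None
            if class_id not in tallies or direction not in ("yes", "no"):
                self.send_error(400)
                return
            if enforce_server_side:
                # Keyed by client IP only because that is the rule the site claimed
                # (assumption); a real fix keys on an authenticated account/session.
                voter = self.client_address[0]
                if direction == "yes" and voter in cast:
                    self.send_error(409, "already voted")
                    return
                if direction == "no" and cast.get(voter) != class_id:
                    self.send_error(409, "no vote of yours to cancel")
                    return
                if direction == "yes":
                    cast[voter] = class_id
                else:
                    del cast[voter]
            tallies[class_id] += 1 if direction == "yes" else -1
            self.send_response(200)
            self.end_headers()
            self.wfile.write(str(tallies[class_id]).encode())

    return VoteHandler


def start_server(tallies, enforce_server_side):
    """Start a local vote.php on an ephemeral port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(tallies, enforce_server_side))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def vote(base_url, class_id, direction):
    """Send one request shaped like the browser's XHR; return the HTTP status."""
    body = urllib.parse.urlencode({"id": class_id, "vote": direction}).encode()
    req = urllib.request.Request(base_url + "/vote.php", data=body, method="POST")
    req.add_header("X-Requested-With", "XMLHttpRequest")
    req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:  # urllib adds Content-Length from the body itself
        with OPENER.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_bot(base_url, class_id, direction, count, delay=0.0):
    """Repeat one vote `count` times (the post paced it at 1/s); return accepted count."""
    accepted = 0
    for _ in range(count):
        accepted += int(vote(base_url, class_id, direction) == 200)
        time.sleep(delay)
    return accepted


def demo():
    """Run the same bot against both servers; return acceptance counts and final tallies."""
    trusting, hardened = dict(SAMPLE_TALLIES), dict(SAMPLE_TALLIES)
    s1, url1 = start_server(trusting, enforce_server_side=False)
    s2, url2 = start_server(hardened, enforce_server_side=True)
    try:
        result = {
            "trusting_up": run_bot(url1, 2000, "yes", 5),    # every request lands
            "trusting_down": run_bot(url1, 2001, "no", 5),   # so does every cancel
            "hardened_up": run_bot(url2, 2000, "yes", 5),    # only the first counts
            "hardened_down": run_bot(url2, 2001, "no", 5),   # not your vote to cancel
            "cancel_own": vote(url2, 2000, "no"),            # cancelling your own is fine
        }
    finally:
        for s in (s1, s2): s.shutdown(); s.server_close()
    return {**result, "trusting": trusting, "hardened": hardened}


if __name__ == "__main__":
    print(demo())
```

Running it, the trusting server accepts all five upvotes and all five cancels, while the fixed server accepts a single upvote per client and refuses to cancel a vote that client never cast. The cookie, the incognito trick and the hand-built request all stop mattering because the thing they defeated was never the real control; the only control that counts is state the server keeps itself, and in production that state should be tied to an authenticated identity rather than to an IP address.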

Sleep time? huh?

So I had to sleep, but according to our calculations all the progress could have been lost if the bot wasn't running the whole night. I didn't want to keep my computer on overnight, so I needed another option. I quickly rewrote the bots in Python and deployed them on my VPS, using nohup to keep them running after closing the SSH session. Then I called it a day and went to sleep.

Final results

I woke up and checked the vote counts. Drum roll. My brother's class went from 5000 to 52000 overnight.
The classes I downvote-botted went from 18000 down to 12000; keep in mind they were still upvote-botting, which is why the decrease was small.

Summary, Take away, Final thoughts

First, I'm happy I can share a moment of my life, and I'm happy that I finally used my skills, which everybody ignores :(((, to help my brother's class. I was worried that when I woke up I would feel bad for cheating, or that it wasn't right to cheat.
But this is why I chose to cheat: my brother's class easily had more votes than any other class, but the others cheated too!
And instead of feeling bad I feel good, because I punished the cheaters and helped my brother too! My brother doesn't know I did this; he's just happy that his class has a free trip now. I wanted to stay incognito, like the top hackers do, but I had to write this. I don't know why. Maybe a lack of appreciation of my skills?
Anyway, thank you for reading this long, maybe a bit boring post full of subjective stuff, not the usual objective description of how things work. Please let me know if you like this kind of personal story, or whether I should just stick to objective stuff.
Have a nice day!


Wow, amazing offer. I come baby

C# and Python both seem like overkill for this; a loop in a shell script and curl are all you need. Nevertheless, great story!

Hi!
Thank you for the positive response, it helps me a lot!
Yes, C# is overkill, but that's the language I'm most familiar with, and I needed to get the job done quickly. As for Python, I'm just starting to learn a few programming languages that can be used on Linux too, and I have the most experience with Python from that area.
I don't really know curl; I know it's a networking tool, but that's all I know about it. So I need to look up curl later.

Both Chrome and Firefox have a "Copy as cURL" option for events in the network viewer, which you can use to re-run the request with curl from a CLI. A complex POST can be intimidating, but a complete working command is a good way to learn how it works.