Solved

How to reverse-engineer a form? Warning -- contains moral dilemma!

Posted on 1997-12-27
Last Modified: 2013-12-25
Let's say hypothetically that there's an online competition on the web.

I would like to enter this hypothetical competition more than once. This seems to be entirely within the rules.

If I have the source code of the form which one fills in to enter the competition, can I in some way automate the process of entering the competition?

For instance, can I automatically write a number of text files and submit them, for instance as email, as if they were generated by the form?

Or can I write a perl script or a local HTML file which mimics the action of the online form and have it churn out entries?

You'll have to trust me on this, but I am interested in the mechanics alone. The (hypothetical) competition prize is actually randomly awarded, but the competition entry consists of a "vote" for a favourite item -- let's say it's a movie of the year.

To enter the competition 100 times would merely increase my statistical /chance/ of winning the prize, but to "vote" 100 times might substantially improve the (hypothetical) movie's rating.

I'm concerned that (hypothetically) unscrupulous companies might already be influencing the results unfairly. Of course they could do this just by employing a minimum-wager to sit in front of Netscape 8 hours a day "voting" -- but is it possible they did something more sophisticated? I'm very suspicious of last year's results...
Question by:johnny99
3 Comments
 
LVL 5

Accepted Solution

by:
icd earned 100 total points
ID: 1831745
The Bad news.
Yes this is possible.

Any script on the Internet can be 'pointed to' by the action tag of any form. Thus the form which enters the data can be on some other web site. This could be set up with hidden 'fixed' fields with names the same as the original form. It would then be simple to set up a system that submits the form repeatedly.

The Good News.
It is possible for scripts to tell which form 'referred' to, or submitted the data. Any form not on the current web site can be excluded.

The Bad News.
Using a more sophisticated script running on a PC using the 'Socket' interface it is possible to make a request for any URL on the Internet. This includes form processing scripts. It would thus be possible to make a program that repeatedly submitted a form with the same data.

The Good News.
It should be possible to detect identical data sent in a short period of time with simple programming.

The Bad News.
The sending program can be more sophisticated and programmatically change the data in some small way.

The Good News.
The Voting software can detect the address of the client program sending in the form. It can use this address to prevent the same person voting more than once (This will also prevent your 'minimum-wager' working 8 hours a day from the same computer).

The Bad News.
The address of the Client can be affected by 'proxy servers' that make it look like many people have the same address. You will thus end up preventing some people from voting because someone else using the same proxy server has already voted.

Finally. The very bad news.
Although there are lots of things that can be done to prevent many people from affecting the results, a determined and knowledgeable 'hacker' can bypass them all.

0
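The three "Good News" checks from the accepted answer, together with the limit it names for each, written as a server-side filter and run over constructed submissions. This is an added example, not code from the thread; the host name, time window, one-vote-per-address policy and field names are assumptions.

```python
from collections import defaultdict, deque
from urllib.parse import urlparse

SITE_HOST = "competition.example"  # assumed host serving the real form
DUP_WINDOW = 60                    # assumed "short period of time", in seconds
MAX_PER_ADDR = 1                   # assumed policy: one vote per client address

class VoteFilter:
    def __init__(self):
        self.recent = deque()             # (timestamp, normalised fields) of accepted votes
        self.per_addr = defaultdict(int)  # client address -> accepted votes

    def check(self, ts, addr, referer, fields):
        """Return 'accept' or the name of the check that rejected the entry."""
        # Referer is sent by the client, so this only excludes forms hosted elsewhere.
        if urlparse(referer or "").hostname != SITE_HOST:
            return "bad_referer"
        # Identical data inside the window; a small change to the data defeats it.
        while self.recent and ts - self.recent[0][0] > DUP_WINDOW:
            self.recent.popleft()
        key = tuple(sorted((k, v.strip().lower()) for k, v in fields.items()))
        if any(seen == key for _, seen in self.recent):
            return "duplicate"
        # Per-address limit; everyone behind one proxy shares a single address.
        if self.per_addr[addr] >= MAX_PER_ADDR:
            return "address_limit"
        self.recent.append((ts, key))
        self.per_addr[addr] += 1
        return "accept"

OK_REF = "http://competition.example/vote.html"
# Constructed sample submissions: (seconds, client address, Referer, form fields)
SAMPLE = [
    (0,  "192.0.2.10",   OK_REF, {"name": "Ann", "movie": "A"}),
    (5,  "198.51.100.7", "http://elsewhere.example/copy.html", {"name": "Bo", "movie": "B"}),
    (10, "198.51.100.7", OK_REF, {"name": "ann ", "movie": "A"}),  # same data again
    (15, "198.51.100.7", OK_REF, {"name": "Ann2", "movie": "A"}),  # small variation
    (20, "198.51.100.7", OK_REF, {"name": "Ann3", "movie": "A"}),
    (25, "203.0.113.1",  OK_REF, {"name": "Cy", "movie": "C"}),    # shared proxy
    (30, "203.0.113.1",  OK_REF, {"name": "Di", "movie": "D"}),    # other person, same proxy
]

def run(sample):
    """Feed the submissions through one filter and return the verdicts in order."""
    f = VoteFilter()
    return [f.check(*row) for row in sample]

if __name__ == "__main__":
    for row, verdict in zip(SAMPLE, run(SAMPLE)):
        print(row[0], row[1], verdict)
```

The last row is the false positive the answer warns about: a different voter is refused because the proxy address has already been used.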
 
LVL 84

Expert Comment

by:ozo
ID: 1831746
You may be able to make it more difficult for an automated script (as opposed to a human sitting in front of Netscape) by requiring responses to randomly presented images. It could still be possible to write programs to, say, identify scenes from a movie, but that may take more than 8 hours of above minimum wage work, so you should get some assurance that any ballot stuffing is likely being done by a human rather than a program.
0
 
LVL 2

Author Comment

by:johnny99
ID: 1831747
Thanks for that! My moral dilemma is whether I want to call the "voting" process into disrepute: the company running the competition/voting page is totally innocent/ignorant of these implications but ... do you know how people felt when Marisa Tomei got an Oscar for "My Cousin Vinny" over Judy Davis in "Husbands and Wives"?

hmmm -- does Experts-exchange have a "moral dilemma" area?
0
