  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 160

How to reverse-engineer a form? Warning -- contains moral dilemma!

Let's say hypothetically that there's an online competition on the web.

I would like to enter this hypothetical competition more than once. This seems to be entirely within the rules.

If I have the source code of the form which one fills in to enter the competition, can I in some way automate the process of entering the competition?

For instance, can I automatically write a number of text files and submit them, for instance as email, as if they were generated by the form?

Or can I write a perl script or a local HTML file which mimics the action of the online form and have it churn out entries?

You'll have to trust me on this, but I am interested in the mechanics alone. The (hypothetical) competition prize is actually randomly awarded, but the competition entry consists of a "vote" for a favourite item -- let's say it's a movie of the year.

To enter the competition 100 times would merely increase my statistical /chance/ of winning the prize, but to "vote" 100 times might substantially improve the (hypothetical) movie's rating.

I'm concerned that (hypothetically) unscrupulous companies might already be influencing the results unfairly. Of course they could do this just by employing a minimum-wager to sit in front of Netscape 8 hours a day "voting" -- but is it possible they did something more sophisticated? I'm very suspicious of last year's results...
0
Asked by: johnny99
1 Solution
 
icd Commented:
The Bad news.
Yes this is possible.

Any script on the Internet can be 'pointed to' by the action tag of any form. Thus the form which enters the data can be on some other web site. This could be set up with hidden 'fixed' fields with names the same as the original form. It would then be simple to set up a system that submits the form repeatedly.

The Good News.
It is possible for scripts to tell which form 'referred' to, or submitted the data. Any form not on the current web site can be excluded.

The Bad News.
Using a more sophisticated script running on a PC using the 'Socket' interface it is possible to make a request for any URL on the Internet. This includes form processing scripts. It would thus be possible to make a program that repeatedly submitted a form with the same data.

The Good News.
It should be possible to detect identical data sent in a short period of time with simple programming.

The Bad News.
The sending program can be more sophisticated and programmatically change the data in some small way.

The Good News.
The Voting software can detect the address of the client program sending in the form. It can use this address to prevent the same person voting more than once (This will also prevent your 'minimum-wager' working 8 hours a day from the same computer).

The Bad News.
The address of the Client can be affected by 'proxy servers' that make it look like many people have the same address. You will thus end up preventing some people from voting because someone else using the same proxy server has already voted.

Finally. The very bad news.
Although there are lots of things that can be done to prevent many people from affecting the results, a determined and knowledgeable 'hacker' can bypass them all.

0
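The server-side checks described in the answer above (referring form, repeats in a short period, per-address limits that tolerate shared proxies), as an added example that is not part of the original thread. The host name, time window, per-address cap and sample submissions are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

SITE_HOST = "vote.example"   # assumed host serving the legitimate form
WINDOW_SECONDS = 60          # assumed meaning of "a short period of time"
MAX_PER_ADDRESS = 3          # assumed cap above 1 so users behind one proxy are not all blocked

class VoteFilter:
    def __init__(self):
        self.last_seen = {}             # (address, normalised choice) -> time of last accepted vote
        self.totals = defaultdict(int)  # address -> accepted votes so far

    def check(self, ts, address, referer, choice):
        """Return 'accept' or the reason a submission is rejected."""
        # The Referer value is supplied by the client, so this is a filter, not proof of origin.
        if urlparse(referer or "").hostname != SITE_HOST:
            return "reject: foreign or missing referer"
        # Key on address plus normalised choice so small changes to the data do not evade the check.
        key = (address, choice.strip().lower())
        last = self.last_seen.get(key)
        if last is not None and ts - last < WINDOW_SECONDS:
            return "reject: repeat within window"
        if self.totals[address] >= MAX_PER_ADDRESS:
            return "reject: address cap reached"
        self.last_seen[key] = ts
        self.totals[address] += 1
        return "accept"

# Constructed sample submissions: (seconds, client address, Referer header, vote)
SAMPLE = [
    (0,   "203.0.113.5",  "http://vote.example/form.html",  "Movie A"),
    (5,   "203.0.113.5",  "http://vote.example/form.html",  "movie a "),
    (10,  "198.51.100.7", "http://other.example/copy.html", "Movie A"),
    (90,  "203.0.113.5",  "http://vote.example/form.html",  "Movie A"),
    (200, "203.0.113.5",  "http://vote.example/form.html",  "Movie B"),
    (400, "203.0.113.5",  "http://vote.example/form.html",  "Movie C"),
]

def run(sample):
    """Apply the filter to each submission in order and collect the verdicts."""
    vote_filter = VoteFilter()
    return [vote_filter.check(*row) for row in sample]

if __name__ == "__main__":
    for row, verdict in zip(SAMPLE, run(SAMPLE)):
        print(row, "->", verdict)
```
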
 
ozo Commented:
You may be able to make it more difficult for an automated script (as opposed to a human sitting in front of Netscape) by requiring responses to randomly presented images. It could still be possible to write programs to, say, identify scenes from a movie, but that may take more than 8 hours of above minimum wage work, so you should get some assurance that any ballot stuffing is likely being done by a human rather than a program.
0
 
johnny99 (Author) Commented:
Thanks for that! My moral dilemma is whether I want to call the "voting" process into disrepute: the company running the competition/voting page is totally innocent/ignorant of these implications but ... do you know how people felt when Marisa Tomei got an Oscar for "My Cousin Vinny" over Judy Davis in "Husbands and Wives"?

hmmm -- does Experts-exchange have a "moral dilemma" area?
0
