Solved

How to reverse-engineer a form? Warning -- contains moral dilemma!

Posted on 1997-12-27
Last Modified: 2013-12-25
Let's say hypothetically that there's an online competition on the web.

I would like to enter this hypothetical competition more than once. This seems to be entirely within the rules.

If I have the source code of the form which one fills in to enter the competition, can I in some way automate the process of entering the competition?

For instance, can I automatically write a number of text files and submit them, for instance as email, as if they were generated by the form?

Or can I write a Perl script or a local HTML file which mimics the action of the online form and have it churn out entries?

You'll have to trust me on this, but I am interested in the mechanics alone. The (hypothetical) competition prize is actually randomly awarded, but the competition entry consists of a "vote" for a favourite item -- let's say it's a movie of the year.

To enter the competition 100 times would merely increase my statistical /chance/ of winning the prize, but to "vote" 100 times might substantially improve the (hypothetical) movie's rating.

I'm concerned that (hypothetically) unscrupulous companies might already be influencing the results unfairly. Of course they could do this just by employing a minimum-wager to sit in front of Netscape 8 hours a day "voting" -- but is it possible they did something more sophisticated? I'm very suspicious of last year's results...
0
Question by:johnny99
3 Comments
 
LVL 5

Accepted Solution

by:
icd earned 100 total points
ID: 1831745
The Bad news.
Yes this is possible.

Any script on the Internet can be 'pointed to' by the action tag of any form. Thus the form which enters the data can be on some other web site. This could be set up with hidden 'fixed' fields with names the same as the original form. It would then be simple to set up a system that submits the form repeatedly.

The Good News.
It is possible for scripts to tell which form 'referred' to, or submitted the data. Any form not on the current web site can be excluded.

The Bad News.
Using a more sophisticated script running on a PC using the 'Socket' interface it is possible to make a request for any URL on the Internet. This includes form processing scripts. It would thus be possible to make a program that repeatedly submitted a form with the same data.

The Good News.
It should be possible to detect identical data sent in a short period of time with simple programming.

The Bad News.
The sending program can be more sophisticated and programmatically change the data in some small way.

The Good News.
The Voting software can detect the address of the client program sending in the form. It can use this address to prevent the same person voting more than once (This will also prevent your 'minimum-wager' working 8 hours a day from the same computer).

The Bad News.
The address of the Client can be affected by 'proxy servers' that make it look like many people have the same address. You will thus end up preventing some people from voting because someone else using the same proxy server has already voted.

Finally. The very bad news.
Although there are lots of things that can be done to prevent many people from affecting the results, a determined and knowledgeable 'hacker' can bypass them all.

0
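The three server-side checks from the accepted answer (referring form, identical data in a short period, per-address limit) combined into one screening pass, as an added example that is not part of the original thread. The host name, thresholds, record layout and the choice to hold over-limit addresses for review (because of the proxy caveat) are assumptions; the sample submissions are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

SITE_HOST = "vote.example"   # assumption: host that serves the genuine form
DUP_WINDOW_S = 60            # assumption: what counts as a "short period"
PER_ADDR_LIMIT = 3           # assumption: entries per address before review

def screen_votes(submissions):
    """Return (verdict, reason) per submission, ordered by timestamp."""
    last_seen = {}               # (addr, normalised fields) -> last timestamp
    per_addr = defaultdict(int)  # addr -> entries that passed checks 1 and 2
    verdicts = []
    for sub in sorted(submissions, key=lambda s: s["ts"]):
        # 1. Referer: excludes forms hosted on another site. The header is
        #    client-supplied, so this filters copies of the form, nothing more.
        if urlsplit(sub["referer"] or "").hostname != SITE_HOST:
            verdicts.append(("reject", "form not on this site"))
            continue
        # 2. Identical data in a short period; case and spacing are folded so
        #    small variations of the same entry still compare equal.
        norm = tuple(sorted((k, " ".join(v.lower().split()))
                            for k, v in sub["fields"].items()))
        key = (sub["addr"], norm)
        prev, last_seen[key] = last_seen.get(key), sub["ts"]
        if prev is not None and sub["ts"] - prev <= DUP_WINDOW_S:
            verdicts.append(("reject", "identical data in window"))
            continue
        # 3. Per-address limit. A proxy puts many voters behind one address,
        #    so going over the limit holds the entry for review, not discard.
        per_addr[sub["addr"]] += 1
        over = per_addr[sub["addr"]] > PER_ADDR_LIMIT
        verdicts.append(("review", "address over limit") if over
                        else ("accept", "ok"))
    return verdicts

def _sub(ts, addr, movie, ref="http://vote.example/form.html"):
    return {"ts": ts, "addr": addr, "referer": ref, "fields": {"movie": movie}}

# Constructed sample submissions (documentation addresses, not real data).
SAMPLE = [
    _sub(0, "192.0.2.10", "Film A"),
    _sub(5, "192.0.2.10", "film  a "),                      # near-identical
    _sub(10, "192.0.2.20", "Film A", "http://other.example/copy.html"),
    _sub(20, "192.0.2.30", "Film B"), _sub(30, "192.0.2.30", "Film C"),
    _sub(40, "192.0.2.30", "Film D"), _sub(50, "192.0.2.30", "Film E"),
    _sub(200, "192.0.2.10", "Film A"),                      # outside window
]

print(*screen_votes(SAMPLE), sep="\n")
```

The fourth entry from 192.0.2.30 comes back as "review" rather than "reject", which is where the proxy-server caveat shows up in the output.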
 
LVL 84

Expert Comment

by:ozo
ID: 1831746
You may be able to make it more difficult for an automated script (as opposed to a human sitting in front of Netscape) by requiring responses to randomly presented images.
It could still be possible to write programs to, say, identify scenes from a movie, but that may take more than 8 hours of above minimum wage work, so you should get some assurance that any ballot stuffing is likely being done by a human rather than a program.
0
 
LVL 2

Author Comment

by:johnny99
ID: 1831747
Thanks for that! My moral dilemma is whether I want to call the "voting" process into disrepute: the company running the competition/voting page is totally innocent/ignorant of these implications but ... do you know how people felt when Marisa Tomei got an Oscar for "My Cousin Vinny" over Judy Davis in "Husbands and Wives"?

Hmmm -- does Experts Exchange have a "moral dilemma" area?
0
