Sites that don't validate content
I received a tweet invite to play a speed typing game today.
The game is hosted at a site called Fast140. After a few attempts, the best I could do was about 105 words per minute, which is pretty amazing, since the text is simply repeating other individuals tweets. Some people have really poor spelling, and your first action is to correct their faults. My average was around 85-90 wpm.
The site even protected against cheating, I could not just cut and paste the text (without modifying the code).
Then I saw it...
All of my network traffic is captured for later analysis (malware research). A quick review of the packet data shows that the site simply updates the typing speed based on user input -- so by "replaying" one POST packet, with a slight modification; I was able to elevate myself to the fastest typist.
Then I went overboard and exceeded 222 WPM, so I now rank "0".
I did not modify any other data, other than to change the POST variable from 105 to 122, 222, 215 then to 9999. Not really a hack - more of a cheat, but have you ever wondered what else you can do by modifying data sent to a website?
Does your site protect against this? It should!
PS: I know I wasn't the first to figure this out -- and judging by some of the other top 10 typists, its probably not even a secret. Its nothing more than an example.
The game is hosted at a site called Fast140. After a few attempts, the best I could do was about 105 words per minute, which is pretty amazing, since the text is simply repeating other individuals tweets. Some people have really poor spelling, and your first action is to correct their faults. My average was around 85-90 wpm.
The site even protected against cheating, I could not just cut and paste the text (without modifying the code).
Then I saw it...
All of my network traffic is captured for later analysis (malware research). A quick review of the packet data shows that the site simply updates the typing speed based on user input -- so by "replaying" one POST packet, with a slight modification; I was able to elevate myself to the fastest typist.
POST http://fast140.com:80/play/check_high_score.cfm?wpm=222.3 HTTP/1.1
Then I went overboard and exceeded 222 WPM, so I now rank "0".
I did not modify any other data, other than to change the POST variable from 105 to 122, 222, 215 then to 9999. Not really a hack - more of a cheat, but have you ever wondered what else you can do by modifying data sent to a website?Does your site protect against this? It should!
PS: I know I wasn't the first to figure this out -- and judging by some of the other top 10 typists, its probably not even a secret. Its nothing more than an example.
posted by Nicholas at
02:55
0 Comments
