Hacking Online voting system for fun and profit.

Source : Google

Greetings Everyone! (Especially to daddy’s little princess, CEO & Founder of Facebook and last but not least, to those literates who don’t go to school coz they got Google! :P)

So this was a test case which we’ve gone through a week back. The context of this writeup would be about how we voted for one of my friend in an inorganic way by looping a HTTP Request.

Also, this time I’d be starting from the basics so that it could be helpful for the beginners as well. So, bear up with me on this post alone! the agenda of this walkthrough would be covering the following,

1.Basics of HTTP (Ports, Protocols)
2.How does this voting application works.
3.Difference Between POST request vs GET Request
4.Intercepting HTTP Requests.
5.Iterating it with postman
6.Test cases
  1. HTTP (Hyper Text Transfer Protocol)

HTTP provides a standard for Web browsers and servers to communicate. HTTP is an application layer network protocol built on top of TCP which allows us to share files virtually between a browser and the web server and it communicates via HTTP message types such as GET, POST, and HEAD.

HTTP utilizes TCP port 80 by default, though other ports such as 8080 can alternatively be used.

Demystifying it.

http://www.example.com:80/index.php

Here,

HTTP — Protocol

www.example.com — Domain Name

80-Port

index.php-would be the file that we’d be calling via $_GET request.

2. Sample voting application.

We made a simple web application to choose the best team member by voting for them, so what it does basically is that it fetches data via AJAX and sends a POST request to a file called vote.php and then it fetches back and shows it in our UI.

If you look into this JS, you could find it how it works easily.

3. Differentiate between $_GET request vs $_POST request.

Schematic diagram. Source : Google.

4. Intercepting HTTP request.

We need to understand what kind of information that we’re sending to the web server from our browser to do that, we need to intercept the HTTP request for this we’d be using a tool called Burp Suite which you can download by clicking this and burp suite acts as a proxy.

also, you can use a Firefox extension called Tamper data

Our voting application request and response.

As you can see that its using POST request and it sends the data via ajax to its BODY, which is uid=6, the application works this way if you send “uid=6” to vote.php file via post request it will put vote to that person so what are we going to do exactly is that, we’re going to send this request again and again thus, it increases the vote inorganically. To create a loop, we could simply use a tool called postman which you can download from, https://www.getpostman.com/apps

5. Iterating with POSTMAN

Postman

from the burp request, you could see that its a post request and the payload goes over the body. Simply open postman, Mention method as POST, put POST URL link, set the payload in the body, click send. It’s that simple. also, with postman you can export this as a code in your favourite language such as python, perl also bash etc.. and that’s the beautiful thing about this postman or else you could simply write a bash script with cURL and iterate it easily too.

Click the runner button on the top left side and set the iterations for 15 times.

Runner tab

That’s all, it will do the iteration now automatically thus the vote got increased and our guy won the poll :P

6. Test cases

This was possible because there was no authorisation nor any security implementations were done in that web application. we’ve gone through a similar application a month back in which we were able to retrieve amount from an account without their interaction.

Video Demo!


I’m pretty sure I’d have done a lot of mistakes in this tutorial forgive me for that. *I made this whole tutorial with my phone*

keep this as an excuse! (^_^)

Do let me know what do you think about such security practices also if you’ve any request/feedbacks, do let me know in the comment section down below.

Thanks to Sagar Gulati for making the test application & Hruday Charan, Parshuram Reddy for helping me out initially! ❤️

Made in ❤️ with PrimeFort! 🙂