[RESOLVED] Is it possible to use a direct link to vote for an online poll?

[carloboy]

Hi guys,

I have a online poll that uses radio buttons which submits to an array after clicking Vote

However, i noticed that sometimes i get an overwhelming response...like a single entry has 97% of the votes with a large number like 15,000. But i only have about 100 users.

Is there a way people use to circumvent the regular radio button/submit? using a direct link instead?

This is the part to my voting code

<div class="form">
<form method="post" action="poll.php?id=1">
<div style="margin: 7px 0pt;">

<input name="poll" value="1" type="radio">
</div>
<div style="margin: 7px 0pt;">
<input name="poll" value="2" type="radio">

</div>
<div style="margin: 7px 0pt;">
<input name="poll value="3" type="radio">

</div>
<div style="margin: 7px 0pt;">
<input name="poll" value="4" type="radio">

</div>
<div style="margin: 7px 0pt;">
<input value="Vote" name="poll_vote" type="submit">
</div>
</form>
</div>

i appreciate any help

[MarkT]

what happens if you try using

poll.php?id=1&poll=2

of course you would need the full address

[SambaNeko]

If you're checking your input with $_POST["poll"], then no, using a direct link won't work because the data would be in $_GET.

I've used a local form to spoof data to an online receiving script (for benign testing purposes) once though. It's as simple as making an HTML file with <form action="http://example.com/poll.php" method="post"> You could prevent this by checking that the submission is coming from your own domain. I think that would go something like this:

Code:

$fromDomain = parse_url($_SERVER['HTTP_REFERER']);

if($fromDomain['host'] != "mydomain.com"){
  //didn't come from my domain, don't process
}

Or... you could just be having a problem with SPAM BOTS...

[carloboy]

what happens if you try using

poll.php?id=1&poll=2

of course you would need the full address

tested it out on a new poll, similar code, makes sense but dang didn't work.

[carloboy]

If you're checking your input with $_POST["poll"], then no, using a direct link won't work because the data would be in $_GET.

I've used a local form to spoof data to an online receiving script (for benign testing purposes) once though. It's as simple as making an HTML file with <form action="http://example.com/poll.php" method="post"> You could prevent this by checking that the submission is coming from your own domain. I think that would go something like this:

Code:

$fromDomain = parse_url($_SERVER['HTTP_REFERER']);

if($fromDomain['host'] != "mydomain.com"){
  //didn't come from my domain, don't process
}

Or... you could just be having a problem with SPAM BOTS...

yeah i was thinking i was getting spammed, it's wierd that it choses 1 specific answer.

alright i'll go ahead and try for a domain check on the script



if you find anything that circumvents the regular post please let me know!

I appreciate the help ^^

[SambaNeko]

yeah i was thinking i was getting spammed, it's wierd that it choses 1 specific answer.

Not really... I imagine it's simply always picking the first option - your average spam bot is simplistic: if given options like radio or select elements, it picks the first one and moves on.

If it is a bot though, checking the domain referrer may not be useful (since it'll probably turn out valid). The best results I've achieved for keeping bots off my forms is to have a content filter, but that's on forms with text field input... Not sure what a good approach would be for a form like yours...

[Nightwalker83]

@ carloboy

Have you double checked your php script to make sure that it's not responsible for the discrepancy with the results? If so then why not make it that users have to log-in to vote? I noticed you website aleady have the capcha verification to verify user posts from spam posts.

[carloboy]

Not really... I imagine it's simply always picking the first option - your average spam bot is simplistic: if given options like radio or select elements, it picks the first one and moves on.

If it is a bot though, checking the domain referrer may not be useful (since it'll probably turn out valid). The best results I've achieved for keeping bots off my forms is to have a content filter, but that's on forms with text field input... Not sure what a good approach would be for a form like yours...

you're right about the first option, i kept on thinking the 15K votes were on the 2nd. yup if they were spam bots, it would look legit against the domain check.

i may change it where it requires a login and 1 vote per acct

Thanks for the suggestion Nightwalker83

[MarkT]

Can't you just track IP and only allow 1 vote/IP and ditch the login? Personally, I wouldn't login just to do a survey.

[kfcSmitty]

It is also fairly simple to write a program to vote for you, bypassing the actual vote screen altogether...Depending on the security added, of course.

[carloboy]

It is also fairly simple to write a program to vote for you, bypassing the actual vote screen altogether...Depending on the security added, of course.

I've been racking my brain on how they are bypassing the vote screen. Now i'm just asking out of curiosity.

I was initially thinking a direct URL (with a URL refresher tool) but it wasn't doing anything.

I found that if i clicked the vote button fast and repeatedly, it would translate into multiple votes but i doubt they would do that 15K times.

[kfcSmitty]

I've been racking my brain on how they are bypassing the vote screen. Now i'm just asking out of curiosity.

I was initially thinking a direct URL (with a URL refresher tool) but it wasn't doing anything.

I found that if i clicked the vote button fast and repeatedly, it would translate into multiple votes but i doubt they would do that 15K times.

I just voted for the bottom choice 300 times in about 15 seconds using a program it took 30 seconds to write in C#.

You can also do the same thing using a macro for Firefox. It will vote, clear your cookies, and vote again.

[carloboy]

I just voted for the bottom choice 300 times in about 15 seconds using a program it took 30 seconds to write in C#.

You can also do the same thing using a macro for Firefox. It will vote, clear your cookies, and vote again.

Haha lol.

Alright, i don't know how to make a macro on FF but if it's C then i'll give it a try.

Peace and Love!

[carloboy]

I just voted for the bottom choice 300 times in about 15 seconds using a program it took 30 seconds to write in C#.

You can also do the same thing using a macro for Firefox. It will vote, clear your cookies, and vote again.

I guess this may be close to what you did? But i'm stuck at choosing/voting on a webpage
I'm hyped up at creating this but my C# knowledge is limited.

Code:

#include <stdio.h>
#include <windows.h>

main()
{
int count = 0;

	printf("App starting...")
	for (count = 0; count <=1000; count++)
		{
			select radio
			vote
			clear cookies //might not be needed since at the moment it allows unlimited voting
			printf("You have voted %d times", &count)
			sleep(1000); //windows only
		}
}

[MarkT]

Once agian if you capture the ip address you can check if a vote has already came from the ip address before adding the vote to the database.

[SambaNeko]

I just voted for the bottom choice 300 times in about 15 seconds using a program it took 30 seconds to write in C#.

Hmm, why isn't my VBScript program to spam carloboy's poll 300 times working? Maybe I'll go post in the relevant section...

Ah - neglected to send the submit button value. :3

[carloboy]

Once agian if you capture the ip address you can check if a vote has already came from the ip address before adding the vote to the database.

Sorry i haven't quoted you, but yes you are correct, other then the dynamic and proxy ips it'll prevent the majority of the spammers from doing multiple votes.

as to my original question, i guess i was wrong, i tried multiple times to cast a vote using a direct URL. now i find out it's possible to cast a vote using a short C program.

I just want to learn it now out of curiosity, but i'll prevent these types of voting on my next poll.

[carloboy]

Hmm, why isn't my VBScript program to spam carloboy's poll 300 times working? Maybe I'll go post in the relevant section...

Ah - neglected to send the submit button value. :3

Working now? Which one did you vote for?

[SambaNeko]

Working now? Which one did you vote for?

The third one; Bea Soriano.

[carloboy]

Cool i see it.

Ok i saw the buttonclick func for C# and added it to the newbie script i made inside the loop,and im sure there is one for vb, but how do you guys make it work for the specific webpage?

just open up the browser to that URL then run the script?


what's the secret? ^^,

[SambaNeko]

I can't help you with C#, but my VBS is just this:

Code:

dim objHTTP
Set objHTTP = Createobject("MSXML2.ServerXMLHTTP")
objHTTP.open "POST", "http://www.stylebible.ph/poll.php?id=7", False
objHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"

for i=0 to 300
  objHTTP.send "pollchoices=18&poll_vote=Vote"
next

Set objHTTP = Nothing
 
MsgBox "Done."

[carloboy]

I'm new-ish to vb, i only went as far as creating vbscripts that edit the registry, nothing online but i understand it. nice.

i tested it by pasting the code to a blank vbs file and executing but i got an error that say server address could not be resolved.

i'll play with it and see whats going on.

Thanks for your sample code, i'm learning more and more

[SambaNeko]

Actually, I tried to tidy up that code before posting it and moved some lines where they shouldn't be. The actual, working script should be:

Code:

dim objHTTP
Set objHTTP = Createobject("MSXML2.ServerXMLHTTP")

for i=0 to 300
  objHTTP.open "POST", "http://www.stylebible.ph/poll.php?id=7", False
  objHTTP.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
  objHTTP.send "pollchoices=18&poll_vote=Vote"
next

Set objHTTP = Nothing
 
MsgBox "Done."

But I don't think the previous version would cause the same type of error you're describing...

[carloboy]

Actually, I tried to tidy up that code before posting it and moved some lines where they shouldn't be. The actual, working script should be:


But I don't think the previous version would cause the same type of error you're describing...

Yeah i believe i found out what the problem was.

Our whole network at work is behind a proxy, so i'm thinking i'm getting that "host cannot be resolved" issue is because objHTTP.open is trying to access the url directly without passing through our proxy.

Reading your previous code, all the URLs were correct so i believe this should work if i try it at home.

[carloboy]

Actually, I tried to tidy up that code before posting it and moved some lines where they shouldn't be. The actual, working script should be:

But I don't think the previous version would cause the same type of error you're describing...

It's working great at home, you rock!

i'll leave it as it is now but i'll ask my admin to change the way it accepts votes.

I see that you're into anime, let me know if you need any ep, any series, im a editor/tlcheck for a few big fansub groups and we have a 20tb archive of anime/jdrama stuff. i'll hook you up, thanks for teaching me something new.