Wednesday, March 11, 2009

Colbert vs. Xenu

It's been a long time since I've posted (spring break is soon, so there should be a flood of posts), but I just wanted to add my two bits to a current hot topic: Colbert vs. Xenu.

It all began when NASA decided that it was going to open up voting to the public for choosing the name of Node 3 on the ISS. Many /b/tards and wanna-/b/tards caught hold of this, and XENU quickly rose tot he top of the list of Top 10 Suggestions.

On March 3, 2009, Stephen Colbert said this on his show:

Link (click it now)

Then, on March 4:

Link (click this one too)

Later that day, Anonymous responded:



And so the battle begins. Personally, I support Colbert, but only because I feel like I'd rather have someone win for a humorous purpose than for a humorous purpose at others' expense. (Remember, even though I hate the Co$, the people still inside the Co$ could easily be hurt by this.)

Regardless of what you support, there is an easier way to vote. Apparently NASA didn't think too hard about the voting system, as it seems to simply be a form which sends a string to a server.

I'm going to set this up for Colbert. If you're a die-hard fan of Xenu, you're probably tech-savvy enough to replace the name of a faux-conservative talk show host with that of an intergalactic overlord.

The key link is here:

http://comments-submit.nasa.gov/commenting1/Comment.do?location=http://polls.nasa.gov/voteform.html&siteID=245486071&username=guest&email=guest@dummy.com&comment=Colbert

After you type in your suggestion for Node 3's name on NASA's website, this box is what pops up, with a word verification CAPTCHA.

Unfortunately, someone made a rather large mistake when they put together the voting form, because it turns out that the CAPTCHA can be by-passed.

If you open up the vote verification page's source code, you see that the variables in the URL are actually part of a form document named "document.frmcomments". If you know some Javascript, you should find it rather easy to follow the source code and discover that the submission process of the form is only based on the passing of an "if" clause.


if (data==1) {
document.getElementById("imageResp").innerHTML="Word Verification Matched.";
alert ("Word Verification Matched. Comment Submitted");
document.frmcomments.submit();

}


The NASA programmer behind this voting program forgot to install a second verification that the user actually entered the CAPTCHA! Therefore, we can skip entering the CAPTCHA over and over again, and simply enter the following code into the address bar:

javascript:document.frmcomments.submit();

We can verify that it accepted this code two ways: one, it didn't bounce an error message (as it does when you simply click the SUBMIT button), and two, it brought us to the URL which it brings you to after you complete the word verification normally.

[Disclaimer: THIS INFORMATION IS FOR EDUCATIONAL PURPOSES ONLY. Please don't actively try to ruin or tamper with the poll.]

3 comments:

Rosemary Welch said...

Pretty cool. I almost said something to my peeps, but then I read what you were actually doing and why. It's not nice to cheat. It's also not good to be stupid. Who wrote that javascript? My goodness. Who the heck is running Washington (and by extention, NASA)? lol. Have a great day.

Rissa said...

Worst. Javascript. EVER. NASA don't deserve a fair contest if this is the best they can do ;-D

(Posting this comment, I just realised Blogger has a more secure system than NASA. I am now officially worried about our astronauts.)

scikidus said...

Wow, my first two comments. I know it's considered bad form to comment on your own posts, but since "bad form" could easily be the name of this blog...

Rosemary: I can't figure out if your post is a hint at what I should be doing or a punishment for I'm already doing. Either way, I get your point: see my latest post.

Rissa: I actually came across a programmer name or two while compiling this post, but I didn't want to invade privacy through obscurity like that. Still, I'm amazed that NASA doesn't use something like Re-CAPTCHA: their current CAPTCHA type has been broken for years.