Tuesday 6 October 2020

Cheat MateQuiz

MateQuiz is a site that lets you create a quiz and challenge your friends' knowledge about you. Its advantage is that it does not require a Facebook connection before creating a new quiz or submitting an answer.

For educational purposes only.

This is a sample quiz link.

1. Analysing.

At first glance, this site seems legit to me. It allows the user to create 9 questions with at most 9 answers each. I thought this site was using front-end JavaScript to process the data and that the back-end would then grade the result, since I couldn't find anything related to the result inside the source code.

But after looking deeper into the site's source, I realised that they are calling a JavaScript function directly to do something related to the result (using the onmousedown event):

Hence, just type that function's name into the console and you get that function's definition! Right-click the definition inside the console and choose the Show function definition option. This is the result:

Now notice line 128: the logic loads correctAnswers from the cookie of the same name. Then lines 135-136 are the grading procedure, which simply checks whether the user's answer is the same as the correct answer stored inside the cookie. I suspected that the answer stored inside the cookie is a string, since they are using charAt() to locate it, so I did a small check and, bingo.

We got the correct answer string! (E.g. the first letter at position 1 being '3' means the answer to the 1st question is option no. 3 from the top.)

So in conclusion, this is how the page grades the result locally:

  1. When the page is loaded, the browser loads the answers and saves them to a local cookie value.
  2. The user chooses an option (notice that the buttons use the onmousedown event, which captures both left and right mouse clicks).
  3. The browser checks whether the answer is correct by comparing the option the user has chosen with the correct answer in the cookie.
  4. The result is saved back to a cookie named answers. This cookie will later be used as the user's final answers (i.e. what the user has chosen) and then be posted back to the server for archiving.
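
The weakness in these four steps is that both the answer key and the grading live in the browser. As an added example (not MateQuiz's code; the quiz object and the `publicView` and `grade` functions are hypothetical names), this is the same grading done on the server, where the key never reaches the client and nothing the client sends except its choices is trusted:

```javascript
// Constructed sample quiz as a server would store it. The key uses the
// string format the post found in the cookie: one digit per question,
// '3' meaning option no. 3 from the top.
const QUIZ = {
  id: "demo-quiz",
  questions: [
    { text: "Favourite colour?", options: ["Red", "Green", "Blue"] },
    { text: "Favourite pet?", options: ["Cat", "Dog"] },
    { text: "Favourite season?", options: ["Spring", "Summer", "Autumn", "Winter"] },
  ],
  correctAnswers: "312", // stays on the server, never sent to the browser
};

// What the browser receives: questions and options only, no answer key.
function publicView(quiz) {
  return {
    id: quiz.id,
    questions: quiz.questions.map(q => ({ text: q.text, options: [...q.options] })),
  };
}

// Grade on the server. Only `choices` is read from the request body; a
// client-supplied score or answer key is ignored.
function grade(quiz, body) {
  const choices = body && body.choices;
  if (typeof choices !== "string" || choices.length !== quiz.questions.length) {
    return { ok: false, error: "one choice per question required" };
  }
  let score = 0;
  for (let i = 0; i < choices.length; i++) {
    const pick = choices.charCodeAt(i) - 48; // '1' -> 1
    // Reject anything that is not a valid option number for this question.
    if (!(pick >= 1 && pick <= quiz.questions[i].options.length)) {
      return { ok: false, error: `invalid choice for question ${i + 1}` };
    }
    if (choices[i] === quiz.correctAnswers[i]) score++;
  }
  return { ok: true, score, total: choices.length };
}
```

Because the returned score is itself feedback, the server should also limit attempts per visitor, otherwise repeated submissions can recover the key one question at a time.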

That's how the magic works. Now let's create some magical cheating scenarios:

2. Modus operandi

At the time of writing, I've not dug deeper into how the browser posts the data records back to the server. So these scenarios are local (but of course, they affect the final result). I'll introduce 2 ways to cheat: by automatically clicking the answers and by changing the correct answers.

To run them, copy the code provided and paste it into the Developer Tools console.

a. Changing the cookies.

Knowing that results are saved to the cookies, we can change the cookies so that every answer is the first option. We'll use functions defined by the game: eraseCookie and createCookie:

  • Use the eraseCookie() function to delete the `correctAnswers` cookie.
  • Use the createCookie() function to create a new `correctAnswers` cookie, which is just a string of '1' (or any answers that you want it to be).

Code (JavaScript).

b. Don't change the cookies, click the result only.

This method is easier to use. We'll use the original answer cookie: the i-th question's answer is the character at position i + 1 of the result string. Knowing this (and of course, this came from the source code), you can answer correctly using the result (i.e. just like having the answers in a test: look at them and copy them to the answer sheet).

  • Use the readCookie() function to get the answers.
  • Loop over the answers and use MateQuiz's built-in function answerQuestion (mentioned above) to answer.

This seems easier than the previous method but, of course, requires more code.

Code (JavaScript).

3. PoC

Hwang S. Wan from Không Sợ Mèo created a PoC video to show how the cheat code works:

4. Final

Note that this is for educational purposes only.

Happy coding!
