The story about how I got hooked with Javascript code injection

Posted by: jorgedbucaran on: January 31, 2008

Open your favourite Internet browser. I prefer Firefox, but I hold nothing against IE whatsoever; there is a reason it holds the vast majority of the market. Click the address bar, or just press Alt+D, and type in the following. (Current browsers block or strip javascript: URLs entered in the address bar, so today you would run these from the developer console or as a bookmarklet instead.)

javascript: alert("hello, world!");

and later

javascript: alert("this is javascript injection"); alert("use with caution");

I am not a hacker, but I do share their joy in researching and learning. Recently, however, I had to go savage and do a little hack in order to bypass a really weak free online poll system with a very moronic security attitude. The moment I was told to go there I cast the first, legitimate vote and checked the cookies (in Firefox: Tools->Options->Privacy->Show Cookies). I immediately realized the site used a cookie to decide who had already voted, because the cookie key/value pair had the very suggestive name DoVoted = OK. In other words, the only thing preventing multiple votes was a cookie, set to expire after an hour or so. So lame. A slightly more robust system would have keyed on the client's IP address to stop repeated votes, at least from the same computer (that is also easy to get around with a proxy, and it blocks everyone behind the same NAT, but it is a higher bar than a cookie). To prove my theory I erased my private data, including cookies, and voted again. It worked! I had fooled the system, only to realize an hour later that other people had found this out too. They must have had a trained group of fools erasing cookies and voting, because their counter climbed really fast and passed 1,000 in no time. To simplify things and learn a little from this boring experience I researched Javascript code injection and came up with a much more hacker-worthy approach.

Basically, I went to the page and voted. The vote was an HTML form that used the POST method to send my choice to a PHP script that handled the database I/O. If I clicked the refresh button, the same POST data would be sent again, and of course the purpose of the cookie was to stop that from adding another vote. So erasing the cookie and refreshing was my algorithm. I had the plan; now I needed the code.

Nevertheless, there was a catch to all this. Whether you use IE or Firefox (I assume other browsers as well), whenever you refresh a page that was produced by a POST, the infamous resend-POST-data dialog presents itself to protect you in case you were sending delicate information, like credit card or e-commerce transaction data. Don't get fooled by that link explaining how to get rid of it; it is not within the context of the problem. Anyway, no matter how hard I tried I couldn't find any information on how to remove it, except for a very fresh guy explaining that the only possible solution (it's true, I'm almost convinced it is impossible) was to modify the Firefox source code directly (which is easily obtainable) and recompile (which is easily your worst nightmare). I must say I didn't stop there. I kept trying and thought a solution would be an external application, a C++ Windows API console program that would sit there systematically checking for this dialog with FindWindow() and, on success, post a WM_QUIT to its message queue. But I just didn't have more time.

Anyway, having my two-step way to success in place, I knew I'd still have to click the OK button on the crappy resend-POST-data dialog, but that was better than nothing. The code turned out to be extremely easy. I did have to tweak the cookie-erasing part a lot, but it was fine. This was the code:

javascript: document.cookie="DoVoted_252032=; expires=Mon, 01 Jan 1900 12:00:00 UTC; path=/"; location.reload();

Yes, all in one line. The last part reloads the document. The first part erases the cookie. To erase a cookie you simply set its expiration date to the past; the DoVoted_252032=; bit sets the value to nothing, which is meaningless in itself (but looked professional) because what matters is the expiration date. Two things must match the original cookie for the browser to treat this as the same cookie: the name, which I picked up earlier in the Firefox cookie viewer, and the path (and the domain, if the cookie was set with one). With a different path you just create a second, already-expired cookie and the original stays put. Also note the cryptic format of the string: the name=value pair comes first and each attribute after it is separated by a semicolon, with the date in the RFC-style form shown. You can do only a little about that, but it is for another time. And finally, note that to set or erase a cookie you assign a string to the document.cookie property; reading it back gives you only the names and values of the cookies visible to the page, never their attributes.
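The cookie mechanics behind that one-liner, as an added example that is not part of the original post: parsing what document.cookie returns, building the erase string with a past expiry date, and checking that the cookie is really gone. The makeDocumentStub helper is an assumed, simplified stand-in for the browser's document so the code runs under Node; in a browser you would pass the real document and drop the stub. The cookie names and values in demo() are constructed for the walkthrough.

```javascript
// Added example, not code from the original post. Cookie parsing/erasing as
// used by the bookmarklet in the text; `makeDocumentStub` is an assumed
// stand-in for the browser's `document` so this runs under Node.

// Split the "name=value; name2=value2" form that document.cookie returns
// into an object. Attributes (path, expires, ...) never appear when reading.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    const name = eq === -1 ? item : item.slice(0, eq);
    jar[name] = eq === -1 ? '' : item.slice(eq + 1);
  }
  return jar;
}

// Build the assignment string that erases a cookie: the value is irrelevant,
// the past expiry date is what matters, and path/domain must match the
// original cookie or the browser treats it as a different cookie.
function expireCookieString(name, { path = '/', domain } = {}) {
  let s = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  if (domain) s += `; domain=${domain}`;
  return s;
}

// Erase the cookie on `doc` and report whether it is actually gone.
function deleteCookie(doc, name, opts) {
  doc.cookie = expireCookieString(name, opts);
  return !(name in parseCookies(doc.cookie));
}

// Assumed stand-in for document.cookie: cookies are keyed by name and path,
// assignment adds or overwrites one cookie, and an expiry in the past removes
// only the cookie with that exact name and path (as browsers do).
function makeDocumentStub() {
  const store = new Map(); // "name|path" -> value
  return {
    get cookie() {
      return [...store].map(([key, value]) => `${key.split('|')[0]}=${value}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      let path = '/';
      let expires = null;
      for (const attr of attrs) {
        const i = attr.indexOf('=');
        const k = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
        const v = i === -1 ? '' : attr.slice(i + 1);
        if (k === 'path') path = v;
        if (k === 'expires') expires = new Date(v);
      }
      const key = `${name}|${path}`;
      if (expires && expires.getTime() < Date.now()) store.delete(key);
      else store.set(key, value);
    },
  };
}

// Walk through the post's scenario on the stub (constructed data): the poll
// sets DoVoted_252032; erasing it with the matching path works, erasing a
// cookie with the wrong path leaves the original in place.
function demo() {
  const doc = makeDocumentStub();
  doc.cookie = 'DoVoted_252032=OK; path=/';   // constructed: what the poll set
  doc.cookie = 'session=abc123; path=/poll';  // constructed: a second cookie
  const before = parseCookies(doc.cookie);
  const erased = deleteCookie(doc, 'DoVoted_252032');           // path '/' matches
  const wrongPath = deleteCookie(doc, 'session');                // '/' vs '/poll'
  const rightPath = deleteCookie(doc, 'session', { path: '/poll' });
  return { before, erased, wrongPath, rightPath, after: parseCookies(doc.cookie) };
}

console.log(demo());
```

In a real page the same call is `deleteCookie(document, 'DoVoted_252032')` followed by `location.reload()`; the return value tells you whether the path guess was right before you bother reloading.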

Have fun with Javascript code injection; Google that phrase and you are likely to hit hundreds of useful resources.

1 Response to "The story about how I got hooked with Javascript code injection"

Selene: Buahaha, you wrote savage on purpose! XD
Nice, so you made it! That’s great!
