Hmmm, clicking submit and going to a page to "post" a current total is web programming circa 1995. Today we use things like HTTP XML requests to post directly to the server, and relational databases to store data.
It's not a "post", it's an HTTP "get" request they use onSubmit of those forms. Welcome to ESPN's corporate run site, most likely run by a jock sniffing boys club and a few eyecandy types that are hoping to jump on air before their looks go.
Because the web is stateless, that "current total" we send to the server has to be stored somewhere right? Not just some text file w/ a counter that goes up I promise you that. I assure you, they don't store the total.
The raw data they were supplying the map flash application in the previous poll:
&AL1=55&AL2=45&ALTotal=875&AK1=36&AK2=64&AKTotal=45&AZ1=48&AZ2=52&AZTotal=860&AR1=45&AR2=55&ARTotal=289&CA1=52&CA2=48&CATotal=2657&CO1=49&CO2=51&COTotal=1359&CT1=58&CT2=42&CTTotal=380&DE1=57&DE2=43&DETotal=65&FL1=63&FL2=37&FLTotal=3017&GA1=55&GA2=45&GATotal=2171&HI1=66&HI2=34&HITotal=99&ID1=47&ID2=53&IDTotal=142&IL1=49&IL2=51&ILTotal=2493&IN1=55&IN2=45&INTotal=1149&IA1=42&IA2=58&IATotal=628&KS1=31&KS2=69&KSTotal=753&KY1=66&KY2=34&KYTotal=476&LA1=47&LA2=53&LATotal=1026&ME1=60&ME2=40&METotal=50&MD1=60&MD2=40&MDTotal=562&MA1=61&MA2=39&MATotal=573&MI1=43&MI2=57&MITotal=2910&MN1=45&MN2=55&MNTotal=751&MS1=60&MS2=40&MSTotal=215&MO1=39&MO2=61&MOTotal=992&MT1=49&MT2=51&MTTotal=87&NE1=5&NE2=95&NETotal=5249&NV1=55&NV2=45&NVTotal=242&NH1=63&NH2=37&NHTotal=71&NJ1=61&NJ2=39&NJTotal=869&NM1=46&NM2=54&NMTotal=136&NY1=64&NY2=36&NYTotal=1421&NC1=62&NC2=38&NCTotal=1182&ND1=53&ND2=47&NDTotal=85&OH1=89&OH2=11&OHTotal=8266&OK1=47&OK2=53&OKTotal=838&OR1=56&OR2=44&ORTotal=444&PA1=62&PA2=38&PATotal=1658&RI1=63&RI2=37&RITotal=97&SC1=55&SC2=45&SCTotal=979&SD1=24&SD2=76&SDTotal=249&TN1=51&TN2=49&TNTotal=1197&TX1=53&TX2=47&TXTotal=2889&UT1=52&UT2=48&UTTotal=309&VT1=57&VT2=43&VTTotal=23&VA1=57&VA2=43&VATotal=1045&WA1=52&WA2=48&WATotal=643&WV1=57&WV2=43&WVTotal=248&WI1=44&WI2=56&WITotal=872&WY1=19&WY2=81&WYTotal=127&DC1=55&DC2=45&DCTotal=762&INT1=17&INT2=83&INTTotal=53210
So while I am sure that at some point it hits a dbms, it really doesn't matter how they store it. You can also see where any request that had stripped off their site analysis and geo-location cookies went... The else pile.
There are individual session responses stored with other attributes of the poster (like location determined from IP, browser details, etc). So, you COULD manipulate the site with cross site scripting w/ little work, or simply do a SQL injection inserting a boatload of sessions. You could also hack the SQL DB and manipulate it that way.
You are making things a lot more complicated than they need to be. Not only that but ESPN doesn't do its own geolocation/user tracking, they use an Adobe site analysis tool for that. Plus all that stuff is done with JavaScript and not on the back end. They don't store that data in anything themselves, at least not poll related.
Also SQL injection is "hack(ing)" the SQL database, and if you got that far to where you could actually just insert data into a dbms you sure heck wouldn't be wasting time with "sessions".
I'd add another possibility, you could just basically macro a browser, or emulate enough of one, and have it send pretty much the same requests a human run browser does when you click submit.
To get 16,000 responses all at once - when the total hadn't increased in that much over the previous 6 days - it's not some fan sitting in the dark deleting his cookies and refreshing. It's a nerd creating a response object for that particular address, then manipulating the object to form a post w/ the correct response. Same thing that happens when you screen scrape. Either that or one of the other above suggested methods. It's not difficult, but hacking is certainly a possibility. To dismiss it would mean the person simply has no knowledge of how the internet or websites work.
Nobody got 16,000 responses all at once. It was ~20,000 over around 6 hours. To dismiss "hacking" means that I know that emulating a browser submit was how it was done and that anyone suggesting that you need any other fancy web hacking wizardry like SQL injections or cross site scripting is letting their imaginations run wild. Especially when simply sending the same get requests as ESPN's flash forms generate is much, much easier and much less illegal.
Non-working script example:
Code:
for ($x = 0; $x < 10000; $x++)
{
$vote = 'http://url';
$r = $u->get($vote);
if ( $x % 100 == 0 && $x != 0)
{
print $x." votes sent";
}
}
So anyways, anyone who suggests that it was "hacking" is wrong, period. I modified a script I had written years ago when ESPN did "the greatest coaches of all time" and that poll turned into a "macro your browsers" competition with Alabama fans between Osborne and Bryant. I still think this poll is a stupid ad for a usually bad EA Sports game, but well I was bored, and had been meaning to play with that script for a few years now. So when this turned into a silly school pride competition complete with 2000 post long comment sections of really stupid people repeating the same arguments and trashing each other for hours on end, it was just too funny an opportunity for amusement to pass up. I guess I did it for the Lulz.
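Added example, not part of the original post: a poll operator's view of the tally string quoted above, parsing the `XX1`/`XX2`/`XXTotal` fields and flagging buckets whose vote split is an outlier, plus the share of votes that landed in the unattributed `INT` bucket (the post's "else pile"). The sample is an excerpt of the values quoted in the post; the function names and the 3.5 modified z-score cutoff are assumptions chosen for illustration.

```python
from statistics import median
from urllib.parse import parse_qsl

# Excerpt of the tally string quoted in the post (values copied from it).
SAMPLE = ("&AL1=55&AL2=45&ALTotal=875&CA1=52&CA2=48&CATotal=2657"
          "&FL1=63&FL2=37&FLTotal=3017&MI1=43&MI2=57&MITotal=2910"
          "&NE1=5&NE2=95&NETotal=5249&NY1=64&NY2=36&NYTotal=1421"
          "&OH1=89&OH2=11&OHTotal=8266&TX1=53&TX2=47&TXTotal=2889"
          "&VT1=57&VT2=43&VTTotal=23&INT1=17&INT2=83&INTTotal=53210")

UNATTRIBUTED = "INT"  # bucket for requests with no geo-location cookie
Z_CUTOFF = 3.5        # assumed cutoff for the modified z-score


def parse_tally(qs):
    """Return {bucket: {'1': pct, '2': pct, 'Total': votes}}."""
    buckets = {}
    for key, value in parse_qsl(qs.lstrip("&")):
        # Check 'Total' first so 'INTTotal' is not mistaken for another field.
        for suffix in ("Total", "1", "2"):
            if key.endswith(suffix):
                buckets.setdefault(key[:-len(suffix)], {})[suffix] = int(value)
                break
    return buckets


def lopsided_buckets(buckets):
    """Geo buckets whose option-1 vs option-2 margin is a robust outlier."""
    geo = {k: v for k, v in buckets.items() if k != UNATTRIBUTED}
    margins = {k: abs(v["1"] - v["2"]) for k, v in geo.items()}
    med = median(margins.values())
    # Median absolute deviation; fall back to 1 to avoid dividing by zero.
    mad = median(abs(m - med) for m in margins.values()) or 1
    flagged = [k for k, m in margins.items()
               if 0.6745 * (m - med) / mad > Z_CUTOFF]
    return sorted(flagged, key=lambda k: geo[k]["Total"], reverse=True)


def unattributed_share(buckets):
    """Fraction of all votes that carry no geographic attribution."""
    total = sum(v["Total"] for v in buckets.values())
    return buckets[UNATTRIBUTED]["Total"] / total


if __name__ == "__main__":
    tally = parse_tally(SAMPLE)
    print(lopsided_buckets(tally), round(unattributed_share(tally), 3))
```

A large unattributed share together with a few extreme-margin buckets is the signal an operator would review before trusting the published totals.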