How are they doing this!!!

[mattyb311]

I am in a football pool where you pick against a spread every week. My friend is a big nerd and cheats so bad. Somehow he changed his picks AFTER they were locked and unchangeable. I mean I know how to change things with Firebug but obviously that does not save. How is he able to edit and save the page source?

[WallShadow]

First off, welcome to HTS!

Second, please give move information about the game like; what language is it programmed in? Do you play it in your browser or just window? Any more information you can give only serves to help us.

There are loads of ways to hack a game, we need to know how the game works to see which hacks are applicable to it.

- WallShadow <3

[anarchy420x]

Do you have a link that we can check out?

[mattyb311]

So as you can see the pick is locked from last nights game. The other shows current week standings. At game time the pick is locked in. He was able to get in there during the game and change Oakland to Denver. Like I said I know how to do it with Firebug, but obviously it doesnt stay for public to see. I would give you site to look at but its a special pool where you are given a password in order to view the page.

[weekend hacker]

I'm guessing those buttons are what you click to set your pick with blue buttons being what you picked already?
Look at the form those buttons are in. The script probably disables buttons during a game so you cannot "click it", however, if it probably fails to check at the backend if its allowed to make a setting during game time. (OR, if thats not how he does it there may be an sqli vuln in there somewhere, probably not checking if the id's of the pick are ints)
Look at the form those buttons are in, there will be data to identify which button is which like a name or an id, or hidden data, or submit value or something like that(all depending on if its a separate form per pick or one huge form with the value being in the button itself). Then check the disabled button and find what changed to disabled it. There are 2 options here, either it just set them to disabled or totally removed the values identifying them which effectively disables them. In the first case, enable them again with firebug and then click. In the second case, write down the values before game time, fill them in during game time and click to change your pick. Possible alternative, open the page before game time, keep it open, and click during game time. It'll all depend on how its made. But if your friend is able to change his picks this is probably how he does it. (or since theres also a save button, I guess the buttons are a type of checkbox/radiobutton, in which case the same as above applies but with checkbox/radiobutton values or id's and not button values)

[mattyb311]

I wish I knew more about computers and could figure out how to test what you just told me lol.

[fashizzlepop]

Read up on HTML. Specifically forms and some of the keywords weekend mentioned like "radio buttons" and "id" and "value". These are all parts of building a form in html.