The story of a hungry student with an inquiring mind
I don't know about you, but I love pizza. Especially if it is Papa John's special garlic pizza sticks. Therefore, I was delighted when, after ordering takeaway food, I received the following letter from them:
Papa John's (c) Headline of the survey letter
Free food! I definitely needed to take this survey ...
Interview
Papa John's (c) Survey Closing Page
I completed the survey as a normal person and received a validation code for a free garlic pizza.
But out of curiosity, I took another look at the link. Looks like the GUID parameter was a client ID. Guess what happened when I changed it to something random? A brand new poll popped up with new free pizza sticks.
I could do this forever! But this is not the most efficient use of my time, so let's use some Selenium magic.
The bot
Selenium Webdriver is a browser automation framework that is mainly used for testing. I chose Python as my programming language and decided to try Selenium to create a polling bot.
Installation
First, run
pip install seleniumand pip install fake_useragent. What is user-agent? The MDN documentation defines it as follows:
The User-Agent request header is a string that allows servers and network nodes to identify the application, operating system, vendor, and / or version of the agent that sent the request.
It seemed like a good idea to randomize this header to bypass any possible filtering / blocking mechanism - that's where it comes in
fake_useragent.
In addition, you had to download the ChromeDriver to interact with the Chrome browser.
The code
The basic Selenium setup looks like this (initialization with a random user-agent):
from fake_useragent import UserAgent
from selenium import webdriver
from random import randrange
import time
ua = UserAgent(verify_ssl=False)
user_agent = ua.random
print("USER AGENT: " + user_agent)
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument("user-agent=" + user_agent)
driver = webdriver.Chrome(chrome_options=chrome_options)After randomizing the GUID parameter, the bot opens a web page and starts clicking. I added a second delay between actions so that the page has time to load and to look like a real person.
id = randrange(100000000000000)
url = "https://www.papajohnsfeedback.com/GBR?GUID=" + str(id)
print(url)
driver.get(url)
time.sleep(1)
driver.find_element_by_id('NextButton').click()
time.sleep(1)
driver.find_element_by_id('NextButton').click()
time.sleep(1)
driver.find_element_by_xpath("//div[contains(@class, 'Opt1')]/span").click()
time.sleep(1)Part of the bot script
XPath
XPath is a query language for selecting nodes from an HTML or XML document. For each of the survey questions, I used a real-time XPath testing tool to select the correct nodes that the bot clicks on. Of course, I gave Papa John's 5 stars on all counts.
XPath testing
You're welcome!
Finally, we get the validation code.
Papa John's (c) The final page of the survey
driver.find_element_by_id('NextButton').click()
time.sleep(1)
code = driver.find_element_by_class_name('ValCode').get_attribute("innerHTML").split(' ')[2]Extracting the validation code
Celebration
After half an hour of programming, the python bot was ready. Here's a gist with code, and here's it in action:
Thanks, Papa John's
I entered all the generated codes when calculating in Papa John's shopping cart. And here it is - a potentially endless supply of garlic pizza sticks.
Free pizza for me and great reviews for Papa John's Marketing. Seems like a win-win situation! For this bot, I even had to learn XPath and hone my Selenium skills.
Of course, I didn't order anything. As an honest person, I have notified Papa John's of the vulnerability along with video evidence. As of this writing, they have not responded. But the poll doesn't work anymore, so I think they got the message.
By the way, I could program to order 1000 garlic pizzas from every Papa John's store across the UK and single-handedly drive the Papa John's chain into insanity. Can you imagine the chaos that would be?
I may have done it in a parallel universe.