Can a hacker prevent access to a form and submit before anyone else?
2 points by codingcall 1802 days ago
Hi friends,

I am trying to help a friend avoid a really serious problem in their website. Here is the scenario:

They open access to an admission form at 9:00am on certain days. After they close admissions, they choose the first person who filled out the form and award them the admission.

My question is: Is it possible for a hacker or a technically knowledgeable person to prevent access for others for a few seconds and submit his/her request before anyone else?

I have tried the form at the specific time. There is a countdown until the form shows up, and then a server error occurs for a few seconds before the form shows up. I was thinking this is maybe because of too many requests, but the number of users who visit the website is not more than a thousand people.

Does anyone have any idea if manipulation could take place in such a case?

Thanks a lot,

6 comments

This is a problem you’ll never solve. Your friend should change the admissions criteria.

As another commenter suggested, if I truly wanted to prevent anyone from abusing the system, I’d take all submissions within the first N minutes and pick a random entry from that entire sample. Instead of trying to solve the original problem, prevent it entirely.

This is something to seriously consider. Thanks for your suggestion and feedback.
Your request sounds suspiciously like you're actually the hacker and want to get an edge over competitors in ordering limited editions 'hype' sneakers or scalping graphics cards or similar.

"Hi friends,

my teacher gave me the homework to hack the school's website and the instagram account of a girl in my class. How do?"

If this is in fact an honest request, then set up some DDoS protection (Cloudflare) and go with the random pick route (raffle) and don't forget to seed the RNG somehow.

I am sorry I sounded suspicious, but it is what I said it was, except it is not admission. It is some kind of special program enrolment (first come, first served). I am not the hacker or an applicant; I am just trying to give them the best professional advice I can.

I have thought of Cloudflare and it is at the top of my recommendations. So far, the random pick is the most feasible solution. Thanks for your feedback.

A Denial of Service attack (flood the server with requests) might look like that. What I would do instead though, is have the form pre-filled and scripted to submit the moment it's live. That might be done with curl/Python/etc to skip the browser render too. If so, it might also inadvertently look like DoS if they forgot to put a delay between attempts.

Interesting. I did not know you can do that. Thanks a lot for this piece of information about scripting the form and submitting before the browser renders. I will look into that as well.
1. Allow only submissions from authenticated sessions, disallowing duplicates: each user's account gets one submission attempt per day.

2. Include a hidden nonce in the submission form whose value must be correct. Thus the attacker cannot just blindly send a submission on the strike of 9:00; the attacker has to obtain something from your server which is only available at 9:00 or later: the form markup containing the correct nonce, unique to their session.

3. Include a question in the form that must be correctly answered, but is likely hard to do for a robot. Of course, the question is different every day.

A better idea would be to choose a random submission from a larger number of submissions. This would prevent most attacks. Any duplicate submissions should be flagged and there should be a penalty for users that submit them.
Most likely I will put this as my first recommendation. Thanks for your insights and response.
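Putting that comment's suggestions together (a nonce the server only issues once the window opens, bound to the session; one entry per account with duplicates flagged and penalised; a random draw over the whole window instead of first-request-wins), as an added Python sketch that is not from this thread or any real site. The class and function names, the HMAC-based nonce, and the window length are assumptions.

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional

# Assumed: a per-deployment secret kept on the server, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)


def issue_nonce(session_id: str, now: float, opens_at: float) -> Optional[str]:
    """Hand out a nonce only once the window has opened, tied to this session.

    Before opens_at the form (and so the nonce) is not served at all, which is
    what stops a pre-filled submission fired blindly on the strike of 9:00.
    """
    if now < opens_at:
        return None
    msg = f"{session_id}:{int(opens_at)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class AdmissionWindow:
    def __init__(self, opens_at: float, window_s: float = 300.0):
        self.opens_at = opens_at
        self.closes_at = opens_at + window_s
        self.entries = {}       # account -> time of accepted submission
        self.flagged = set()    # accounts that tried to submit more than once

    def submit(self, account: str, session_id: str, nonce: str, now: float) -> str:
        if not (self.opens_at <= now <= self.closes_at):
            return "rejected: outside window"
        expected = issue_nonce(session_id, now, self.opens_at)
        # Constant-time compare so nonce checking does not leak timing.
        if expected is None or not hmac.compare_digest(nonce, expected):
            return "rejected: bad or missing nonce"
        if account in self.entries:
            self.flagged.add(account)   # duplicate: flag and penalise
            return "rejected: duplicate"
        self.entries[account] = now
        return "accepted"

    def draw(self, seed: Optional[int] = None) -> Optional[str]:
        """Pick uniformly from every non-flagged entry in the window.

        Arrival order is deliberately ignored, so a faster script or a VPS
        next to the server gains nothing. Pass a seed only for reproducible
        testing; otherwise an OS-seeded CSPRNG is used.
        """
        rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
        eligible = sorted(a for a in self.entries if a not in self.flagged)
        return rng.choice(eligible) if eligible else None
```

Serving the nonce late only stops blind pre-submission; a script can still fetch the form at opening time, which is why the draw, not the timestamp, decides the winner.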
Me, a user with shitty internet -> =(
I don't think there's a reasonably possible way that meets both criteria (reject others and allow me) aside from hacking the server altogether.

What someone might do, as others suggested, is script it. They could also try to geolocate themselves closely to the webserver (by renting a VPS nearby maybe). The server error could be from someone's script. It doesn't take much to cause 500 errors if clients are not rate limited. Tell him to add rate limiting.

Thank you, the developer behind the website had no idea about rate limiting, and I myself thought this was only used with an API. I will look into that, but do you really think that if someone is geographically close to the server they have a better advantage over those coming from other countries? I mean this could be one of the things to consider in order to give an equal chance to all applicants.

Thanks again