SeatGeek application

I was going over the HN March Who’s Hiring post, looking for internships, when I clicked on SeatGeek’s web engineer post.

I found this in the left column:

For bonus points, you can apply by hacking into our backend jobs admin panel and submitting your resume here: http://apply.seatgeek.com/

I checked out the link and the related blog post. This was awesome. The first message:

This page must be viewed from the SeatGeek browser

This was easy: I changed my user agent to SeatGeek in the Chrome Developer Tools' settings. We have the New Applicant Form with a note:

Note: only 'admin' users may submit new applicants

Submitting the form leads to a blank page.

I had to look into the source. Ah! A hidden input field '_csrf' with the value 'this is required (and this value is incorrect)'. Changing the value to admin was a dumb move. It should be a CSRF token, some kind of hash value.

Next I checked the Resources tab. There is a cookie with the name sg.session and a value with admin and csrf.token as substrings.

urllib.unquote(cookie_value) on a Python prompt gives

'{"admin":0,"csrf.token":"XcfT7I4tqPM9vBbAb/esyW0mxMVJbBXqda8VjstXaZA="}'

Submitting with the csrf.token value in _csrf gives an error:

You must submit as an 'admin'

Modify the cookie to

'{"admin":1,"csrf.token":"XcfT7I4tqPM9vBbAb/esyW0mxMVJbBXqda8VjstXaZA="}'

and quote it back. Submitting with the modified cookie and the csrf token value gives:

  • Akshit Khurana created successfully

Thank you for submitting a new applicant, they will be contacted shortly.

I am looking forward to hearing from them. This was exciting; I had fun applying.
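As an added note that is not part of the original post: the trick works because sg.session is a URL-quoted JSON blob that the server trusts as-is, so the client can set admin to 1. The example below (my code, not SeatGeek's) parses the cookie the way the post does, then shows how an HMAC-signed session cookie would reject the same edit; the secret key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed demo secret; a real one is random and never leaves the server.
SECRET = b"constructed-demo-secret"

# The cookie format from the post: URL-quoted JSON, nothing binds it to the server.
SESSION = {"admin": 0, "csrf.token": "XcfT7I4tqPM9vBbAb/esyW0mxMVJbBXqda8VjstXaZA="}
POST_COOKIE = quote(json.dumps(SESSION, separators=(",", ":")))


def parse_unsigned_cookie(cookie_value):
    """Decode the post's cookie exactly as the post does (unquote, then JSON).
    The server has no way to tell whether the client changed 'admin'."""
    return json.loads(unquote(cookie_value))


def sign_session(session):
    """Serialize the session and append an HMAC-SHA256 tag: payload.tag"""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return quote(payload.decode() + "." + base64.urlsafe_b64encode(tag).decode())


def verify_session(cookie_value):
    """Return the session dict only if the tag matches; otherwise None."""
    raw = unquote(cookie_value)
    # The tag is base64url (no '.'), so the last '.' is the separator even
    # though the JSON itself contains the key "csrf.token".
    payload, sep, tag_b64 = raw.rpartition(".")
    if not sep:
        return None
    try:
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def simulate_cookie_edit(cookie_value):
    """Reproduce the edit from the post (admin 0 -> 1) on a signed cookie."""
    return quote(unquote(cookie_value).replace('"admin":0', '"admin":1', 1))
```

With the unsigned format, parse_unsigned_cookie accepts whatever admin value the client sends; with the signed format, verify_session returns None for the edited cookie because the tag no longer matches.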