I found this in the left column:
For bonus points, you can apply by hacking into our backend jobs admin panel and submitting your resume here: http://apply.seatgeek.com/
I checked out the link and the related blog post. This was awesome. The first message:
This page must be viewed from the SeatGeek browser
This was easy: I changed my user agent to SeatGeek in the Chrome Developer Tools' settings. We have the New Applicant Form with a note:
Note: only ‘admin’ users may submit new applicants
Submitting the form leads to a blank page.
Had to look into the source. Ah! A hidden input field '_csrf' with the value 'this is required (and this value is incorrect)'. Changing the value to admin was a dumb move. It should be a CSRF token, some kind of hash value.
Next, I checked the Resources tab. A cookie with the name sg.session and a value with admin and csrf.token as substrings.
urllib.unquote(cookie_value) at a Python prompt gives
Submitting with the csrf.token value in _csrf gives an error:
You must submit as an 'admin'
Modify the cookie to
and quote it back. Submitting with modified cookie and csrf token value gives:
Thank you for submitting a new applicant, they will be contacted shortly.
I am looking forward to hearing from them. This was exciting, and I had fun applying.
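The cookie edit described above works because the server trusts a role field that the browser can rewrite. As an added example (not SeatGeek's code and not part of the original post), this Python 3 code contrasts an unsigned, URL-quoted session cookie with an HMAC-signed one that rejects the same edit. The JSON layout, field names, key and helper names are assumptions, since the post does not show the real cookie value.

```python
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed key for this example; a real service loads it from a secret store.
SERVER_KEY = b"constructed-demo-key"


def encode_unsigned(session: dict) -> str:
    """Weak form: URL-quoted JSON that the client can rewrite freely."""
    return quote(json.dumps(session, sort_keys=True))


def decode_unsigned(cookie: str) -> dict:
    return json.loads(unquote(cookie))


def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def encode_signed(session: dict) -> str:
    """Hardened form: same payload plus an HMAC-SHA256 tag over it."""
    payload = encode_unsigned(session)
    return payload + "." + _tag(payload)


def decode_signed(cookie: str):
    """Return the session dict, or None when the tag is missing or wrong."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison on bytes avoids timing leaks and str errors.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    return json.loads(unquote(payload))


def with_role(payload: str, role: str) -> str:
    """Simulate the client-side edit from the post: rewrite the role field."""
    session = json.loads(unquote(payload))
    session["role"] = role
    return encode_unsigned(session)


if __name__ == "__main__":
    issued = {"role": "guest", "csrf_token": "constructed-token-123"}
    print(decode_unsigned(with_role(encode_unsigned(issued), "admin")))
    payload, _, tag = encode_signed(issued).rpartition(".")
    print(decode_signed(with_role(payload, "admin") + "." + tag))
```

Signing only makes the edit detectable; keeping the role in server-side session state keyed by an opaque ID removes it from the client entirely.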