Exploiting Price Matching Through JavaScript Injection
by Sigma
In today's world of retail shopping, finding a good price for an item usually involves the use of scissors and a large stack of Sunday newspaper ads.
We all obsessively follow deals to find the most opportune time to swoop in and buy what we want before the sale ends and the price returns to normal. But for many out there who have better things to do with their time, what else can be done? It is part of the hacker mentality not just to wait for the right situation in order to strike, but to modify the situation to suit your needs.
The Concept
Price-matching is a wonderful concept that can be invoked when making a purchase.
When paying for an item, one can present something to the cashier, such as a competitor's flyer, that advertises the item at a lower price. The cashier will type in the new, cheaper price and ring it up. This gives a person the ability to take advantage of any one store's sale at any other store. Stores will adhere to this because they don't want customers to go to a competitor's store, so they swallow their pride and honor the discount.
Casing the Joint
One day, I walk into a Best Buy that is located in a mall near my house.
While perusing through the aisles, I spot my target.
It's a Western Digital 320 GB My Passport Essential External HDD. Not only is it a beautiful piece of hardware, but I need it because my computer's drive is almost full. I could just go and buy it, but I notice that the current price is $169.99! There is no way that I am paying that much.
I inquire about Best Buy's price matching policy, and the employee says that they will match any major retailer's price on a flyer or webpage printout that is not more than a week old. After returning home and looking through some ads, I find that the lowest anybody is selling the drive for, Best Buy included, is $129.99. Although this is a much better deal than before, it is still not low enough for my taste. So I ponder my next course of action for a couple of days and eventually craft an alternate solution.
Another Concept
JavaScript has a handy little feature called the HTML DOM.
This stands for the Hypertext Markup Language Document Object Model, and it is used to allow JavaScript code to interact with element tags on a webpage.
Ever notice how those fancy lightboxes expand to fit their content when you click a picture? Those smooth growth actions are provided by the HTML DOM in JavaScript. On the opposite end of the spectrum is JavaScript Injection. Quite easy to do, and potentially powerful, JavaScript Injection allows you to execute arbitrary JavaScript code on any webpage.
One of the simplest examples is to type:
into the URL bar on any page. A pop-up containing this classic message should appear. JavaScript Injection can also make use of the HTML DOM to modify the content of a webpage, as you will soon see.
The Process
I do some searches with Google and navigate my browser (I will be using Firefox 3 for all examples, but this also works with Internet Explorer) to a page from Walmart containing the drive I want to purchase.
I find the price in the page and right-click -> "View Selection Source". The HTML used to generate that item then pops-up, and it looks like this:
I note that the price is in a <span> element. Now, in any webpage there are many different tags and many are <span> elements. This is where the DOM comes in handy.
I type the following into the URL field:
Let me break this down:
1.) javascript: This indicates that we'll be giving some JavaScript code to the browser, as opposed to a URL with: http:// or ftp://
2.) x=document.getElementsByTagName("span"); Here we are assigning the variable x an array, or list, of all the span elements on the page.
3.) for(n=0;n<x.length;n++){} This is a standard for loop that will be used to examine every element of the array contained in x.
4.) alert(n+"="+x[n].innerHTML); This will generate a pop-up for each element in x. It will display the innerHTML, or the HTML contained within the <span> tag.
When I hit Enter, there was a series of pop-ups containing the number and content of each <span> tag. I took notice of when the pop-up displayed the current price for the HDD and noted the number. On this page, the <span> tag that held the price was 23rd out of 75.
Now, knowing the number of the tag I want to modify, I type something like this into the URL field:
New parts broken down again:
1.) x[23].innerHTML=prompt("Enter new text:",""); This takes the 23rd element stored in x and opens up a pop-up box that allows you to type in the new text to display in the span tag.
2.) alert(); This prevents the browser from redirecting to a blank page when the code is done.
If done correctly, whatever text is typed into the prompt should appear on the page where the old text (or price) used to be.
On my page, I typed $59.88 into the prompt, and that was displayed as the new price. Now that the text of a webpage has been successfully modified, the real con can begin.
Finishing the Job
After injecting the new content into the page, I printed it out along with a couple of pages from other sites.
Then I drove down to Best Buy, picked the HDD off the shelf, and got in line.
When it was my turn, I asked the cashier if they did price-matching (to act clueless); he said yes and proceeded to ring me up as I presented him with the print-outs.
He glanced at the 10pt font and typed in the new price. He had to call over a floor manager or something to enter his bypass code to allow the sale at the new price. (He just zipped his finger across the keyboard like he does this all day, something like "12345" probably.)
Anyway, the cashier handed me back the print-outs and my new HDD in a bag and said to have a nice day.
Analysis
I remember my first thought being "that was way too easy."
He just glanced at the sheets and handed me my item. Why was this so easy?
I suppose it was that when people think of websites getting "hacked" (This is in no way a hack, but rather a little trick), they think of defacement and identity theft.
No one expects that someone would forge the contents of a page to cheat a store.
The employees are so busy trying to get the sale that, given the rapid fluctuation in electronics pricing, they ignore the possibility of exploitation. Although you don't get anything for free, I was still able to save a good 110 dollars.
In the end, this is a really light and fast way to save some cash using the hacker mentality.
Props to Jacob P. Silvia (JavaScript Password DOMination) and A5an0 (JavaScript Injection) for similar articles that I found after writing this.
The information in this article is for lulz and to be used for educational purposes only. Do not try to buy a laptop for $5.99, some common sense still applies. Batteries not included, some assembly required.
Happy hacking!