Searching Government Quiz Sites for Hidden Answers

by Brenden Hyde

TL;DR: Some websites hide the answers to quizzes in their JavaScript code.

Read on to see how you can find them!

Introduction

Recently, I was working on producing some toys in China and importing them to the U.S.

Because I was importing them myself, I would be responsible for paying the import tariffs.  I wasn't familiar with how tariffs worked, so I went to the source: the website for "The Harmonized Tariff Schedule of the United States."

This tome of PDF files from the U.S. International Trade Commission can be a bit daunting (and boring!) to read.  For a taste of this, consider Section VIII which regulates the import of, among other things, "Articles of Animal Gut (Other than Silkworm Gut)."  I was going to need some help.

Luckily, the site offers some guidance in the form of mini-training courses that include quizzes.

The courses are free, they don't require a login, and the stakes are low; you can reattempt them without limit.  I noticed that with each quiz answer I submitted, I was greeted by a JavaScript alert() window - you know, those annoying pop-ups that fell out of fashion 15 years ago - telling me if I was right or wrong.

The responses were instantaneous.  The speedy responses got me thinking that there must not be any client-server interaction going on.  And if the quiz wasn't reaching out to a server, then they must be storing the answers locally.

"The calls are coming from inside your browser.  Get out of your browser!" - Nobody.

Scouring the Website's Code

I decided to use my browser's "Developer Tools" to snoop around the site's code.

In Mozilla Firefox, you can open the "Inspect Element" tool with the keyboard shortcut Ctrl+Shift+C (Linux or Windows) or Cmd+Shift+C (macOS).

This opens the browser's Developer Tools in a mode that lets you identify the code that makes each component of the page.  Each element that you hover your mouse over reveals the corresponding HTML, CSS, and JavaScript that comprise it.  I clicked on the area that had all four answers to the multiple-choice question I was on.

The question and answers looked like this:

Knowledge Check

Which U. S. Government agency officially determines the classification of imported goods?

  A. United States International Trade Commission
  B. U. S. Customs and Border Protection
  C. The Department of State
  D. The Department of Commerce

In the Developer Tools, right above all the HTML that made up the answers, I saw a <script> tag.  HTML <script> tags contain embedded JavaScript functions that can change the way the page looks, add or remove content, store some text, and much more.

It seemed like a prime candidate for storing the quiz's answers.

I clicked on the little triangle that expands the script element so I could see its contents.  Along with a simple answer-checking function, I noticed this array declaration:

var EQA = new Array(0);
EQA[0]="Incorrect. The United States Customs and Border Protection officially determines classification.";
EQA[1]="Correct. The United States Customs and Border Protection officially determines classification.";

As you can see, it pretty clearly spells out the answer, falling just short of actually telling you which letter is right (hint: it's "B").

As I nexted my way through the test, I found that every page had the same format and the same <script> tag containing the answer.

Who Cares?

At this point, you may be thinking, "O.K., you found some answers to an easy, optional test!  Who cares?"  While it's true that this quiz had low stakes, it is far from the only computerized exam you might take in your life.

Paper tests are all but extinct these days, and not every organization has sound coding practices.  Given the current administration's penchant for defunding or underfunding essential government entities, it's not too hard to imagine tests for, say, EPA certifications or drivers' licenses falling victim to the same insecure design and subsequent exploitation.

If nothing else, findings like these should serve as a reminder to web designers and developers: store important data on the server in a secure way, make the client request it as needed, and don't cut corners.
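
The server-side approach recommended above, as an added example that is not part of the original article or the quiz site's code: the answer key stays in a server-only store, the page receives only an allow-listed view of each question, and grading happens per submission.  QUIZ, publicQuestion, and gradeAnswer are hypothetical names, the record is constructed from the question quoted earlier, and withholding the explanation on a wrong answer is an assumption of this example.

```javascript
// Added example: grade on the server so the answer key never reaches the browser.
// QUIZ, publicQuestion and gradeAnswer are hypothetical names; the data is constructed.

// Server-only store. `correct` and `explanation` must never be serialized to the client.
const QUIZ = new Map([
  ["q1", {
    prompt: "Which U. S. Government agency officially determines the classification of imported goods?",
    choices: {
      A: "United States International Trade Commission",
      B: "U. S. Customs and Border Protection",
      C: "The Department of State",
      D: "The Department of Commerce",
    },
    correct: "B",
    explanation: "The United States Customs and Border Protection officially determines classification.",
  }],
]);

// What the page may receive. Fields are copied by allow-list, so a field added
// to the record later (a hint, a score weight) does not leak by default.
function publicQuestion(id) {
  const q = QUIZ.get(id);
  if (!q) return null;
  return { id, prompt: q.prompt, choices: { ...q.choices } };
}

// Runs on the server for each submission. The client learns only the verdict
// for the choice it actually sent.
function gradeAnswer(id, choice) {
  const q = QUIZ.get(id);
  // Reject unknown questions and anything that is not one of the offered letters
  // (hasOwnProperty keeps inherited keys such as "constructor" from passing).
  const offered = q && typeof choice === "string" &&
    Object.prototype.hasOwnProperty.call(q.choices, choice);
  if (!offered) return { ok: false, error: "invalid submission" };
  if (choice !== q.correct) {
    // Assumption of this example: a wrong answer gets no explanation,
    // because the explanation names the right agency.
    return { ok: true, correct: false, message: "Incorrect." };
  }
  return { ok: true, correct: true, message: "Correct. " + q.explanation };
}
```

Only the output of publicQuestion() belongs in the page or in an API response; gradeAnswer() sits behind the form's submit request.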

Conclusion/Takeaways

So the next time you are taking an optional test on a site that feels less than modern, consider using your browser's Developer Tools to dig into the JavaScript and see what kind of goodies you can uncover.

The site just might be constructed in an insecure way.

Warning:  Don't do this on tests that actually matter.  It's wiser to actually study, and cheating is wrong in almost all cases.  This is doubly true for government websites where digging too deeply could constitute, or be construed as, a crime.
