How Poorly Designed UX on a Coronavirus Test Nearly Put Us in Self-Isolation, But a Security Hole Saved Us

This is me, writing a script to enumerate parameters for a POST request to gov.tr, sitting in front of the border to Croatia.

History in brief

My wife and I travel the world and work remotely. We recently moved from Turkey to Croatia (the best starting point for visiting Europe). To avoid quarantine in Croatia, you need a certificate of a negative covid test taken within 48 hours before entry.

We found out that it is relatively cheap (2500 rubles) and quick (all results come within 5 hours) to take a test at the Istanbul airport, which we were flying out of anyway.

We arrived at the airport 7 hours before departure and found a test point. Everything there is chaotic: you come up, hand over your passport, pay, get 2 stickers with a barcode, and go to the mobile laboratory, where they take one of these stickers from you to identify your sample. Then you leave, and they tell you: go to this site, enabiz.gov.tr/PcrTestSonuc, enter your barcode and the last 4 digits of your passport, and after a while the result will be there.


But if you enter the data immediately after taking the test, the page returns an error.


Even then, thoughts crept into my head about this “beautiful” UX, in which any mistake by the operator who typed in the passport data leaves you no way to find out your result.

Before departure

Departure time approaches, I enter my data and see that my documents are already in the system, although there is no test result yet.


It even shows that the samples arrived at the laboratory 1.5 hours ago. But entering my wife's data still gives an error saying the record was not found. And most importantly, you can't just go and ask what's wrong, because we took the test in the zone before passport control.

When boarding the flight, we were asked for test results, but, fortunately, we were able to convince the airline representative that they would appear soon (we showed them the barcodes) and that, as a last resort, we would go into quarantine.

As soon as I got on the plane, my code showed a negative test.


Upon arrival

And this is where the fun begins! As soon as we landed and connected to the local WiFi, it turned out that my wife's record was still not in the database. And at the border itself, documents were checked very carefully: the border guard took each coronavirus test certificate to a separate room to verify that it was genuine. We decided to tell our story truthfully and find out what options we had.

While we were standing in line, I decided to check how the verification page reacts to correct (my) and incorrect data.

It turned out that it sends a POST request to www.enabiz.gov.tr/PcrTestSonuc/GetPcrRaporVerifyWithKimlik with the following parameters:

barcodeNo=XX
kimlikNo=YY
kimlikTipi=2

where barcodeNo is the barcode number, kimlikNo is the passport ID, and kimlikTipi is a fixed parameter equal to 2 (when only the first two fields are filled in). No tokens were visible. The request returned 1 for correct parameters (my data) and 0 for incorrect ones.

From Postman, I tried about 40 combinations by hand (in case there was a one-character error), but nothing came of it.

At that moment we reached the border guard; he listened to our story and suggested quarantine. But we clearly did not want to sit in an apartment for 14 days, so we asked to wait a bit in the transit zone to try to sort out the problem in a couple of hours. The border guard sympathized with our situation, went to see whether we could sit in the white zone, and, with his supervisor's consent, said: “okay, just a couple of hours.”

I started looking for the phone numbers of the people who ran the coronavirus test, and in parallel decided to test a crazy hypothesis: if this system has such terrible UX, then its security is probably not good either, gov.tr domain or not.

As a result, while sitting on calls, I wrote a small script that went through every number from 0000 to 9999 in the kimlikNo field. We had the barcodeNo on the sticker, so it couldn't be wrong.

Imagine my surprise when even after 500 continuous requests I wasn't blocked, and the script kept running at 20 requests per second over the airport WiFi.
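The two things just described (a lookup endpoint protected only by 4 passport digits and no throttling on failed attempts) are exactly what a service owner should be able to spot in access logs. As an added example, not code from the post or from enabiz.gov.tr, here is a detector that flags one client producing many failed lookups against a single barcode inside a sliding window; the log line format, addresses and barcode values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log shape for this example; the real service's log format is not on the page.
LINE_RE = re.compile(r"^(\S+) (\S+) barcodeNo=(\d+) kimlikNo=(\d{4}) result=([01])$")


def parse_line(line):
    """Return (timestamp, client_ip, barcode, kimlik_no, matched) for one log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4), m.group(5) == "1"


def find_enumeration(lines, max_failures=5, window=timedelta(minutes=10)):
    """Flag (client_ip, barcode) pairs with more than max_failures failed lookups
    (result=0) inside a sliding window. A genuine user mistypes the last 4 digits
    once or twice; walking the whole 0000-9999 space produces thousands of zeros."""
    failures = defaultdict(list)  # (ip, barcode) -> timestamps of failed lookups
    alerts = {}
    for line in lines:
        ts, ip, barcode, _, matched = parse_line(line)
        if matched:
            continue
        key = (ip, barcode)
        recent = [t for t in failures[key] if ts - t <= window] + [ts]
        failures[key] = recent
        if len(recent) > max_failures:
            alerts[key] = len(recent)
    return alerts


def build_sample_log():
    """Constructed sample: one client tries 30 kimlikNo values against one barcode
    at 20 requests per second (the rate the post reports); another client makes a
    single typo and then succeeds, which must not be flagged."""
    base = datetime(2021, 7, 1, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [f"{base.strftime(fmt)} 10.0.0.5 barcodeNo=100001 kimlikNo=1234 result=1"]
    for i in range(30):
        ts = (base + timedelta(seconds=i // 20)).strftime(fmt)
        lines.append(f"{ts} 10.0.0.9 barcodeNo=100002 kimlikNo={i:04d} result=0")
    lines.append(f"{(base + timedelta(seconds=5)).strftime(fmt)} 10.0.0.7 barcodeNo=100003 kimlikNo=9988 result=0")
    lines.append(f"{(base + timedelta(seconds=20)).strftime(fmt)} 10.0.0.7 barcodeNo=100003 kimlikNo=9987 result=1")
    return lines


if __name__ == "__main__":
    for (ip, barcode), n in find_enumeration(build_sample_log()).items():
        print(f"ALERT {ip} made {n} failed lookups on barcode {barcode}")
```

The same per-barcode failure counter, enforced server-side with a lockout instead of only alerting, is the simplest fix: the 10,000-guess space stops being walkable once a handful of wrong attempts locks the barcode for a while.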

The calls did not bring much success: I was redirected from one department to another. But very soon the script returned the coveted value 6505, which was nothing like the real last 4 digits of the passport.

After downloading the document, it turned out that it was clearly not my wife's passport (Russian foreign passports don't even have such numbers), but all the other data (including first name, last name and date of birth) was correct.


The most interesting thing is that the barcodes are also not random, but run almost consecutively. So in theory I could have found the contact details of whoever got my wife's passport number and, more generally, could have steadily pulled out other people's private data.

But it was 9 am after a sleepless night, I was late for an online meeting and glad that they let us in without quarantine, so I simply began my journey around Europe.

Source: habr.com
