One Friday evening I sat at my home computer with a cup of black tea, writing an article and thinking about life. The work went on, but by that time my head was beginning to slow down noticeably. When it was already completely dark outside the window, I decided to let the article rest until tomorrow and go to sleep myself. But instead of saving everything as a draft, as I should have, my sleepy brain on autopilot for some reason published it ...
I did not realize this immediately, but only a few minutes later, when I went in one last time to refresh my profile. The feeling was as if I hadn't turned off the gas in the kitchen and everyone was about to die. I prayed that it could be returned to drafts or at least deleted. By the way, the latter, as it turned out, can no longer be done once the material has gone into general review. I later spoke about this with tech support, but I was advised to just accept the failure.
I won't keep you in suspense: the article eventually returned to the nest successfully, but some kind Samaritan had already managed to give it a plus. What is most interesting is that, even though the article was no longer on the site, the rating received for it remained in my profile.
This naturally suggested the idea of reproducing the situation on an industrial scale.
At the time I happened to have one invite, which I decided to share with a friend and at the same time test the theory. Of course, clicking on one article at a time is boring and, all the more, not fitting for a self-respecting developer. Moreover, it is not too safe, because there is a risk of simply getting caught.
We will automate.
We need to get the following methods: creating an article, publishing, voting and hiding an article in drafts.
We will not go through the authorization process, because it is complicated, with a bunch of redirects; it is enough to just pull out the cookie and pretend to be the browser.
We will use Charles for Mac as a web proxy. It is an extremely convenient thing. If you are a developer, I recommend having it in your toolkit. It also lets you listen to traffic from any device at hand, for example when you are debugging a mobile application.
Within one session, we successfully obtain all the methods we need.
As it turned out, the same request is responsible for creating, publishing and deleting articles, but with different parameters. You can create a post as a draft or publish it immediately. This is also where it is recorded whether your post is a sandbox post, a translation or a travel publication. Maybe this provides an opportunity to circumvent the requirements for publication in the sandbox, but I did not check. Most likely, the server will simply turn you away with some funny error.
Already almost celebrating a victory, I make a request to create a post:
```ruby
require 'httparty'
require 'json'

# `headers` is the request-header hash (session cookie etc.) prepared earlier.
params = {
  :id => '',
  :post_type => 'simple',
  :flow => 5,
  :hubs => [20742],
  :title => 'test1',
  :text => 'test1',
  :tags_string => 'test1'
}

response = HTTParty.post('https://habrahabr.ru/json/topic/?action=save', headers: headers, body: params)

# Take the id of the created post from the redirect path in the response
params[:id] = JSON.parse(response.body)['redirect'].split('/')[2]
```
The flow equal to 5 and the hub equal to 20742 are not random numbers: I quite deliberately selected the least popular stream, 'Miscellaneous', and the hub 'Reading Room' to reduce the chance of being caught in a scam.
Nevertheless, Habr for some reason refuses us:
{ "system_errors": [ " " ] }
Strange. After all, all parameters are correct, post_type is set and exactly matches the required one, and all fields are in place. We check the request from the proxy - it works. And from the code - an error.
As it turned out after some fun debugging, if the Referer header is missing, then any request to the API fails. Usability at its finest. And one more funny case: no matter what value is specified in the draft field, the publication will still be created as a draft.
Even if it is 0 or even gibberish.
But if the field is absent altogether, then the article is published straight into the general stream.
Well, the post is created, so now we can vote. This is also pretty simple and worked the first time:
```ruby
require 'net/http'
require 'uri'
require 'http-cookie'

# `vote_jar` (cookie jar of the voting account) and `habr_uri` are set up earlier.
vote_headers = {
  'Cookie' => HTTP::Cookie.cookie_value(vote_jar.cookies(habr_uri)),
  'User-Agent' => 'Mozilla/5.0',
  'Referer' => 'https://habrahabr.ru/top/',
  'Content-Type' => 'application/x-www-form-urlencoded',
  'Accept' => 'application/json'
}

vote_body = {
  # ti is the publication id; tt and v are the two "magic" parameters
  'ti' => params[:id],
  'tt' => 2,
  'v' => 1
}

uri = URI.parse('https://habrahabr.ru/json/vote/')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true

request = Net::HTTP::Post.new(uri.path, vote_headers)
request.body = URI.encode_www_form(vote_body)

# Send the request and print the response body
puts http.request(request).body
```
HTTParty stubbornly refused to work for the vote request, so I had to do it through net/http. The argument names are, of course, not the most self-explanatory in the API, but in general everything is clear: the publication id and two magic parameters. Elementary.
Now all together. We get our cookies through a proxy, first for one account from which we will post, and then for the second from which we will vote.
We run the requests sequentially, one after another, and everything seems fine. And then I realized that in order to change accounts I had to explicitly log out on the site. But at the same time my session still continued to work from the code. That is, no one thought to reset my cookies on the back end. Habr, it is somehow not good to do this to your users. Not secure.
We leave everything as it is and run the procedure in a loop. We loop without any delay, but on the second iteration we come across a funny error with an Easter egg:
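The server-side fix for the logout problem described above, as an added example (not code from the original post and not Habr's own): a session store in which logout deletes the session record, so a cookie copied out of the browser stops authenticating. The class name, the token format and the 30-minute idle timeout are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical server-side session store (illustration only).
class SessionStore
  IDLE_TTL = 1800 # seconds; assumed idle timeout

  def initialize
    # Keyed by SHA-256 of the token, so a leaked store does not yield cookies.
    @sessions = {} # digest => { user:, last_seen: }
  end

  # Issue a fresh random token for every login.
  def login(user, now: Time.now)
    token = SecureRandom.hex(32)
    @sessions[digest(token)] = { user: user, last_seen: now }
    token
  end

  # Returns the user name, or nil if the token is unknown, revoked or idle.
  def authenticate(token, now: Time.now)
    key = digest(token.to_s)
    session = @sessions[key]
    return nil unless session
    if now - session[:last_seen] > IDLE_TTL
      @sessions.delete(key)
      return nil
    end
    session[:last_seen] = now
    session[:user]
  end

  # Logout removes the record itself; clearing the browser cookie is not enough.
  # Returns true if a live session was revoked.
  def logout(token)
    !@sessions.delete(digest(token.to_s)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Other sessions of the same user stay valid; only the token that was logged out is revoked.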
{ "system_errors": [ " !" ] }
Those who are older will remember that there used to be a program called “Understand me”, where children explained words to each other in a chain. And if two of them did it the same way, the presenter would say: “Repeat on such and such a player!”. Link to the recording of the game. It seems to me that it says a lot about the age of those who developed Habr.
We gradually increase the delay and find out by trial and error that the timeout for creating posts is 30 seconds. We run the loop and go to drink our favorite ketchup tea.
Let's not get greedy; we stop at 30 points, having exhausted all of Habr's drafts:
122nd place, not bad. Only a little remains to the top hundred. And here are the test posts themselves:
As you can see, there is no mention of your activity on the site, and no one has seen the posts except yourself, but the rating is still there.
In this uncomplicated way, you can quietly inflate a friend's rating.
Perhaps Habr should put a limit of a few publications per day so that this feature is not abused. And I would still do a session reset at logout.
Thanks for your attention.
P.S. Please do not ban me. Ban sp1nfox instead; it was his rating that was inflated.
UPD: The ban was avoided, and the hole was patched by introducing a limit on the number of posts per day. Thanks to the Habr team and Boomburum for their efficiency!
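One way to close the loop described in this article, as an added example (not from the original post and not Habr's code): rating is derived only from votes on posts that are currently published, and publishing is capped per author per day. The class and method names are hypothetical; the limit of 3 is the value Habr reports in the update to this post.

```ruby
# Hypothetical rating ledger (illustration only).
class RatingLedger
  DAILY_PUBLISH_LIMIT = 3 # value stated in the post's UPD2
  DAY = 86_400

  class LimitExceeded < StandardError; end

  def initialize
    @posts = {}                                 # post_id => { author:, published: }
    @votes = Hash.new { |h, k| h[k] = {} }      # post_id => { voter => +1 / -1 }
    @publishes = Hash.new { |h, k| h[k] = [] }  # author => [Time, ...]
  end

  # Every publish (including re-publishing a draft) counts toward the limit.
  def publish(author, post_id, now: Time.now)
    recent = @publishes[author].select { |t| now - t < DAY }
    if recent.size >= DAILY_PUBLISH_LIMIT
      raise LimitExceeded, "#{author} already published #{recent.size} posts today"
    end
    @publishes[author] = recent << now
    @posts[post_id] = { author: author, published: true }
  end

  def unpublish(post_id)
    @posts.fetch(post_id)[:published] = false
  end

  # Votes are accepted only on published posts, never from the author,
  # and a voter holds at most one vote per post.
  def vote(voter, post_id, value)
    post = @posts.fetch(post_id)
    return false unless post[:published] && post[:author] != voter
    @votes[post_id][voter] = value
    true
  end

  # Rating is computed on demand, so hiding a post takes its votes with it.
  def rating(author)
    @posts.sum do |id, post|
      next 0 unless post[:author] == author && post[:published]
      @votes[id].values.sum
    end
  end
end
```

With this model, moving a post back to drafts removes the points it earned, and the publish, vote, hide cycle yields nothing.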
UPD2: Limit 3 posts per day.
Source: https://habr.com/ru/post/332296/