Using JavaScript to Bypass Scalpers

Nathan Rutherford - 27 Feb 2021

If you are anything like me and enjoy the occasional flight simulator like space truck simulator, then you may have heard of the VKB series of FlightSim products. They have a reputation in the community for producing high-quality and aesthetically pleasing flightsticks, which makes them a widely sought-after peripheral. The result is a supply that cannot keep up with ever-increasing demand, often leaving these peripherals out of stock with players waiting patiently for the restock notification. Of course, this creates the ideal conditions for scalpers to swoop in with their bots and buy out the entire stock of these devices, hoping to sell them at a hefty premium.

Such was the case on the 24th of February 2021, when the long-awaited restock notification arrived. Quite predictably, many rushed to place an order for one of the VKB NXT sticks; however, the scalpers already had their bots in operation. This influx of visitors led to a Denial of Service for everyone on the site, with many suspecting the source to be a large number of scalper bots.

502 Error on VKB European Store

The error returned is 502, which typically means that the server is running out of memory due to having to handle a large number of active connections. If I continually try to connect to the server (via refreshing), eventually I should be able to start a connection and open the page.

Slowly connecting to the VKB European Store Server (white line on left of image)

After loading the page and selecting the product, I was able to add the product to my local cart by clicking the button.

Product Page eventually loads and we can add our stick to basket

Again I was greeted by a 502 error, which required me to continuously refresh as before.

Stick added to my local cart on the site, and can now move to checkout

Eventually the product was added to my cart and I wanted to proceed to the checkout.

Local cart eventually loads

Once I was happy with what I had in the cart, it was time to checkout and pay. This was again a very slow process.

Continue to payment

Eventually I saw the final checkout window with my billing information. All that was left for me to do was confirm and pay. However, due to server latency at the time, elements of the page were stuck in a loading loop and I was unable to click on the final button to submit my order.

T&C unchecked

However, all is not lost just yet. As this page was loaded locally, it was possible to complete the final form using JavaScript and the browser developer tools. When looking through the HTML source code for this page, I noticed the checkbox has the attribute name="terms", which can be used to identify it.

HTML extract for the page with checkbox highlight in blue

The two lines of JavaScript entered into the console for agreeing to the T&Cs are shown below.

// find the T&C checkbox on the page using its name attribute
const tc = document.getElementsByName('terms');
// use JavaScript to tick the required checkbox
tc[0].checked = true;

Checking the button using JavaScript

T&C checked and ready to submit

After I accepted the T&Cs, I was finally able to place the order, even in the presence of the scalper bots. As before, I needed to identify the value of the name property for the submission button so I could use JavaScript to click the button for me.

Finding the required information for collecting the submit button

The HTML for the submission form showed the attribute name="woocommerce_checkout_place_order", similar to the T&Cs box seen previously. Therefore, the JavaScript code that can be used to submit the order is:

// find the submit button on the page using its name attribute
const buy = document.getElementsByName('woocommerce_checkout_place_order');
// 'click' on the button to submit the order
buy[0].click();

What it looks like in the inspector

Clicking the submit button using JS

A few minutes after successful submission, I received my order confirmation email!

SUCCESS - order confirmation!

Despite the attempts by scalping bots to purchase all of the stock, with a little bit of patience and JavaScript, I was able to place an order when my local webpage was not cooperating. While this may not work in all instances, hopefully it gives you a little inspiration for your tool-kit the next time demand is greater than supply.
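
The two console snippets above, combined into one guarded helper that also covers cases the post does not hit: elements that have not rendered yet, a disabled submit button, and the fact that assigning .checked from script fires no change event. This is an added example, not code from the original post; completeCheckout and fakeCheckoutPage are hypothetical names, and only the two name attributes come from the page.

```javascript
// Added example, not the post's code. In the browser console: completeCheckout(document)
function completeCheckout(doc, termsName = 'terms',
                          submitName = 'woocommerce_checkout_place_order') {
  const terms = doc.getElementsByName(termsName)[0];
  const submit = doc.getElementsByName(submitName)[0];
  // Bail out before changing anything if the page has not rendered either element.
  if (!terms) return { ok: false, reason: 'terms checkbox not found' };
  if (!submit) return { ok: false, reason: 'submit button not found' };

  if (!terms.checked) {
    terms.checked = true;
    // Assigning .checked from script fires no event, so page scripts that
    // listen for "change" (e.g. to enable the button) must be notified by hand.
    if (typeof Event === 'function' && typeof terms.dispatchEvent === 'function') {
      terms.dispatchEvent(new Event('change', { bubbles: true }));
    }
  }
  // click() on a disabled button is silently ignored, so report it instead.
  if (submit.disabled) return { ok: false, reason: 'submit button is disabled' };
  submit.click();
  return { ok: true, reason: 'click sent' };
}

// Constructed stand-in for the checkout page (hypothetical helper) so the
// function can be exercised outside a browser.
function fakeCheckoutPage({ hasSubmit = true, disabled = false } = {}) {
  const page = { clicks: 0, changes: 0, elements: {} };
  page.elements.terms = [{
    checked: false,
    dispatchEvent(event) { if (event.type === 'change') page.changes += 1; return true; },
  }];
  if (hasSubmit) {
    page.elements.woocommerce_checkout_place_order =
      [{ disabled, click() { page.clicks += 1; } }];
  }
  page.getElementsByName = (name) => page.elements[name] || [];
  return page;
}
```

Whatever the browser sends, the terms value still arrives at the server as an ordinary form field, so the shop has to check it there rather than rely on the page's widgets.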