Student can brute force classic quiz access code

Issue Documented: 2025-09-26
Canvas

This issue was declined by the product team. Please see the Additional Info section for resolution information.

Description

When a student attempts to take a classic quiz with an access code, the student is able to enter an unlimited number of incorrect access codes. This allows curious students in programming classes to brute force the access code.

Expected Behavior

Explore ways to prevent unlimited access code submissions.

Workaround

No workaround exists at this time.

Steps to Reproduce

  • Create a classic quiz with an access code that is an integer (the customer’s example is four numbers).

  • As a student, take the quiz.

  • On the screen with the access code input field, open dev tools.

  • Enter anything, and click submit.

  • Copy request as cURL.

  • Convert the cURL to Python (or any other language) using Postman.

  • Add the code to a loop, add an f-string for the access_code, set a range, and add a condition that checks the response (e.g. if "This quiz is restricted by an access code" not in response.text:).

  • Run the script.

  • Note that it eventually returns the correct access code.

Additional Info

QO-1282

Classic Quizzes is in maintenance mode. Significant updates are not planned as the product is being phased out.

Recommended Way Forward

For all high-stakes assessments, we recommend the following strategies:

Migrate to New Quizzes – New Quizzes includes modern protections, such as built-in throttling, to help prevent unauthorized access attempts.

Use Proctoring Tools – For maximum security, high-stakes exams should use external proctoring tools or a LockDown Browser. These tools help ensure students cannot access the system in ways that could compromise the exam.

Alternative for Low-Stakes Exams – For lower-stakes assessments, using longer, more complex access codes (alphanumeric rather than short numbers) can make unauthorized attempts much more difficult.
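
To put numbers on the low-stakes recommendation above, the following added example (not Canvas code and not part of the original known-issue document) generates a random alphanumeric access code and compares its guess space with that of a four-digit code. The function names, the sample code "4821" and the rate of 10 requests per second are assumptions made for illustration, not measured Canvas values.

```python
import secrets
import string

# Letters and digits minus look-alikes (0/O, 1/l/I) so codes can be read aloud in class.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def generate_access_code(length=12):
    """Return a random access code drawn from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace(code):
    """Number of candidate codes, assuming the guesser knows this code's
    length and which character classes it uses (an estimate, not an exact count)."""
    pool = 0
    if any(c.isdigit() for c in code):
        pool += 10
    if any(c.islower() for c in code):
        pool += 26
    if any(c.isupper() for c in code):
        pool += 26
    if any(not c.isalnum() for c in code):
        pool += 32  # printable ASCII punctuation
    return pool ** len(code)


def hours_to_exhaust(code, guesses_per_second):
    """Worst-case hours to submit every candidate at a sustained request rate."""
    return keyspace(code) / guesses_per_second / 3600


if __name__ == "__main__":
    RATE = 10  # assumed requests per second, for comparison only
    samples = [("four digits (constructed)", "4821"),
               ("generated alphanumeric", generate_access_code())]
    for label, code in samples:
        print(f"{label:28} keyspace={keyspace(code):.2e} "
              f"worst case={hours_to_exhaust(code, RATE):.2e} hours")
```

With no limit on attempts, code length and character set are the only things that bound the search, so the four-digit case falls well under an hour at the assumed rate while the generated code does not.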


Known issues indicate notable behaviors that have been escalated to the Canvas engineering team. Known issues are not a guarantee for an immediate resolution. This document is for informational purposes only and does not replace the Support process. If you are encountering the behavior outlined in this document, please ensure you have submitted a Support case (per your institution's escalation process) so Canvas Support can adequately gauge the overall customer impact and prioritize appropriately.
