256 Kilobytes

Client-Side Input Validation Exploit in KK-Star Ratings Plugin

Articles in Unintended Behavior and Exploits | By August R. Garcia

Published Sun, 14 Apr 2019 11:59:00 -0700 | Last update Mon, 15 Apr 2019 13:36:23 -0700


The KK-Star Ratings plugin is one of the easiest ways to implement structured data to show star ratings next to posts, which I’ve used on WordPress sites in the past.

The KK-Star Ratings plugin is also a classic example of relying on client-side input validation. Interestingly, despite the plugin having 123 ratings and 80,000+ active installations, and this bug being fairly basic, there seems to be no mention of it elsewhere on the Internet.

Plugin Behavior

The KK-Star Ratings plugin allows users to rate a post from one to five stars. By default, a user can submit as many ratings as they would like (which seems like a strange default setting).

Through the plugin’s settings page, users can enable an option to “restrict votings per unique ip,” which does exactly what you would think. However, it does this from the client side: the UI to submit a new rating is disabled, but if the user can find a way to submit another rating to the server, it will be counted despite the unique-IP requirement being enabled.

The Client-Side Input Validation Bug/Exploit

The easiest way to replicate this bug is as follows:

  • Open the same page that includes the KK-Star Ratings plugin in two browser tabs;
  • Rate the page in the first tab;
  • Rate the page in the second tab;
  • Refresh either tab and verify that both ratings went through.

What is Client-Side Input Validation?

When users browse websites, they send requests from their computer (the client) to the server.

Consider HTML forms, which are used to prompt users to fill out data so that it can then be sent to the server in a specific format that the server will understand. In general, if a user does not have the required permissions to fill out a form, webmasters will set up their site so that the user won’t see that form at all, or at least won’t be able to fill it out.

However, HTML forms in a user’s webpage are, in theory, unnecessary: if the user knew the exact format the data needed to be in, they could send it directly to the server rather than fill out the form. This also means that users can send any arbitrary data to the server. For security reasons, the server should validate these requests itself to ensure that the data is formatted correctly and the user is not breaking any rules, such as sending multiple ratings from the same IP address.

Hiding forms, or otherwise validating user input only on the client’s side without also validating it on the server, opens the door to many exploits. In this case, it allows any number of ratings to be sent to the server, which ignores the client-side suggestion to only accept one rating per IP address.
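As an added example (not code from the plugin or from this article), here is the rating flow written two ways in Python: one handler that trusts a client-reported "voting still allowed" flag, which is what a client-side-only check amounts to, and one that keeps its own record of voters on the server. The request and store classes, the post id and the IP address are constructed for the example; `two_tab_scenario` replays the two-tab test from the previous section against each handler.

```python
from dataclasses import dataclass, field


@dataclass
class RatingRequest:
    post_id: int
    stars: int
    client_ip: str
    # The browser's view of whether voting is still allowed. In the two-tab test
    # both tabs loaded before either vote, so both send True; never trust it.
    ui_allowed_vote: bool = True


@dataclass
class RatingStore:
    ratings: dict = field(default_factory=dict)  # post_id -> accepted star values
    voters: set = field(default_factory=set)     # (post_id, ip) pairs already counted


def submit_client_validated(store, req):
    """Vulnerable pattern: the only per-IP restriction is whatever the client
    reports, so every request that reaches the server is counted."""
    if not 1 <= req.stars <= 5 or not req.ui_allowed_vote:
        return False
    store.ratings.setdefault(req.post_id, []).append(req.stars)
    return True


def submit_server_validated(store, req):
    """Hardened pattern: the server records which IP rated which post and
    rejects repeats no matter what the client claims."""
    if not 1 <= req.stars <= 5:
        return False
    key = (req.post_id, req.client_ip)
    if key in store.voters:
        return False  # this IP already rated this post
    store.voters.add(key)
    store.ratings.setdefault(req.post_id, []).append(req.stars)
    return True


def two_tab_scenario(handler):
    """Replay the article's test: two tabs, one IP, two votes on post 42
    (constructed values; 198.51.100.7 is a documentation-range address).
    Returns (accepted rating count, resulting average)."""
    store = RatingStore()
    handler(store, RatingRequest(42, 5, "198.51.100.7"))
    handler(store, RatingRequest(42, 1, "198.51.100.7"))
    got = store.ratings.get(42, [])
    return len(got), (sum(got) / len(got) if got else 0.0)
```

With the client-validated handler both votes count and the average drops to 3.0; with the server-validated handler the second vote is rejected and the average stays at 5.0.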

Implications: Should This Bug be Fixed?

In theory, this should probably be fixed. In theory, everything should be fixed. As far as client-side input validation bugs go, this is a relatively low-stakes issue.
