256 Kilobytes

Client-Side Input Validation Exploit in KK-Star Ratings Plugin

Articles in Unintended Behavior and Exploits | By August R. Garcia


The KK-Star Ratings plugin is one of the easiest ways to implement structured data to show star ratings next to posts, which I’ve used on WordPress sites in the past.

The KK-Star Ratings plugin is also a classic example of client-side-only input validation. Interestingly, despite the plugin having 123 ratings and 80,000+ active installations, and this bug being fairly basic, there seems to be no mention of it anywhere else on the Internet.

Plugin Behavior

The KK-Star Ratings plugin allows users to rate a post from one to five stars. By default, a user can submit as many ratings as they like (which seems like a strange default setting).

Through the plugin’s settings page, an option to “restrict votings per unique ip” can be enabled, which does exactly what you would think. However, it does this from the client side only: the UI to submit a new rating is disabled, but if the user can find a way to submit another rating to the server, it will be counted despite the unique IP address requirement being enabled.

The Client-Side Input Validation Bug/Exploit

The easiest way to replicate this bug is as follows:

  • Open the same page, one that includes the KK-Star Ratings widget, in multiple browser tabs;
  • Rate the page in the first tab;
  • Rate the page in the second tab;
  • Refresh either of the tabs and verify that both ratings went through.
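A server-side way to confirm what the steps above produce, added here as an example and not part of the original article or of the plugin: the script below counts accepted rating submissions per (client IP, post) in a few constructed access-log lines and reports any pair that submitted more than once, which is exactly what the two-tab reproduction looks like from the server's side. The request path (/wp-admin/admin-ajax.php), the action=rate value and the post parameter are placeholders, not the plugin's real endpoint.

```python
"""Spotting repeat rating submissions in a web-server access log.

Added example, not part of the original article or of the plugin: it counts
accepted rating POSTs per (client IP, post) in a few constructed access-log
lines and reports any pair that submitted more than once. The request path,
the "action=rate" value and the "post" parameter are placeholders, not the
plugin's real endpoint.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format. The third line is the same
# client rating the same post a second time (the "second tab").
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2019:11:52:03 -0700] "POST /wp-admin/admin-ajax.php?action=rate&post=42 HTTP/1.1" 200 19
198.51.100.9 - - [14/Apr/2019:11:52:41 -0700] "POST /wp-admin/admin-ajax.php?action=rate&post=42 HTTP/1.1" 200 19
203.0.113.7 - - [14/Apr/2019:11:53:10 -0700] "POST /wp-admin/admin-ajax.php?action=rate&post=42 HTTP/1.1" 200 19
203.0.113.7 - - [14/Apr/2019:11:53:15 -0700] "GET /some-post/ HTTP/1.1" 200 5120
203.0.113.7 - - [14/Apr/2019:11:54:02 -0700] "POST /wp-admin/admin-ajax.php?action=rate&post=7 HTTP/1.1" 200 19
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_rating_requests(log_text, endpoint="/wp-admin/admin-ajax.php", action="rate"):
    """Return (ip, post_id) for every rating POST the server answered with 200."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST" or m.group("status") != "200":
            continue  # not a submission the server accepted
        url = urlsplit(m.group("path"))
        query = parse_qs(url.query)
        if url.path != endpoint or query.get("action") != [action]:
            continue  # some other AJAX action or an ordinary page
        post = query.get("post", [None])[0]
        if post is None or not post.isdigit():
            continue  # malformed request with no usable post id
        events.append((m.group("ip"), int(post)))
    return events


def repeat_raters(log_text, limit=1):
    """Map (ip, post_id) -> count for every pair that exceeded the per-IP limit."""
    counts = Counter(parse_rating_requests(log_text))
    return {pair: n for pair, n in counts.items() if n > limit}


if __name__ == "__main__":
    for (ip, post_id), n in sorted(repeat_raters(SAMPLE_LOG).items()):
        print(f"{ip} rated post {post_id} {n} times")
```

One caveat when running this against a real log: it only works if the logged address is the visitor's. Behind a reverse proxy or CDN the server sees the proxy's address unless it is configured to record the forwarded client address, and in that case every visitor would collapse into a single apparent repeat rater.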

What is Client-Side Input Validation?

When users browse websites, they send requests from their computer (the client) to the server.

Consider HTML forms, which prompt users to fill out data so that it can be sent to the server in a specific format that the server will understand. In general, if a user does not have the required permissions to fill out a form, webmasters will set up their site so that the user won’t see that form at all, or at least won’t be able to fill it out.

However, HTML forms in a user’s webpage are, in theory, unnecessary: if the user happened to know the exact format the data needed to be in, they could send it directly to the server rather than filling out the form. This also means that users can send any arbitrary data to the server. For security reasons, the server should validate these requests to ensure that the data is formatted correctly and that the user is not breaking any rules, such as sending multiple requests from the same IP.

Hiding forms or otherwise validating user input only on the client’s side, without also adding validation on the server’s end, allows many exploits to come up. In this case, it allows many ratings to be sent to the server, ignoring the client-side requirement (really only a suggestion) to submit one rating per IP address.
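To make the distinction concrete, here is an added example that is not code from the KK-Star Ratings plugin: two small in-memory rating stores with the same submit() interface. The first models the design described above (the browser hides the rating widget after one vote, but the server records every submission it reaches), and the second keeps its own record of which client address has rated which post and refuses repeats regardless of what the client sends. The class and function names, the post id and the IP addresses are all assumptions made for the example.

```python
"""Client-side-only versus server-side enforcement of a one-rating-per-IP rule.

Added example, not code from the KK-Star Ratings plugin. Names, the post id
and the IP addresses are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rating:
    post_id: int
    stars: int
    ip: str


def valid_stars(stars):
    """True for an integer 1..5; bool is rejected because it is an int subclass."""
    return isinstance(stars, int) and not isinstance(stars, bool) and 1 <= stars <= 5


class ClientOnlyRatingStore:
    """The flawed design: the 'one vote per IP' rule lives only in the browser UI."""

    def __init__(self):
        self.ratings = []

    def submit(self, post_id, stars, ip):
        # The server checks the value range but nothing about who is sending it,
        # so a second request from the same address is simply counted again.
        if not valid_stars(stars):
            return False, "stars must be an integer from 1 to 5"
        self.ratings.append(Rating(post_id, stars, ip))
        return True, "recorded"


class ServerValidatedRatingStore(ClientOnlyRatingStore):
    """Hardened design: the server keeps the per-IP state and enforces the rule."""

    def __init__(self, restrict_per_ip=True):
        super().__init__()
        self.restrict_per_ip = restrict_per_ip
        self._seen = set()  # (post_id, ip) pairs that have already rated

    def submit(self, post_id, stars, ip):
        if not valid_stars(stars):
            return False, "stars must be an integer from 1 to 5"
        key = (post_id, ip)
        if self.restrict_per_ip and key in self._seen:
            # Whether the widget was re-enabled, a second tab was used or the
            # request was built by hand makes no difference to the server.
            return False, "this address has already rated this post"
        self._seen.add(key)
        self.ratings.append(Rating(post_id, stars, ip))
        return True, "recorded"


def average_stars(store, post_id):
    """Displayed rating for a post, or None when nobody has rated it."""
    stars = [r.stars for r in store.ratings if r.post_id == post_id]
    return round(sum(stars) / len(stars), 2) if stars else None


def replay_two_tab_scenario(store, post_id=42):
    """Replays the article's reproduction: one visitor rates once from one
    address, then a second visitor rates the same post twice (the 'two tabs')
    from another address. Returns (accepted flags, rating count, average)."""
    first_visitor = store.submit(post_id, 1, "198.51.100.9")
    tab_one = store.submit(post_id, 5, "203.0.113.7")
    tab_two = store.submit(post_id, 5, "203.0.113.7")
    accepted = (first_visitor[0], tab_one[0], tab_two[0])
    return accepted, len(store.ratings), average_stars(store, post_id)


if __name__ == "__main__":
    print("client-only :", replay_two_tab_scenario(ClientOnlyRatingStore()))
    print("server-side :", replay_two_tab_scenario(ServerValidatedRatingStore()))
```

With the client-only store the second tab's vote lands and the displayed average moves from 3.0 to 3.67; with the server-validated store it is refused and the average stays at 3.0. Two things to keep in mind when applying this to a real WordPress install: the address the server sees (PHP's $_SERVER['REMOTE_ADDR']) is the proxy's address when the site sits behind a reverse proxy or CDN unless that is accounted for, and an IP-based limit is a coarse control that also blocks the second person rating from behind the same NAT, so it should be treated as one layer rather than a guarantee of one vote per person.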

Implications: Should This Bug be Fixed?

In theory, this should probably be fixed. In theory, everything should be fixed. As far as client-side input validation bugs go, this is a relatively low-stakes issue.


Edit History

• [2019-04-14 11:59 PDT] August R. Garcia

Posted at 14 April, 2019 11:59 AM PDT

August R. Garcia, Site Owner, Portland, OR

August Garcia is some guy who used to sell Viagra on the Internet. He made this website to LARP as a sysadmin while posting about garbage like user-agent spoofing, spintax, the only good keyboard, virtual assistants from Pakistan, links with the rel="nofollow" attribute, proxies, sin, the developer console, literally every link building method, and other junk.

Available at arg@256kilobytes.com, via Twitter, or arg.256kilobytes.com. Open to business inquiries based on availability.
