Client-Side Input Validation Exploit in KK-Star Ratings Plugin
Published 5 days ago | Last update 4 days ago
1,845 view, 0 RAMs, and 0 comments
The KK-Star Ratings plugin is also a classic example of client-side input validation being used. Interestingly, despite having 123 ratings and 80,000+ active installations, and this bug being fairly basic, there seems to be no mention of this elsewhere on the Internet.
The KK-Star Ratings plugin allows for users to rate a post from one to five stars. By default, a user can submit as many ratings as they would like (which seems like a strange default setting).
Through the plugin’s setting page, users can enable an option to “restrict votings per unique ip,” which does exactly what you would think. However, it does this from the client side. The UI to submit a new rating is disabled. However, if the user can find a way to submitting another rating to the server, it will be counted despite the unique IP address requirement being enabled.
The Client-Side Input Validation Bug/Exploit
The easiest way to replicate this bug is as follows:
- Open multiple instances of a page that includes an instance of the KK-Star Ratings plugin that:
- You have not already rated; and
- That is on a site that has the “restrict votings per unique IP” setting enabled.
- Here’s an example of a page that meets both of those criteria on some website found through this trick.
- Rate the page in the first tab;
- Rate the page in the second tab
- Refresh either of the pages and you can verify that both ratings went through.
What is Client-Side Input Validation?
When users browse websites, they send requests from their computer (the client) to the server.
Consider HTML forms, which are used to prompt users to fill out data so that it can then be sent to the server in a specific format that the server will understand. In general, if a user does not have the required permissions to fill out a form, webmasters will set up their site so that the user won’t see that form at all--or at least won’t be able to fill it out.
However, HTML forms in a user’s webpage are, in theory, unnecessary. If the user happened to know the exact format that data needed to be in to send it to the server. If that were the case, users could send it directly to the server rather than fill out the form. This also means that users can send any arbitrary data to the server. For security reasons, the server should validate these requests to ensure that any data is formatted correctly and the user is not breaking any rules, such as sending multiple requests from the same IP.
Hiding forms or otherwise validating user input only on the client’s side without also adding validation on the server’s end allows for many exploits to come up. In this case, this allows many ratings to be sent to the server, ignoring the client-side
requirement suggestion to only submit one rating per IP address.
Implications: Should This Bug be Fixed?
In theory, this should probably be fixed. In theory, everything should be fixed. As far as client-side input validation bugs go, this is a relatively low-stakes issue.
August Garcia is some guy who used to sell Viagra on the Internet. He made this website to LARP as a sysadmin while posting about garbage like user-agent spoofing, spintax, the only good keyboard, virtual assitants from Pakistan, links with the rel="nofollow" attribute, proxies, regular expressions, HTML and CSS, sin, the developer console, and probably some other trash.
Account created 4 months ago.
104 posts, 620 comments, and 116 RAMs.
6 hours ago:
Commented in thread Best Subreddits about SEO?
Post a New Comment
Do you like having a good time?
Read Quality Articles
Read some quality articles. If you can manage to not get banned for like five minutes, you can even post your own articles.
Argue with People on the Internet
Use your account to explain why people are wrong on the Internet forum.
Vandalize the Wiki
Or don't. I'm not your dad.
Ask and/or Answer Questions
If someone asks a terrible question, post a LMGTFY link.
Make Some Money
Hire freelancers and/or advertise your goods and/or services. Hire people directly. We're not a middleman or your dad. Manage your own business transactions.