I came across a site where the guy out there sells some php scripts. He has a demo page for a $6 rating system. I was wondering, with all the good design of the site, how secure his script is.
First of all, I am writing about form spoofing and using this guy's script as an example only after I informed him about the security hole in his product and saw that he had corrected the problem. I didn't even receive a thank you from him :-(
Anyway, look at the demo page (before I do anything):

Pay attention to the number of votes and the stars for each car. I saved this page on my local computer as an HTML page, opened it in my text editor and modified it. I'll take only one car as an example because I did the same thing with the other cars. The goal is to make each car's rating come out at 5 stars with just one click each.
Here is the HTML code for a car-rating form before modification (I stripped all HTML tags like tables, fonts, etc. for readability):
<form method=post>
Rating: <img src="./25star.gif" alt="Average rating: 2.9361702127662"> After 517 Votes
<input type=radio name=note value=5>Excellent
<input type=radio name=note value=4>Very Good
<input type=radio name=note value=3>Good
<input type=radio name=note value=2>Fine
<input type=radio name=note value=1>Bad
<input type=hidden name=envoi value=1>
<input type=hidden name=mpo value=2>
<input type=submit value=Rate>
</form>
First, take a look at the form tag. There is no action attribute, which means the form is submitted to the same URL. I copied the URL from the browser and added an action attribute to the form tag.
Second, look at the rating average. I want to push it above 5 to get my five stars, so I changed the value of the first input tag from 5 to 5000. Now the "Excellent" choice has a value of 5000.
Here is the result:
<form method=post
action="http://searchall.iwebland.com/dt/demo_page.php">
Rating: <img src="./25star.gif" alt="Average rating: 2.9361702127662"> After 517 Votes
<input type=radio name=note value=5000>Excellent
<input type=radio name=note value=4>Very Good
<input type=radio name=note value=3>Good
<input type=radio name=note value=2>Fine
<input type=radio name=note value=1>Bad
<input type=hidden name=envoi value=1>
<input type=hidden name=mpo value=2>
<input type=submit value=Rate>
</form>
I did the same thing for the other cars, saved my page and opened it in my browser. For each car I chose the "Excellent" radio button and clicked "Rate".
Here is the result:

All cars get 5 stars with one click. Look at the number of votes (+1).
Conclusion:
In this example the author assumes that the value of the chosen option is between 1 and 5 and never considered that a user can change it before submitting the form.
NEVER, NEVER trust user input. Filter everything you get from the user: form fields, cookies, request headers, etc.
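To make the point concrete, here is an added example (my own Python, not the PHP script the post discusses) of the vote handler as the post describes it next to a hardened version. It assumes the form field is called "note" as on the demo page and uses the demo's figures (average 2.936 after 517 votes) as constructed input.

```python
# Values the rating form actually offers. The check is a whitelist of the
# exact submitted strings, so "5000", "05", "5.0", "-1" and "" are all rejected.
ALLOWED_NOTES = {"1", "2", "3", "4", "5"}

def parse_note(form):
    """Return the vote as an int in 1..5, or None if the field is missing/tampered."""
    raw = form.get("note")
    if not isinstance(raw, str):
        return None
    raw = raw.strip()
    return int(raw) if raw in ALLOWED_NOTES else None

def updated_average(avg, count, note):
    """Running average after adding one more vote."""
    return (avg * count + note) / (count + 1)

def handle_vote_unvalidated(state, form):
    """The pattern in the post: whatever arrives in 'note' is added to the average."""
    note = int(form["note"])
    state["avg"] = updated_average(state["avg"], state["votes"], note)
    state["votes"] += 1
    return state

def handle_vote_validated(state, form):
    """Hardened handler: out-of-range votes are dropped and not counted."""
    note = parse_note(form)
    if note is None:
        return state, "rejected"          # log this: it only happens with a modified form
    state["avg"] = updated_average(state["avg"], state["votes"], note)
    state["votes"] += 1
    return state, "accepted"

def stars(avg):
    """Star count for display, clamped so a bad average can never show >5 stars."""
    return max(1, min(5, round(avg)))

if __name__ == "__main__":
    # Constructed sample: the demo page's car before the spoofed submission.
    demo = {"avg": 2.9361702127662, "votes": 517}
    spoofed = {"note": "5000"}             # the modified radio button from the post
    bad = handle_vote_unvalidated(dict(demo), spoofed)
    print("unvalidated:", round(bad["avg"], 2), "->", stars(bad["avg"]), "stars")
    good, status = handle_vote_validated(dict(demo), spoofed)
    print("validated:", status, round(good["avg"], 2), "after", good["votes"], "votes")
```

The unvalidated handler lets a single request push the average to about 12.6, which is why the display shows five stars after one click; the validated one leaves both the average and the vote count untouched.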
16 Jan 2006 15:27:49
Good hint boss, thx :)
23 Nov 2006 05:54:29
Nice catch. Too bad this is so widespread.
21 Nov 2007 13:00:57
Another good option, which I have been using for a long time, is to use the URL Parameters toolbar for Firefox. You can have more fun ;)