Client-Side Input Validation Exploit in KK-Star Ratings Plugin

The KK-Star Ratings plugin is one of the easiest ways to implement structured data to show star ratings next to posts, which I’ve used on WordPress sites in the past.

The KK-Star Ratings plugin is also a classic example of client-side input validation being used. Interestingly, despite having 123 ratings and 80,000+ active installations , and this bug being fairly basic, there seems to be no mention of this elsewhere on the Internet.

Plugin Behavior

The KK-Star Ratings plugin allows for users to rate a post from one to five stars. By default, a user can submit as many ratings as they would like (which seems like a strange default setting)  .

Through the plugin’s setting page, users can enable an option to “restrict votings per unique ip,” which does exactly what you would think. However, it does this from the client side. The UI to submit a new rating is disabled. However, if the user can find a way to submitting another rating to the server, it will be counted despite the unique IP address requirement being enabled.

The Client-Side Input Validation Bug/Exploit

The easiest way to replicate this bug is as follows:

• Open multiple instances of a page that includes an instance of the KK-Star Ratings plugin that:
  • You have not already rated; and
  • That is on a site that has the “restrict votings per unique IP” setting enabled.
  • Here’s an example of a page that meets both of those criteria on some website found through this trick .
• Rate the page in the first tab;
• Rate the page in the second tab
• Refresh either of the pages and you can verify that both ratings went through.

What is Client-Side Input Validation?

When users browse websites, they send requests from their computer (the client) to the server.

Consider HTML forms, which are used to prompt users to fill out data so that it can then be sent to the server in a specific format that the server will understand.  In general, if a user does not have the required permissions to fill out a form, webmasters will set up their site so that the user won’t see that form at all--or at least won’t be able to fill it out.

However, HTML forms in a user’s webpage are, in theory, unnecessary. If the user happened to know the exact format that data needed to be in to send it to the server. If that were the case, users could send it directly to the server rather than fill out the form. This also means that users can send any arbitrary data to the server. For security reasons, the server should validate these requests to ensure that any data is formatted correctly and the user is not breaking any rules, such as sending multiple requests from the same IP.

Hiding forms or otherwise validating user input only on the client’s side without also adding validation on the server’s end allows for many exploits to come up. In this case, this allows many ratings to be sent to the server, ignoring the client-side requirement suggestion to only submit one rating per IP address.

Implications: Should This Bug be Fixed?

In theory, this should probably be fixed. In theory, everything should be fixed. As far as client-side input validation bugs go, this is a relatively low-stakes issue.