💾 Archived View for alexey.shpakovsky.ru › gemlog › fixing-csrf-in-polls.gmi captured on 2022-07-16 at 13:35:37. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-06-11)
-=-=-=-=-=-=-
Thanks to whoever anonymously posted a direct link to vote for one of options in one of my polls to geddit, and to @lykso for sending that link to me and suggesting protecting the vote links with CSRF tokens. Their post on the subject:
For those who doesn't know it: CSRF stands for Cross-Site Request Forgery and is exactly what's happening here: my site (capsule) expects that only those tho have red the poll page will click the vote links, but apparently anyone else can post these links on their websites (or on geddit), with their own explanation of why you should click the link. To protect against it, CSRF tokens are used.
Someone else can probably explain it better, but basically CSRF tokens are small random pieces of data which are generated for every visitor of this page (or any page with a poll) and appended to vote links. When you click a vote link - the voting server receives the token and checks it. This aims to ensure that only someone who really visited a page with a poll can vote in it.
Note that I don't want to enforce using client certificates for voting for two reasons. First, my server doesn't support them. Second, I believe it will greatly decrease number of people who vote. Personally, I wouldn't show my client certificate "identity" to some random capsule just so it could record my "vote" in its silly "poll". Would you?
Now a question to readers: can you find any issues / vulnerabilities here? You might notice that tokens are not invalidated and voting IP is not checked, but please try to think of a possible scenario where it can be (ab)used.
So if an attacker gets a voting link and shares it - the link will include a token. First two days all clicks will count as a single vote, after that the token becomes invalid.
The only attack I can imagine is an attacker asking strangers to fetch the page for them, so the attacker can vote using their tokens. I guess it's simpler just to vote through multiple TOR / VPN / IPv6 addresses, but it would require a different kind of anti-fraud system.
I made up an imaginary attack against permanent tokens, so they are valid for two days only. In this scenario, an attacker travels around the world, connects to Internet from numerous places (using different IPs), and from each of them fetches a voting page on my capsule. After returning home attacker has a bunch of forever-valid tokens to vote in any of my polls, attributing the votes to these places.
With tokens being valid for two days only, the attacker will have to travel around the world every two days.
Poll: your opinion?
Your explanation of CSRF tokens is bad (0 votes)
Your explanation of CSRF tokens is good (1 vote)
You're doing it right (3 votes)
You're doing it wrong (1 vote)
Your poll "security" is weak (2 votes)
Your poll security is strong (0 votes)
Consider this poll hacked (0 votes)
Your polls are unhackable (0 votes)
I don't use client certificates at all (3 votes)
I don't use client certificates for random capsules (0 votes)
You're wrong, client certificates are the only proper way! (1 vote)
Privacy warning: your IP is already logged. You can change your vote by voting second time. To remove your IP from logs or vote for multiple items, write me an email.