Creating a Safe Poll

What do you mean?

When you add a public poll to a web site, there are some security measures you have to take while writing the poll system. This is a short explanation of what you should take care of, and how.

Basics

First, decide whether you are going to let your visitors vote once every X hours (for example, every 24 hours) or only once per IP address for the whole lifetime of the poll. I personally think that one vote per IP for the poll's lifetime is enough, but let's keep in mind that it can also be done as one vote per IP every 24 hours.

Security

First, validate all input data in order to prevent SQL injection. After doing that, there is still more to do! I have noticed that some people only take care of that, and some of them say "Hey, why should I? No hackers come to my site, it is not that well known", but I would say they are very, very wrong: you don't need to be a hacker to find a vulnerability. Maybe you are not going to find out everything that is in the database, nor do anything else, maybe... just vote as many times as you want!
How could that be possible? Well, the next question may get you thinking: "do you take care of proxies?" Ouch. Maybe now you are thinking of using the X-Forwarded-For header if the client sends it, but that is the main point of this paper: how can you be so sure that it really comes from a proxy?

Is it a proxy or not?

Before we start discussing this, one remark: never read request data as if register_globals were on (that is, never accept a GET parameter where a POST field is expected), because then users could vote through proxies even if those proxies do not allow the POST method.
Is it a proxy or not? That is the question: how can you be so sure that it is a real proxy and not just a simple script pretending to be one by sending all the headers a normal transparent proxy would send (Via, X-Forwarded-For)? If you were logging the IP taken from X-Forwarded-For, exactly that could happen. So, are you going to care whether the user is behind a proxy or not? I recommend not caring. After all, how many users use proxies? This is a special case: users who only want to browse a page they cannot reach directly because of some problem with their ISP would use a transparent proxy; they would not try to hide themselves behind an 'elite'/'high anonymity' proxy. But at this point there is one thing you cannot prevent: somebody using a high anonymity proxy, which forwards no trace of the original address at all.
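The following is an added example, not code from the original article, that ties together the three points made so far: the vote window from "Basics" (one vote per IP for the poll's lifetime, or one per 24 hours), the input validation from "Security", and the advice here to ignore X-Forwarded-For and Via and key the one-vote-per-IP check on the TCP peer address. It runs under Node.js with no dependencies. The requests are constructed objects of the shape { remoteAddress, headers, body } standing in for real HTTP requests, the option ids and the bot's address are made up, and the naive versus safe comparison at the end is this example's own illustration of what a forged X-Forwarded-For buys an attacker.

```javascript
// Added example, not the article's own code: a vote handler that validates
// the option id before it reaches any query, keys the one-vote-per-IP check
// on the TCP peer address, and ignores X-Forwarded-For and Via, which any
// client can send. Node.js, no dependencies. Requests are constructed
// objects of the shape { remoteAddress, headers, body } standing in for
// real HTTP requests.

const DAY_MS = 24 * 60 * 60 * 1000;

// The only option ids this poll has (constructed); anything else is
// rejected before it gets anywhere near the database.
const POLL_OPTIONS = new Set([1, 2, 3]);

// Input validation: accept only a short decimal integer that names a real
// option. "1 OR 1=1" and "1; DROP TABLE poll" both come back as null.
function validateOption(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,9}$/.test(raw)) return null;
  const id = Number(raw);
  return POLL_OPTIONS.has(id) ? id : null;
}

// The mistake: trust X-Forwarded-For whenever it is present.
function naiveVoterAddress(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.remoteAddress;
}

// The article's advice: use the peer address and ignore proxy headers.
function voterAddress(req) {
  return req.remoteAddress;
}

// windowMs = Infinity: one vote per address for the poll's lifetime.
// windowMs = DAY_MS:   one vote per address every 24 hours.
function createPoll({ windowMs = Infinity, pickAddress = voterAddress } = {}) {
  const lastVote = new Map(); // address -> time of last accepted vote (ms)
  const tally = new Map();    // option id -> number of votes
  return {
    vote(req, now = Date.now()) {
      const option = validateOption(req.body.option);
      if (option === null) return { ok: false, reason: 'bad option' };
      const addr = pickAddress(req);
      const last = lastVote.get(addr);
      if (last !== undefined && now - last < windowMs) {
        return { ok: false, reason: 'already voted' };
      }
      lastVote.set(addr, now);
      tally.set(option, (tally.get(option) || 0) + 1);
      return { ok: true, option };
    },
    count(option) {
      return tally.get(option) || 0;
    },
  };
}

// A bot voting from one machine (198.51.100.7, constructed) that sends the
// headers a transparent proxy would send, with a different forwarded
// address on every request.
function forgedProxyRequest(n) {
  return {
    remoteAddress: '198.51.100.7',
    headers: { via: '1.1 proxy.example', 'x-forwarded-for': `10.0.0.${n}` },
    body: { option: '2' },
  };
}

// Fifty forged requests against a poll that believes X-Forwarded-For and
// against one that does not.
function demo(requests = 50) {
  const naive = createPoll({ pickAddress: naiveVoterAddress });
  const safe = createPoll();
  for (let i = 1; i <= requests; i++) {
    naive.vote(forgedProxyRequest(i), 0);
    safe.vote(forgedProxyRequest(i), 0);
  }
  return { naive: naive.count(2), safe: safe.count(2) };
}

console.log(demo()); // { naive: 50, safe: 1 }
```

The integer whitelist is the cheap half of "validate all input data"; the other half, which this example cannot show without a database, is to pass the validated id to a prepared statement rather than concatenating it into the SQL string.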

Is that all?

No, of course not. Using the real IP address, even when it looks like a proxy, does not by itself make your poll safe. What else? First, use cookies, so you know the user came from the page where the poll is and did not call the vote script directly. Checking only the Referer header is not safe, since any script can send that header too. Use a cookie with a random value, so that a script cannot simply send an imitation of the cookie.
But we are not finished! If a bad guy really wants to cheat on your poll he is not going to stop here: he can make two requests to your server, a HEAD request to the poll page to collect the cookie, and then send that cookie back with the second request, the vote itself.
I really don't know who would be that interested, but we are talking about safe polls, so what else could you do? This last one is a very hard problem, because I don't think you want to add a CAPTCHA just for a poll, and after reading everything you have to do for a safe poll you may be thinking twice about creating one at all. I think I found a solution, another way to kill those scripts, which could be called 'bots' or 'robots': JavaScript! If a vote only counts when the page's JavaScript has run, and that JavaScript is written dynamically by your script, a simple bot that does not execute JavaScript cannot set the right cookie. How? Write a basic JavaScript function like
function vote(){ var random1="something", random2="something"; document.cookie = "RandomCookie" + random1 + "=" + random2 + "; path=/"; }
where the values of random1 and random2 are generated dynamically by your server-side script, and your vote script rejects any vote that does not carry that cookie. As it is still very easy for a bot to pull the values out of the page with a simple preg_match('/random2="([a-zA-Z0-9]*)"/', $page, $matches), we also change the names of those variables every time the page is requested, not just their order; something like
$random_var_name = 'v' . md5(mt_rand() . time()); $random2_var_name = 'v' . sha1(mt_rand() . time());
could do the trick (the leading letter keeps the names valid JavaScript identifiers, since a hex digest may start with a digit). If you want to give it five more minutes, you can also URL-encode the whole JavaScript function and emit just
document.write(unescape('<?php echo rawurlencode($code); ?>'));
Use rawurlencode() rather than urlencode() here: urlencode() turns spaces into '+', which unescape() does not decode, so with it you would have to write a small str_replace() in JavaScript that turns every '+' back into a space before the original code is recovered. rawurlencode() produces %20 instead, which unescape() decodes directly.

Do you already have a poll with all those security measures?

No, I don't need a poll, so I don't have one.

End

As you can see, a bad visitor can still use a high anonymity proxy and vote manually on your poll. We have prevented him from using a simple script that does not execute JavaScript, but we cannot have a 100% secure poll.


Atomo64 (©) 2004-2010 www.atomo64.tk