[Join Mozilla] Security Review: Webmaker Quiz

VERIFIED FIXED

Status

Product: mozilla.org
Component: Security Assurance: Review Request
Status: VERIFIED FIXED
Reported: 6 years ago
Updated: 6 years ago

People

(Reporter: Ben Simon, Assigned: mfuller)


(Whiteboard: [completed secreview][start 2012-08-20][end 2012-08-20])

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Hey all,

Wanted to file this in advance so you can hopefully slot it into the calendar. There are two campaigns we're launching in the next month+ which will mean a set of new pages needing review; this bug will be about the webmaker quiz, and a second bug will be filed about the Mozilla Festival contest.

The Webmaker quiz, launching at the end of the month, will have three components:

--A short quiz with questions built into a BSD page, which is set up in the following way: All of the quiz will take place within that wrapper and signup form, with JavaScript showing and hiding page elements to take the user from question to question, and finally for computing the answer. When they provide their email address (and other info) we’ll use JavaScript to take and submit the signup form contents to a hidden IFrame—their user info is sent directly into BSD. By using a hidden IFrame as the target for the form submission, we can still keep the user on the same page, and show them the JavaScript-generated quiz results (we want to prevent switching to a different page because that would mean we would lose information stored in the JavaScript, such as their quiz score).

--A signup page which folks will fill out to get a free "Mozilla Webmaker" sticker

--A donation page which will follow the sticker signup page

The schedule on this is that these different components will all be produced over the next week and a half, ready for review by 8/17 at the latest. I'll add the links to the bug as they're ready for review.

We're planning to begin promoting by 8/27 at the latest, with some soft distribution on Friday the 24th. The signup & donation pages ought to be fairly straightforward; if there's additional info we can provide to help things move once they're ready, please let us know.

Thanks!

-ben
Whiteboard: [pending secreview] → [pending secreview][triage needed]
(Assignee)

Comment 1

6 years ago
I'll take this review - it sounds similar to some other BSD-related pages I've reviewed previously. Keep me up to date and I'll start when links are added.

Thanks,
Matt
Assignee: nobody → mfuller
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Keywords: sec-review-needed
(Reporter)

Comment 2

6 years ago
Hey Matt,

These pages are now live and ready for sec review. The Quiz main page (which progresses to the signup) is here:

https://donate.mozilla.org/page/s/mozilla-quiz

The donation page is reached after signing up for the sticker (end of quiz), but the direct url is: 

https://donate.mozilla.org/page/contribute/quiz-donation

Please let us know if you've any questions or issues.

Thanks!

-ben
(Assignee)

Comment 3

6 years ago
Thanks Ben - one question - after submitting the sticker request page, I'm redirected to the second URL (the direct link you listed above) but it includes a huge parameter called "action code." What does this parameter do? I'm assuming it's some sort of tracking code to see click throughs coming from the sticker request page but wasn't sure.

Thanks,
Matt
(Reporter)

Comment 4

6 years ago
(In reply to Matt Fuller :mfuller from comment #3)
> I'm assuming it's some sort of tracking code to see click throughs coming
> from the sticker request page but wasn't sure.
> 

Precisely. We'll actually be updating it to just be a hard-coded source, but that's all it is.
(Assignee)

Comment 5

6 years ago
Great, thanks - I'll get started on this shortly and it shouldn't be too long as it looks quite similar to those I've done already.

Matt
(Assignee)

Comment 6

6 years ago
Hi Ben,

I've completed the security review of these forms. The only issue I have found is that the sticker signup page (after the quiz, before redirect to the donation form) is vulnerable to cross-site request forgery.

This basically means someone can sign up to receive a sticker repeatedly without completing the quiz first.

I've yet to see a BSD-related form with CSRF protection, but I don't think this is a major concern. The biggest risk would be someone overwhelming the database with repeated POSTs (and a waste of stickers if duplicate checks aren't in place).

Let me know if this is an acceptable business risk. Besides that, everything looks good. I'm attaching my review notes.

Matt
(Assignee)

Comment 7

6 years ago
Created attachment 653470 [details]
Security Review Report
(Reporter)

Comment 8

6 years ago
Thanks, Matt. We'll be able to de-dupe, so not too concerned with that.

-ben
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 9

6 years ago
Sounds good, I'll mark this completed-secreview. Let me know if you need anything else.

Thanks,
Matt
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd] → [completed secreview][start 2012-08-20][end 2012-08-20]
Status: RESOLVED → VERIFIED