Web applications attacks/Client side data
Description
Client-side data are data sent to your browser once the page has been interpreted by the server. Be very careful with the data you send: it is very easy to intercept client-side data and modify them. In addition, never do critical filtering of data on the client side. See also client-side verifications.
Example
- WebGoat, Client-side filtering lab shows that you should never filter sensitive data on the client side!
- WebGoat, Insecure Client Storage lesson shows how to crack a weak client-side encryption mechanism. It should make you aware of the necessity to filter data on the server and not on the client, even if the data is encrypted.
- WebGoat, Exploit Hidden Fields shows how to exploit hidden fields to modify the price of products.
- HackThisSite.org, Basic, Level 4 shows how to intercept and modify an email address.
- HackThisSite.org, Basic, Level 10 shows how to intercept and modify a value (level_authorized) to grant access.
Protection
- Hidden fields are to be used with caution!
- Never filter sensitive data on the client side; always do it on the server side.
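The following Python is an added illustration and is not code from this page, WebGoat or HackThisSite. It contrasts a checkout handler that trusts a hidden price field and a client-sent level_authorized flag with one that derives price and role from server-side state, and adds a mismatch check that a defender can log. The catalogue, session store, form values and function names are all constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only trusted source of prices.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("5.00"),
}

# Constructed server-side session store: the only trusted source of roles.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}


@dataclass
class Order:
    sku: str
    quantity: int
    total: Decimal


def vulnerable_checkout(form):
    """Trusts the hidden 'price' field echoed back by the browser.

    Anyone can edit that field before submitting, so the server bills
    whatever price the client chose.
    """
    qty = int(form["quantity"])
    price = Decimal(form["price"])  # attacker-controlled value
    return Order(form["sku"], qty, price * qty)


def hardened_checkout(form):
    """Ignores any client-supplied price and looks it up server-side.

    Also validates the remaining fields instead of assuming the browser's
    JavaScript already did so.
    """
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return Order(sku, qty, CATALOG[sku] * qty)


def price_tampering_detected(form):
    """True when a client-sent 'price' disagrees with the catalogue.

    The hardened handler never uses the client value, but comparing it is a
    cheap signal worth logging: an honest browser sends back the price the
    server rendered, so a mismatch means the page was edited in transit.
    """
    sku = form.get("sku")
    if sku not in CATALOG or "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != CATALOG[sku]
    except InvalidOperation:
        return True  # not even a number: certainly not what we rendered


def vulnerable_is_admin(form):
    """Grants access because a hidden field says so (cf. level_authorized)."""
    return form.get("level_authorized") == "1"


def hardened_is_admin(session_id):
    """Derives the role from the server-side session, not from the form."""
    session = SESSIONS.get(session_id)
    return session is not None and session["role"] == "admin"


def demo():
    # Constructed request: hidden fields edited in the browser before submit.
    tampered = {"sku": "sku-100", "quantity": "2",
                "price": "0.01", "level_authorized": "1"}
    print("vulnerable total :", vulnerable_checkout(tampered).total)  # 0.02
    print("hardened total   :", hardened_checkout(tampered).total)    # 99.98
    print("tampering logged :", price_tampering_detected(tampered))   # True
    print("vulnerable admin :", vulnerable_is_admin(tampered))        # True
    print("hardened admin   :", hardened_is_admin("sess-alice"))      # False


if __name__ == "__main__":
    demo()
```

The design point is that the hardened functions take nothing security-relevant from the form: the price comes from the catalogue, the role from the session, and the only form fields used (sku, quantity) are re-validated on the server as if no client-side check had ever run.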