Web applications attacks/Client side verifications
Description
If data sent by the browser is not checked on the server side, an attacker can change values and submit non-standard or unexpected data: client-side controls (dropdown lists, hidden fields, JavaScript validation, disabled buttons) only shape what a well-behaved browser sends, and anyone with an intercepting proxy or a hand-built request can ignore them. The same applies to authorization: always control it on the server side, in every page and handler. If it is only controlled on the client side, an attacker can escalate privileges and access unauthorized content simply by requesting it.
Examples
- WebGoat, Bypass a path based Access Control lesson shows how to read unauthorized content by simply changing, locally, the value of the file parameter.
- WebGoat, Role based access control lab shows how an attacker can easily access unauthorized content on pages that are not protected on the server side by locally changing the form action.
- WebGoat, Remote Admin Access lesson teaches you how to access pages that are not protected. Don't forget to check privileges on the server side!
- WebGoat, DOM injection lesson shows that you should not trust client-side data. In this example you will learn how to bypass a client-side control and activate a product with an invalid licence key.
- WebGoat, XML injection lesson shows how to intercept and modify the content of a form to earn more points than the maximum allowed by the server. The attack succeeds because the data is not checked on the server side!
- WebGoat, JSON injection lesson shows how to modify a JSON request to your advantage to get a flight at a low price!
- WebGoat, Exploit Unchecked Email lesson shows that it is possible to send scripts in an email field whose content is not checked on the server side.
- HackThisSite.org, Realistic, Level 1 shows how to pass out-of-range data (initially bounded by a dropdown list) through the GET method.
- WebGoat, Silent transactions lesson shows that you shouldn't trust client-side data! There is a cascading call of JavaScript functions that can be bypassed by calling the final function directly from the URL.
- WebGoat, Bypass Client-Side Javascript Validation lesson teaches you how to bypass client-side validation controls.
- HackThisSite.org, Realistic, Level 3 shows how to deface a site if form data is not checked/bounded on the server side.
- HackThisSite.org, Realistic, Level 7 shows how to exploit a PHP file to read the content of a .htaccess file and access an encrypted password.
Protection
- You can check data on the client side to avoid a round trip to the server, save bandwidth and give the user faster feedback, but the same controls must also be done on the server side: the client-side check is a convenience, not a security control.
- Always check that data matches a specific mask (if you are expecting a number, check that nothing but [0-9] is sent, with the pattern anchored to the whole value), then check the range and the length; a value that passes the mask can still be out of bounds.
- Never take prices, totals, roles or permissions from the request: look them up on the server side and decide authorization from the server-side session, not from a field the client can edit.
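The following is an added example, not code from this page, from WebGoat or from HackThisSite. It models in Node.js the situation the JSON injection and Silent transactions lessons above and the Protection points describe: a purchase form whose dropdown only offers quantities 1 to 5, handled by a server that either believes the JSON body as sent (vulnerable) or validates every field against an anchored mask and a range, prices the order from its own catalogue, and takes the caller's role from the session (hardened). The catalogue, the session object, the request bodies and the field names are all constructed for the example.

```javascript
// Added example (not from the original page, WebGoat or HackThisSite): a small
// Node.js model of a server-side order handler. The browser form only offers
// quantities 1..5 and runs a JavaScript check, but the attacker edits the JSON
// body in an intercepting proxy, so only what the server does matters.

// Hypothetical server-side catalogue: the only trusted source of prices (in cents).
const CATALOGUE = { "SKU-1001": 10000, "SKU-2002": 25000 };

const SKU_RE = /^SKU-[0-9]{4}$/; // anchored allow-list mask for the product id
const QTY_RE = /^[0-9]+$/;       // digits only: "-1", "1e3", "12abc", "3\n" all fail
const MAX_QTY = 5;               // the bound the dropdown pretended to enforce

// Vulnerable handler: believes every field the client sent, including the
// price and the role (the pattern the JSON/DOM injection lessons exploit).
function vulnerableOrder(body) {
  const total = body.price * body.quantity;
  return { ok: true, total, admin: body.role === "admin" };
}

// Hardened handler: validates each field against a mask and a range, looks the
// price up server-side, and takes the caller's role from the session only.
function hardenedOrder(body, session) {
  if (typeof body !== "object" || body === null) return { ok: false, error: "bad body" };
  if (typeof body.sku !== "string" || !SKU_RE.test(body.sku)) return { ok: false, error: "bad sku" };
  // Accept the quantity as a string or an integer number, never an array or
  // object: String(["3"]) would coerce to "3" and slip past the regex.
  const qtyText = typeof body.quantity === "string" ? body.quantity
                : Number.isInteger(body.quantity) ? String(body.quantity) : "";
  if (!QTY_RE.test(qtyText)) return { ok: false, error: "bad quantity" };
  const quantity = Number(qtyText);
  if (quantity < 1 || quantity > MAX_QTY) return { ok: false, error: "quantity out of range" };
  if (!Object.prototype.hasOwnProperty.call(CATALOGUE, body.sku)) return { ok: false, error: "unknown sku" };
  const total = CATALOGUE[body.sku] * quantity;
  // body.price and body.role are ignored entirely; the session decides the role.
  return { ok: true, total, admin: session.role === "admin" };
}

// Entry point as the server sees it: raw text from the network, parsed here.
function handleRequest(rawBody, session, handler) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, error: "bad json" }; }
  return handler(body, session);
}

// Constructed traffic: what the dropdown would have sent, and what an attacker
// sends after editing the request in a proxy (quantity, price and role changed).
const LEGIT = JSON.stringify({ sku: "SKU-2002", quantity: "2" });
const TAMPERED = JSON.stringify({ sku: "SKU-1001", quantity: "99", price: 1, role: "admin" });
const SESSION = { user: "alice", role: "user" }; // hypothetical server-side session

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(handleRequest(TAMPERED, SESSION, vulnerableOrder)); // { ok: true, total: 99, admin: true }
  console.log(handleRequest(TAMPERED, SESSION, hardenedOrder));   // { ok: false, error: 'quantity out of range' }
  console.log(handleRequest(LEGIT, SESSION, hardenedOrder));      // { ok: true, total: 50000, admin: false }
}

module.exports = { vulnerableOrder, hardenedOrder, handleRequest, LEGIT, TAMPERED, SESSION };
```

Two details matter when porting the mask check to another language. In JavaScript `$` without the `m` flag only matches at the very end of the string, so `"3\n"` is rejected; in Python `re.match(r"^[0-9]+$", "3\n")` succeeds because `$` also matches before a trailing newline, so use `re.fullmatch` there. And the mask is only the first gate: "99" is all digits and still has to be refused by the range check, which is why the dropdown's bound is re-imposed on the server.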