Bypass Client-Side Validation Routins

Client-side validation is performed by a web browser (Java Script) before the input is sent to a web server.

If your application’s input validation countermeasures can be shortened with one word, JavaScript, then the application is not as secure as you think. Client-side JavaScript can regularly be bypassed. Some personal proxy, personal firewall, and cookie-management software promote their ability to remove pop-up banners and other intrusive elements of a web site. Many computer experts (paranoiacs?) switch off JavaScript completely in order to evade the latest e-mail virus. In short, there are several legitimate reasons and straightforward methods for Internet users to disable JavaScript.

Of course, disabling JavaScript tends to paralyze most of web applications. Fortunately, we have many tools that help surgically remove JavaScript or allow us to submit content after the JavaScript check has been performed, which enables us to bypass client-side input validation. With a local proxy such as Burp, we can handle a GET or POST request before it is sent to the server. By doing so, we can enter data in the browser that passes the validation requirements, but then change any value in the proxy while it’s held before forwarding it along to the server.

 

Related posts

How to Improve Your Cyber Resilience by Strengthening User Privileges

The Dark Side of Viral Content: How Negative Reviews Can Snowball

Testing Gaming Monetization: Walking the Line Between Profit and Player Experience