Tuesday, August 3, 2010

Bypassing Client Side input validation…..

Last post I discussed how to implement client side input validation, and before that I discussed why it should be used. Today I will discuss the best part of client side input validation: how easy it is to bypass!

This post hopes to show just how easy bypassing client side input validation really is. For demonstration purposes the code examples from the previous post will be reused to walk through three very easy attacks that bypass client side validation. To recap, here is the HTML code for zip.html, the form used to enter a zip code.

<html>
<head>
<title>Please enter in your zip code</title>
<script language="JavaScript">
// Client side check only: this runs in the visitor's browser, so the visitor controls it.
function validateme()
{
  var zv = document.zipform.zip.value;
  if (zv.length != 5)
  {
    alert("Please enter in 5 characters");
    return false;
  }
  // Note: this pattern is anchored only at the end of the string.
  if (zv.match(/\d\d\d\d\d$/))
  {
    return true;
  }
  else
  {
    alert("The Zip Code field does not contain 5 digits.");
    return false;
  }
}
</script>
</head>
<body>
<br>
<form method="POST" name="zipform" onsubmit="return validateme()" action="zip.php">
<center>Enter in your zip code (Only 5 digits please):<input type="text" name="zip" maxlength=5>
<br>
<input type="submit" value="Enter Zip Code"></center>
</form>
</body>
</html>

The first and simplest attack to bypass client side validation, drum roll please…, is to disable JavaScript in the browser. That's it, a pretty tough attack since you must restart the browser for it to take effect. A variation of this attack is to use a browser like Firefox that supports extensions, install the NoScript extension, and forbid the host from running scripts.

The second method requires a very special and 3l1+3 (elite in l33t speak) tool called a text editor, such as gedit or notepad. In the sample code zip.html, validation must be bypassed in two places: the HTML MAXLENGTH attribute and the validateme function. To begin performing this attack, open up zip.html in a web browser of your choice and save the page to the local system.

The first thing to deal with is submitting the form back to the original website, in this example www.badwebapp.com. If the page uses a relative path in the form action, as seen in the example code below, the action property must be changed.

<form method="POST" name="zipform" action="zip.php">

To send the form back to badwebapp.com, change the action property to the absolute URL on www.badwebapp.com, as seen in this code example:

<form method="POST" name="zipform" action="http://www.badwebapp.com/zip.php">

If this is not changed, the form will attempt to post the data to the local system and a 404 error will be returned to the browser.

With the form ready to be processed by the original website, the next thing to deal with is the HTML MAXLENGTH attribute. Open up the file zip.html and go to this line:

<center>Enter in your zip code (Only 5 digits please):<input type="text" name="zip" maxlength=5>

Delete the MAXLENGTH attribute, and the first input validation check is bypassed. Save the file to the local system, then open the file in a web browser. It is now possible to enter more than 5 digits in the input field; however, a warning box from the validateme function will indicate that more than 5 digits were entered.

There are three options to bypass the JavaScript validateme function: wrap it in HTML comment tags (<!-- what is to be commented out goes here -->), change the code itself, or remove the onsubmit property from the form tag, as seen in this example:

<form method="POST" name="zipform" onsubmit="return validateme()" action="zip.php">

Any of the three methods is sufficient to bypass the validateme function. After completing the changes to the file, save it to the local system. Open zip.html in a web browser, enter any information such as ABCDE12345, and submit the form for processing by the web server. Since this web server performs no server side input validation, the following message will be returned:

Congratulations! Your zip code is ABCDE12345 Thanks!

Changing the code can be a lot of work, especially in a web application that performs multiple client side input validation checks. What about changing the data after the validation has run, but before it is submitted to the web server? That is what the third attack does.

To perform this attack an intercepting web proxy such as OWASP WebScarab is used.

After installing WebScarab, fire it up and configure it to intercept requests. When running WebScarab in the Lite interface, just click on the Intercept tab and check the Intercept Request box. Next open up your browser of choice and configure it to use 127.0.0.1:8008 as the proxy server.

Now enter 5 digits, which is the valid length for a zip code, and click on the Enter Zip Code button. The browser-side check passes, and WebScarab pauses the outgoing request and pops up its intercept window:



Now change the value of the zip parameter to ABCDE12345 and click on the Accept Changes button. Once again you are presented with the following message:

Congratulations! Your zip code is ABCDE12345 Thanks!

As you can see, client side input validation is great for detecting typos and data entry mistakes, but it does not increase the security of an application.

Much like a border router, client side input validation can serve as the first layer of defense in the security of a web application. Just remember how easily client side validation can be bypassed, as seen in this example, and that it should NEVER be trusted: the server must validate every value again itself.
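The check zip.php is missing, as an added example (not code from the original post): a server-side validator written in Node.js rather than PHP, with the function names, messages and sample bodies below being assumptions made up for illustration. It applies the same rule the browser enforces, but anchored at both ends, and runs it against the payloads the three bypasses above deliver unchanged.

```javascript
// Added example: the server-side validation that zip.php in the post never performs.
// Node.js stand-in for zip.php; handleZipSubmission and its messages are assumptions.

// Strict rule: exactly five ASCII digits and nothing else. Both anchors matter:
// the post's client regex /\d\d\d\d\d$/ is anchored only at the end, so once the
// length check is gone "ABCDE12345" still satisfies it. (In PHP/PCRE, "$" also
// matches before a trailing newline; use \z or the D modifier there.)
const ZIP_RE = /^[0-9]{5}$/;

function isValidZip(value) {
  return typeof value === "string" && ZIP_RE.test(value);
}

// Processes the raw application/x-www-form-urlencoded body of a POST to zip.php.
// Re-validate here no matter what validateme() did in the browser: disabling
// JavaScript, editing the saved page, or tampering in a proxy all land here.
function handleZipSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const zip = params.get("zip"); // null when the field is absent entirely
  if (!isValidZip(zip)) {
    // Reject server-side. A client that repeatedly sends values the browser
    // would have refused is worth logging: the form is being bypassed.
    return { status: 400, message: "Zip code must be exactly 5 digits." };
  }
  return { status: 200, message: `Congratulations! Your zip code is ${zip} Thanks!` };
}

// Constructed sample bodies: one valid submission plus what the bypasses send.
const SAMPLE_BODIES = [
  "zip=12345",       // valid, what the browser check was meant to allow
  "zip=ABCDE12345",  // maxlength and validateme removed, or edited in WebScarab
  "zip=12345%0A",    // five digits plus a trailing newline, rejected by ^...$ here
  "",                // field missing: never happens via the form, trivial via a proxy
];

function runSamples() {
  return SAMPLE_BODIES.map((body) => ({ body, ...handleZipSubmission(body) }));
}

for (const r of runSamples()) {
  console.log(`${JSON.stringify(r.body)} -> ${r.status} ${r.message}`);
}
```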

5 comments:

  1. hmm... i seem to know all of that and i use tamper data for such purposes, but i appreciate this article for its express ability for people who do not understand.
    please i request to cover html injections also...
    good tutorial !

  2. thanks for the comment. I am glad you enjoyed the article.

    I will be more than happy to write an article on html injection in the near future.

  3. Great to learn about this. I'll make sure I perform a server side validation as well from now on.

  4. I now understand the importance of server-side validations. Thank you very much
