Thursday, April 5, 2018

Bypassing Client Side JavaScript Validation


- Layout for this exercise:

- Working with OWASP WebGoat v5.4:

1 - Client Side JavaScript Validation

- JavaScript can be used to validate any type of alphanumeric input. 

- For instance, this script (invoked from the HTML code through the onclick event) would check whether the numeric input is lower or greater than 10:

2 - Bypassing Client Side JavaScript Validation

- In this scenario we have 7 input fields with different validators:

- The challenge consists of bypassing each one of the validators.

- Right-clicking the Submit button and choosing Inspect Element:

- Disabling the input validation:

- Now, all the input validators are disabled:

- Field1:

- Field2:

- Field3:

- Field4:

- Field5:

- Field6:

- Field7:

- Once the inputs are submitted, the server is not able to validate them correctly and the attack is successful.
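
The server-side counterpart to the checks bypassed above, as an added example that is not part of the original post or of WebGoat: every rule is re-applied to the received request, so disabling the validators in the browser changes nothing. The field names, the patterns, and the `quantity` threshold are assumptions chosen for illustration.

```javascript
// Added example: server-side re-validation of a submitted form.
// Field names and patterns are hypothetical, not WebGoat's own.
const RULES = {
  field1: /^[a-z]{3}$/,            // exactly three lowercase letters
  field2: /^[0-9]{3}$/,            // exactly three digits
  field3: /^[a-zA-Z0-9 ]{1,64}$/,  // letters, digits and spaces only
  field4: /^[0-9]{5}$/,            // five-digit code
};

// Numeric check in the spirit of the "compare with 10" script: the server
// parses the raw value itself and never trusts a verdict from the client.
function checkBelowTen(raw) {
  if (typeof raw !== 'string' || !/^-?[0-9]{1,9}$/.test(raw)) return false;
  return Number(raw) < 10;
}

// Validate a parsed request body; returns { ok, errors }.
function validateSubmission(body) {
  const errors = [];
  const allowed = new Set([...Object.keys(RULES), 'quantity']);
  // Reject parameters the form never defined.
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`${key}: unexpected field`);
  }
  for (const [name, pattern] of Object.entries(RULES)) {
    const value = body[name];
    // Body parsers can yield arrays or objects; accept plain strings only.
    if (typeof value !== 'string') errors.push(`${name}: missing or not a string`);
    else if (!pattern.test(value)) errors.push(`${name}: rejected`);
  }
  if (!checkBelowTen(body.quantity)) errors.push('quantity: must be an integer below 10');
  return { ok: errors.length === 0, errors };
}

// Constructed sample requests: one well-formed, and one as it could arrive
// once the browser-side validators have been switched off.
const wellFormed = { field1: 'abc', field2: '123', field3: 'abc 123', field4: '90210', quantity: '7' };
const tampered = { field1: 'abc!', field2: ['123'], field3: 'abc_123', field4: '9021', quantity: '10' };

console.log(validateSubmission(wellFormed));
console.log(validateSubmission(tampered));
```

Logging each rejected submission with the failing field names also gives detection value: a request that violates a rule the page's own JavaScript enforces did not come through the unmodified form.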