Thursday, April 5, 2018

Bypassing Client Side JavaScript Validation

- Layout for this exercise:

- Working with OWASP WebGoat v5.4:

1 - Client Side JavaScript Validation

- JavaScript can be used to validate any type of alphanumeric input, but the check runs in the user's browser, so it only protects the user's experience, not the server.

- For instance, this script (invoked from the HTML with an onclick event on the Submit button) checks whether the numeric input is lower or greater than 10:

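The following is an added example, not the script from the original post: a client-side check of the kind described above, where a number entered by the user is compared against 10 when Submit is clicked. The decision logic is kept in plain functions so it runs under Node; the element id `num`, the handler name `onSubmitClick` and the rule "only values lower than 10 are accepted" are assumptions made for this example.

```javascript
// Added example (not the script from the original post): a client-side check of
// the kind described above. The browser wiring at the bottom is an assumption
// about how such a script is hooked to an onclick handler.

// Classify a raw input string relative to 10.
// Returns "lower", "greater", "equal", or null when the value is not a whole number.
function compareToTen(raw) {
  const text = String(raw).trim();
  if (!/^-?\d+$/.test(text)) return null; // rejects "", "abc", "1e3", "9.5"
  const n = Number(text);
  if (n < 10) return "lower";
  if (n > 10) return "greater";
  return "equal";
}

// Decide whether the form may be submitted. Assumption for this example: the
// form only accepts values lower than 10. Returns { allowed, message }.
function clientSideCheck(raw) {
  const text = String(raw).trim();
  const verdict = compareToTen(text);
  if (verdict === null) {
    return { allowed: false, message: "Please enter a whole number" };
  }
  if (verdict === "lower") {
    return { allowed: true, message: `${text} is lower than 10` };
  }
  return { allowed: false, message: `${text} is not lower than 10` };
}

// Browser side: the handler that an
//   <input type="submit" onclick="return onSubmitClick(event)">
// would call. Returning false (and preventDefault) cancels the submission.
// This runs entirely in the user's browser, so it is a convenience for the
// user, not a security control: the server must repeat the check on what it
// actually receives. Not executed under Node (no document/alert there).
function onSubmitClick(event) {
  const result = clientSideCheck(document.getElementById("num").value);
  if (!result.allowed) {
    alert(result.message);
    event.preventDefault();
  }
  return result.allowed;
}
```

Everything that decides whether the request goes out lives in `clientSideCheck`, which is exactly the code a user can edit or remove in the browser's element inspector; the same function could be reused unchanged on a Node server to make the decision where the user cannot reach it.
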
2 - Bypassing Client Side JavaScript Validation

- In this scenario we have 7 input fields with different validators:




- The challenge consists of bypassing each one of the validators.

- Right-clicking the Submit button and choosing Inspect Element:






- Disabling the input validation:






- Now, all the input validators are disabled:

- Field1:

- Field2:

- Field3:

- Field4:

- Field5:

- Field6:

- Field7:

- Once the inputs are submitted, the server fails to validate them correctly on its own and the attack is successful: