Client-side Security Control Bypass


Overview

Some web applications rely on client-side controls such as disabling form fields, limiting field size, JavaScript validation or other controls to prevent the user from sending malicious input. In all cases, any client-side control can be bypassed or ignored entirely.

Not all applications that use client-side controls are vulnerable. Application which pair all client-side controls with an equivalent server-side version of the control may be secure. Quality applications often mirror all server-side controls with the client-side counterpart to reduce network traffic, prevent honest users from sending known-bad values and provide guidance.

However applications depending solely on client-side controls are often vulnerable to injection and/or attacks on application logic.

YouTubeVideo Tutorials

Discovery Methodology (Static source-code analysis)

Applications using client-side controls will write the controls using client-side languages such as HTML, JavaScript, Cascading Style Sheets and other technologies. By examining the source code for keywords, it is possible to locate client-side controls. While not an exhaustive list, the following keywords may be helpful to locate client-side controls.

HTML
  • Button, input, select, textarea, optgroup, option or fieldset elements that have a "disabled" attribute
  • Input elements with the "required","maxlength","readonly","pattern" or "hidden" attribute
This gives to us the following list of keywords
  • disabled
  • required
  • maxlength
  • readonly
  • pattern
  • hidden
Text boxes allow any characters so tend to be paired with the controls mentioned above. But some HTML input elements such as select elements (drop-down boxes) are restrictive by their nature. Developers may employ these "implicit controls" believing users cannot choose options other than those offered.

These are some "implicit controls" that restrict input by their nature.
  • select
  • radio
  • checkbox
  • file
  • number
  • range
  • button
  • submit
CSS

Styles can prevent browsers from drawing certain inputs, move inputs off screen and layer inputs under other elements. Some sites may use these tecniques in an attempt to prevent users from entering data under some conditions.

One of the common CSS properties that hides content is "display".
  • display
JavaScript

JavaScript tightly integrates with the Document Object Model. JS may hide any element, alter the contents, interupt form submission or rewrite all or part of a page. Since any JS, inline or imported, may place restrictions on elements it is neccesary to examine all JavaScript functions if they are to be bypassed.

JavaScript that is associated with onblur, onfocus, onsubmit and onclick events may be more likely to be implementing client-side controls on average.
  • onblur
  • onfocus
  • onsubmit
  • onclick
Because JavaScript can be complex and be comprised of many lines of code, a better approach may be to disable or ignore the JavaScript validation entirely.

Using the keywords above combined with a tool like grep can locate the most likely locations of client-side controls in HTML, CSS and JavaScript source code.

Discovery Methodology (Dynamic source-code analysis)

Detection of client-side controls using dynamic testing is relatively easy. Fill in all fields available, noting any restrictions experienced and submit the request. Fields that disallow some or all choices are likely client-side controls. Observe if the request is sent to the web server or blocked inline. If the application refuses to send the request, usually a JavaScript or HTML5 control (i.e. pattern) is stopping the request.

Exploitation

It is worth noting bypassing client-side controls is not standard practice. Usually the controls are ignored entirely by capturing a "valid" request/response pair using an interception proxy such as Burp-Suite. The baseline request is fuzzed, manipulated or attacked one parameter at a time to generate reponses. Each response can be compared against the original baseline reponse.

Asssuming bypass of individual client-side controls is desired the following tecniques are one possible solution.

Tools

There are many plug-ins and add-ons that are useful. For Firefox some can be found in this Mozilla Add-on Collection. However the developer tools built-into modern browsers may be the best choice for most testing.
  • Firefox Web Developer Tools
  • Safari Web Inspector
  • Internet Explorer Developer Tools

HTML

The following attribute values can be changed to remove restrictions
  • maxlength
  • pattern
  • hidden (change to "text")
  • value
The following attributes can be deleted to remove restrictions
  • disabled
  • required
  • readonly
  • pattern
HTML input elements which are implicit controls can be bypassed using the same techniques

Select elements contain child elements known as "options". The value sent for the select element is the value of the option chosen. To send a different value than the options offered, either add a new option with the desired value or change the value of an existing option. When done, pick the option that has the value wanted.

Radio buttons and checkboxes are similar except the value sent is the value of the checkbox or radio button itself. Again either add a new checkbox/radio button or change the value of an existing checkbox/radio button.

The input elements of type file, number, range, button and submit have an attribute called "value" that is sent to the server when the form is submitted. Altering these values is trivial and is the easiest way to bypass these controls.

CSS

Settings the CSS property "display" to block, inline or and empty string will allow the browser to display elements in the hidden scope

JavaScript

JavaScript can generally be dealth with in one of three ways:

Rewrite the JavaScript

Since JavaScript is under the control of the user, it is possible to create, alter or delete JavaScript code.

Delete or negate the event that triggers the JavaScript

JavaScript that performs validation is usually called by the browser in response to an event since it is neccesary for the user to enter the value before the value can be validated. Deleting this event or setting the event to TRUE may be an easy way to circumvent validation

Submit requests outside the browser using proxy

The easiest and most reliable method to bypass any client-side control is to capture a "valid" request/response pair using an interception proxy such as Burp-Suite. By this time any JavaScript has already run and can be ignored entirely.

Videos


YouTubeCross-Site Scripting Explained - Part 5: Discovery
YouTubeIntroduction to HTML Injection (HTMLi) and Cross Site Scripting (XSS) Using Mutillidae
YouTubeTwo Methods to Bypass JavaScript Validation
YouTubeCross-site Scripting Explained - Part 15: Javascript Validation Bypass
YouTubeHow to Bypass Maxlength Restrictions on HTML Input Fields
YouTubeHow to Install dirb on Linux
YouTubeHow to Use dirb to Locate Hidden Directories on a Web Site
YouTubeHow to Install OWASP DirBuster on Linux
YouTubeHow to use OWASP DirBuster to Discover Hidden Directories on Web Sites