Client-side Security Control Bypass |
Overview Some web applications rely on client-side controls such as disabling form fields, limiting field size, JavaScript validation or other controls to prevent the user from sending malicious input. In all cases, any client-side control can be bypassed or ignored entirely. Not all applications that use client-side controls are vulnerable. Application which pair all client-side controls with an equivalent server-side version of the control may be secure. Quality applications often mirror all server-side controls with the client-side counterpart to reduce network traffic, prevent honest users from sending known-bad values and provide guidance. However applications depending solely on client-side controls are often vulnerable to injection and/or attacks on application logic. Discovery Methodology (Static source-code analysis) Applications using client-side controls will write the controls using client-side languages such as HTML, JavaScript, Cascading Style Sheets and other technologies. By examining the source code for keywords, it is possible to locate client-side controls. While not an exhaustive list, the following keywords may be helpful to locate client-side controls. HTML
These are some "implicit controls" that restrict input by their nature.
Styles can prevent browsers from drawing certain inputs, move inputs off screen and layer inputs under other elements. Some sites may use these tecniques in an attempt to prevent users from entering data under some conditions. One of the common CSS properties that hides content is "display".
JavaScript tightly integrates with the Document Object Model. JS may hide any element, alter the contents, interupt form submission or rewrite all or part of a page. Since any JS, inline or imported, may place restrictions on elements it is neccesary to examine all JavaScript functions if they are to be bypassed. JavaScript that is associated with onblur, onfocus, onsubmit and onclick events may be more likely to be implementing client-side controls on average.
Using the keywords above combined with a tool like grep can locate the most likely locations of client-side controls in HTML, CSS and JavaScript source code. Discovery Methodology (Dynamic source-code analysis) Detection of client-side controls using dynamic testing is relatively easy. Fill in all fields available, noting any restrictions experienced and submit the request. Fields that disallow some or all choices are likely client-side controls. Observe if the request is sent to the web server or blocked inline. If the application refuses to send the request, usually a JavaScript or HTML5 control (i.e. pattern) is stopping the request. Exploitation It is worth noting bypassing client-side controls is not standard practice. Usually the controls are ignored entirely by capturing a "valid" request/response pair using an interception proxy such as Burp-Suite. The baseline request is fuzzed, manipulated or attacked one parameter at a time to generate reponses. Each response can be compared against the original baseline reponse. Asssuming bypass of individual client-side controls is desired the following tecniques are one possible solution. Tools There are many plug-ins and add-ons that are useful. For Firefox some can be found in this Mozilla Add-on Collection. However the developer tools built-into modern browsers may be the best choice for most testing.
HTML The following attribute values can be changed to remove restrictions
Select elements contain child elements known as "options". The value sent for the select element is the value of the option chosen. To send a different value than the options offered, either add a new option with the desired value or change the value of an existing option. When done, pick the option that has the value wanted. Radio buttons and checkboxes are similar except the value sent is the value of the checkbox or radio button itself. Again either add a new checkbox/radio button or change the value of an existing checkbox/radio button. The input elements of type file, number, range, button and submit have an attribute called "value" that is sent to the server when the form is submitted. Altering these values is trivial and is the easiest way to bypass these controls. CSS Settings the CSS property "display" to block, inline or and empty string will allow the browser to display elements in the hidden scope JavaScript JavaScript can generally be dealth with in one of three ways: Rewrite the JavaScript Since JavaScript is under the control of the user, it is possible to create, alter or delete JavaScript code. Delete or negate the event that triggers the JavaScript JavaScript that performs validation is usually called by the browser in response to an event since it is neccesary for the user to enter the value before the value can be validated. Deleting this event or setting the event to TRUE may be an easy way to circumvent validation Submit requests outside the browser using proxy The easiest and most reliable method to bypass any client-side control is to capture a "valid" request/response pair using an interception proxy such as Burp-Suite. By this time any JavaScript has already run and can be ignored entirely. Videos Click here to watch Cross-Site Scripting Explained - Part 5: Discovery Click here to watch Introduction to HTML Injection (HTMLi) and Cross Site Scripting (XSS) Using Mutillidae Click here to watch Two Methods to Bypass JavaScript Validation Click here to watch Cross-site Scripting Explained - Part 15: Javascript Validation Bypass Click here to watch How to Bypass Maxlength Restrictions on HTML Input Fields Click here to watch How to Install dirb on Linux Click here to watch How to Use dirb to Locate Hidden Directories on a Web Site Click here to watch How to Install OWASP DirBuster on Linux Click here to watch How to use OWASP DirBuster to Discover Hidden Directories on Web Sites |