Lesson Plan Title: How to Bypass Client Side JavaScript Validation


Concept / Topic To Teach:

Client-side validation should not be considered a secure means of validating parameters. This validation only helps reducing the amount of server processing time for normal users who do not know the format of required input. Attackers can bypass these mechanisms easily in various ways. Any client-side validation should be duplicated on the server side. This will greatly reduce the likelihood of insecure parameter values being used in the application.


General Goal(s):

For this exercise, the web site requires that you follow certain rules when you fill out a form. The user should be able to break those rules, and send the website input that it wasn't expecting.


Figure 1 Lesson 6


There are two ways to complete this lesson. The first one is to submit a valid request like the one from the screenshot above and intercept this using WebScarab. The second way is to intercept the HTTP Response when loading the page and remove the Javascript that validates the values.


Solution 1


Figure 2 Intercept request


Add different symbols to the fields and click "Accept changes".


Figure 3 Change parameters


Figure 4 Lesson 6 Completed


Solution 2


Reload the page by clicking on the menu item "How to bypass Client-Side Javascript Validation" and intercept the response in WebScarab.


Figure 5 Enable "Intercept responses"


Figure 6 Intercepted response


If you remove the onclick="validate();" the "Submit" button will not work anymore.

Locate the validate() Javascript function in the HTML page.


Figure 7 The function validate()


Removing the regular expressions will remove the Javascript validation and submit the form.


Figure 8 Changed validate() function


Click "Accept changes". This returns a HTML page like before but without any regular expression checks.


Figure 9 It looks the same


Change the fields in the HTML page to contain symbols like @#@@# and click "Submit".


Figure 10 No more regular expression checks


Figure 11 Lesson 6 Completed



Solution by Erwin Geirnaert ZION SECURITY