Lesson Plan Title: Bypass HTML Field Restrictions

Concept / Topic To Teach:
Client-side validation should not be considered a secure means of validating parameters. These checks only reduce server processing time for ordinary users who do not know the required input format. Attackers can bypass them easily in various ways, so every client-side validation should be duplicated on the server side. This greatly reduces the likelihood of insecure parameter values being used in the application.

General Goal(s):
The user should be able to send the website input that it wasn't expecting.
For this exercise, your job is to break the client-side validation and send the website input that it wasn't expecting, including input for the disabled field. You must break all 6 validators at the same time.


To solve this lesson, we need to put invalid characters (slashes, quotes, etc.) into all six fields. Since three of the fields are toggles or dropdowns, we will need to intercept the request with WebScarab.
We still need to put invalid data in the disabled field, however. There are two ways of accomplishing this: we can enable the field using Firebug, or we can insert an additional field using WebScarab.

To enable the field, open Firebug and find the form containing all of our fields. Find the text input named "disabledinput" and delete its disabled="" attribute. This unlocks the field on the page, and the disabledinput variable will then also appear in the intercepted request in WebScarab.

[Screenshot: Enabled input after removing the "disabled" attribute in Firebug.]

The other option is to add another variable when intercepting the request with WebScarab. When the intercept request window pops up, use the Insert button to add a new variable called disabledinput.

Either way you add the input, the next step is to invalidate all of the values. Put a symbol or character that isn't allowed into each variable, and make sure you put more than five characters in the field that is limited by length.

[Screenshot: Correctly filled in request with all fields invalidated and the disabledinput variable added.]

Submit the request to complete the lesson.
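The lesson's point is that the tampered request above reaches the server untouched unless the server re-checks every rule the client enforced. The following is an added example, not part of the WebGoat lesson or its source: a server-side validator that mirrors the kind of client-side constraints the lesson describes (a dropdown, a radio group, a checkbox, a length-limited text field, a character-restricted text field, and a disabled field). The field names, allowed values and both sample requests are constructed assumptions, not WebGoat's actual form.

```python
import re
from typing import Dict, List

# Server-side copy of the rules the client form enforces.
# Names and allowed values are constructed for this example (assumptions).
ALLOWED_SELECT = {"option1", "option2", "option3"}      # dropdown options
ALLOWED_RADIO = {"yes", "no"}                           # radio button values
CHECKBOX_VALUE = "on"                                   # value a browser sends for a checked box
MAX_SHORT_LEN = 5                                       # client side: maxlength="5"
ALPHANUM = re.compile(r"^[A-Za-z0-9]+$")                # client side: JavaScript character check
# Fields the form legitimately submits. A disabled input is never submitted by a
# browser, so "disabledinput" is deliberately NOT in this set.
EXPECTED_FIELDS = {"select", "radio", "checkbox", "shortinput", "textinput"}


def validate_form(params: Dict[str, str]) -> List[str]:
    """Return one error string per violated rule; an empty list means the request is acceptable."""
    errors: List[str] = []

    # 1. Unknown fields, including a re-added "disabledinput", mean the request was edited.
    for name in sorted(set(params) - EXPECTED_FIELDS):
        errors.append(f"{name}: unexpected field")

    # 2. Required fields must be present (the checkbox is optional: absent means unchecked).
    for name in ("select", "radio", "shortinput", "textinput"):
        if name not in params:
            errors.append(f"{name}: missing")

    # 3. Choice fields: the value must be on the server's own allow-list.
    if "select" in params and params["select"] not in ALLOWED_SELECT:
        errors.append("select: not an allowed option")
    if "radio" in params and params["radio"] not in ALLOWED_RADIO:
        errors.append("radio: not an allowed option")
    if "checkbox" in params and params["checkbox"] != CHECKBOX_VALUE:
        errors.append("checkbox: not an allowed value")

    # 4. Length-limited field: enforce maxlength again on the server.
    if "shortinput" in params and len(params["shortinput"]) > MAX_SHORT_LEN:
        errors.append(f"shortinput: longer than {MAX_SHORT_LEN} characters")

    # 5. Free-text field: allow-list the permitted characters instead of blocking bad ones.
    if "textinput" in params and not ALPHANUM.fullmatch(params["textinput"]):
        errors.append("textinput: contains characters outside [A-Za-z0-9]")

    return errors


# Constructed sample requests: what a normal browser submits, and the same form
# after the client-side checks were bypassed and the disabled field re-added.
NORMAL_REQUEST = {"select": "option2", "radio": "yes", "checkbox": "on",
                  "shortinput": "abcde", "textinput": "hello1"}
TAMPERED_REQUEST = {"select": "option1'/\"", "radio": "maybe<>", "checkbox": "\\'",
                    "shortinput": "123456'", "textinput": "a/b\"c",
                    "disabledinput": "surprise'"}

if __name__ == "__main__":
    print("normal:", validate_form(NORMAL_REQUEST))
    for err in validate_form(TAMPERED_REQUEST):
        print("tampered:", err)
```

The validator treats the disabled field the way the server should: because a browser never sends a disabled input, its value is the server's own stored value, and its appearance in the request is itself a signal of tampering rather than data to be trusted. The other five rules are simply the client's rules restated on the server, which is the duplication the lesson's concept section calls for.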