Client-side Security Control Bypass with HTML ,CSS ,JavaScript

-

 

Client-side Security Control Bypass

Overview

Some web applications rely on client-side controls such as disabling form fields, limiting field size, JavaScript validation or other controls to prevent the user from sending malicious input. In all cases, any client-side control can be bypassed or ignored entirely.

Not all applications that use client-side controls are vulnerable. Application which pair all client-side controls with an equivalent server-side version of the control may be secure. Quality applications often mirror all server-side controls with the client-side counterpart to reduce network traffic, prevent honest users from sending known-bad values and provide guidance.



However applications depending solely on client-side controls are often vulnerable to injection and/or attacks on application logic.

Discovery Methodology (Static source-code analysis)

Applications using client-side controls will write the controls using client-side languages such as HTML, JavaScript, Cascading Style Sheets and other technologies. By examining the source code for keywords, it is possible to locate client-side controls. While not an exhaustive list, the following keywords may be helpful to locate client-side controls.

HTML

Button, input, select, textarea, optgroup, option or fieldset elements that have a "disabled" attribute

Input elements with the "required","maxlength","readonly","pattern" or "hidden" attribute

 

This gives to us the following list of keywords


  • ·         required
     ·         maxlength
 

Text boxes allow any characters so tend to be paired with the controls mentioned above. But some HTML input elements such as select elements (drop-down boxes) are restrictive by their nature. Developers may employ these "implicit controls" believing users cannot choose options other than those offered.

These are some "implicit controls" that restrict input by their nature.

·   
·         checkbox
·         file
·         number
·         range
·         button
·         submit

 

CSS

 

Styles can prevent browsers from drawing certain inputs, move inputs off screen and layer inputs under other elements. Some sites may use these tecniques in an attempt to prevent users from entering data under some conditions.

One of the common CSS properties that hides content is "display".

  • display

JavaScript

JavaScript tightly integrates with the Document Object Model. JS may hide any element, alter the contents, interupt form submission or rewrite all or part of a page. Since any JS, inline or imported, may place restrictions on elements it is neccesary to examine all JavaScript functions if they are to be bypassed.

JavaScript that is associated with onblur, onfocus, onsubmit and onclick events may be more likely to be implementing client-side controls on average.


·         onfocus
·         onsubmit
·         onclick

Because JavaScript can be complex and be comprised of many lines of code, a better approach may be to disable or ignore the JavaScript validation entirely.

Using the keywords above combined with a tool like grep can locate the most likely locations of client-side controls in HTML, CSS and JavaScript source code.

Discovery Methodology (Dynamic source-code analysis)

Detection of client-side controls using dynamic testing is relatively easy. Fill in all fields available, noting any restrictions experienced and submit the request. Fields that disallow some or all choices are likely client-side controls. Observe if the request is sent to the web server or blocked inline. If the application refuses to send the request, usually a JavaScript or HTML5 control (i.e. pattern) is stopping the request.

Exploitation

It is worth noting bypassing client-side controls is not standard practice. Usually the controls are ignored entirely by capturing a "valid" request/response pair using an interception proxy such as Burp-Suite. The baseline request is fuzzed, manipulated or attacked one parameter at a time to generate reponses. Each response can be compared against the original baseline reponse.

Asssuming bypass of individual client-side controls is desired the following tecniques are one possible solution.

Tools

There are many plug-ins and add-ons that are useful. For Firefox some can be found in this Mozilla Add-on Collection. However the developer tools built-into modern browsers may be the best choice for most testing.

  •  
  • ·         Firefox Web Developer Tools
  • ·         Safari Web Inspector
  • ·         Internet Explorer Developer Tools

 

HTML

The following attribute values can be changed to remove restrictions


·         pattern
·         hidden (change to "text")
·         value
 

The following attributes can be deleted to remove restrictions


·         required
·         readonly
·         pattern

 

HTML input elements which are implicit controls can be bypassed using the same techniques

Select elements contain child elements known as "options". The value sent for the select element is the value of the option chosen. To send a different value than the options offered, either add a new option with the desired value or change the value of an existing option. When done, pick the option that has the value wanted.

 

Radio buttons and checkboxes are similar except the value sent is the value of the checkbox or radio button itself. Again either add a new checkbox/radio button or change the value of an existing checkbox/radio button.

 

The input elements of type file, number, range, button and submit have an attribute called "value" that is sent to the server when the form is submitted. Altering these values is trivial and is the easiest way to bypass these controls.

 

CSS

 

Settings the CSS property "display" to block, inline or and empty string will allow the browser to display elements in the hidden scope

 

JavaScript

 

JavaScript can generally be dealth with in one of three ways:

 

Rewrite the JavaScript

 

Since JavaScript is under the control of the user, it is possible to create, alter or delete JavaScript code.

 

Delete or negate the event that triggers the JavaScript

 

JavaScript that performs validation is usually called by the browser in response to an event since it is neccesary for the user to enter the value before the value can be validated. Deleting this event or setting the event to TRUE may be an easy way to circumvent validation

Submit requests outside the browser using proxy

The easiest and most reliable method to bypass any client-side control is to capture a "valid" request/response pair using an interception proxy such as Burp-Suite. By this time any JavaScript has already run and can be ignored entirely.

 

 

Comments

Post a Comment

Popular posts from this blog

JavaScript Object Notation (JSON) Injection

-
Image
Overview JSON injection may occcur when user or attacker controlled input is later incorporated without being encoded into the web server response. In other words, the attacker can send input which later is incorporated into the JSON response. Discovery Methodology JSON injection starts like any injection; find the possible input parameters including adding custom parameters (parameter addition attack) to see if the application will process them and place those inputs into the JSON returned by the server. (If we cannot get our input into the JSON returned by the server, we cannot inject the JSON.) Finding input parameters can be done using an ordinary Firefox browser. No special tools are required. This particular page has a drop down which is an input. Developers sometimes think that they control the web page. This of course is incorrect. The web page is running in the users browser. The user can do anything they want like change the page using Firebug. If you dont like that drop-down...
Read more

Hack Android with Infect Virus Installation and Usees

-
Image
HACK ANDROID WITH INFECT TERMUX HACKING TOOL Android devices are popular in the world. Imagine how funny if you infect your friend’s device even if you don’t have hacking skills. Infect best Termux hacking tool will help us to do that. What is infect? Infect is a bash-based script that is officially made for Termux users and from this tool you can spread the android virus by just sending a link. Also, Infect is available on Termux, developers of this tool tested in on Termux. What are it’s features? Infect have some interesting features. Which are following:- [+] Dangerous virus tool! [+] Updated maintenance! [+] Easy for beginners! [+] Working virus tool for Termux! Installation process:- Now, before you install infect make sure you update and upgrade Termux. you can use these commands: $ apt-get update $ apt-get upgrade Then, after Termux finishes updating and upgrade, we move to the second step which is to install python. Do it only if you have not yet install python otherwise, you ...
Read more

Cascading Style Sheet (CSS) Injection

-
Image
  Overview Cascading style injection may occcur when user or attacker controlled input is later incorporated without being encoded into the web server response with a style attribute. In other words, the attacker can send input which later is incorporated into the web page the user receives. Discovery Methodology Inject all available parameters of the web page with a searchable string such as the word "CANARY" along with characters generally useful in writing HTML, JavaScript or other code. Search the response carefully noting any location where the test string appears unencoded in a style attribute. These locations may allow Cascading style injection. Hint: An example injection might be <CANARY={}""()'';#$--/>1. Adding a sequencial integer to the test input can help determine which of the inputs parameters resulted in the response string found. Exploitation Determine the prefix and suffix needed to make the injected code "fit" syntatically t...
Read more