Bypassing client-side controls – All things in moderation

Bypassing client-side controls

Transmitting Data Via the Client

    • Hidden Form Fields

      If a field is flagged as hidden, it is not displayed on-screen. However, the field’s name and value are still stored within the form and are sent back to the application when the user submits it, so anything the server reads from the field has in fact come from the client.

      In the early days of web applications, this vulnerability was extremely widespread, and it has by no means been eliminated today.

      Server-side demo code

      [code language="php"]
      <?php
      // Deliberately vulnerable demo: the price is read back from a hidden
      // field, so the server only learns whatever the client chose to send.
      // Here we merely flag a mismatch; a real shop would bill that price.
      $notify = "";
      if ($_SERVER["REQUEST_METHOD"] == "POST") {
          if (!isset($_POST["price"]) || $_POST["price"] != 1200) {
              $notify = "You hacked me!!!";
          }
      }
      ?>
      <form action="index.php" method="POST">
         Product: Dell Alienware<br>
         Price: 1200$<br>
         <label>Quantity</label><br>
         <input type="text" name="quantity"><br>
         <input type="hidden" name="price" value="1200">
         <button type="submit">Submit</button>
      </form>
      <?php echo $notify; ?>
      [/code]
      

      How to edit the price:
      - Save the HTML page's source, edit the value of the hidden field, load the saved page back into the browser and click the Buy button.
      - Use an intercepting proxy to modify the data in transit (Tamper Data (Firefox extension), Burp Proxy, WebScarab).

      [Screenshot: the order form]
      View source:
      [Screenshot: page source showing the hidden price field]
      Using Tamper Data to intercept the request and modify the field price from 1200 to 0 (or anything else)
      [Screenshot: Tamper Data dialog with the edited price]
      Result
      [Screenshot: the "You hacked me" response]

    • HTTP Cookies

      Cookies are not displayed on-screen, and the user cannot modify them directly in the page.
      They can be modified with an intercepting proxy, by changing either the server response
      that sets them or the subsequent client requests that carry them.

      Server-side demo code

           [code language="php"]
      <?php
      // Deliberately vulnerable demo: the privilege flag travels in a cookie,
      // so a client that rewrites Admin=0 to Admin=1 becomes "admin".
      // setcookie() must run before any output is sent.
      $cookie_name = "Admin";
      $cookie_value = "0";
      setcookie($cookie_name, $cookie_value, time() + 86400, "/");

      $notify = "";
      // Loose comparison: "0" == true is false, but "1" == true (and any
      // other non-empty string except "0") is true.
      if (isset($_COOKIE["Admin"]) && $_COOKIE["Admin"] == true) {
          $notify = "Congratulations! You hacked me!!!";
      }
      ?>
      <form action="index.php" method="POST">
         <div>
            <span>Username</span><br>
            <input type="text" name="username"><br>
            <span>Password</span><br>
            <input type="password" name="passwd"><br>
         </div>
         <button type="submit">Login</button>
      </form>
      <?php echo $notify; ?>
      [/code]
      

      [Screenshot: the login form]
      View the cookie and modify the field ‘Admin’ to 1
      [Screenshot: cookie editor with Admin=1]
      Result
      [Screenshot: the "You hacked me" response]

    • The Referer Header

      - Indicates the URL of the page from which the current request originated. It is set by the client, so an application that uses it as an access-control check is trusting the client.

      Server-side demo code

              [code language="php"]
      <?php
      // Deliberately vulnerable demo: the Referer header is taken as proof
      // that the request came from the admin page, but the client sets it.
      // A browser-sent Referer carries the scheme (http://localhost/...), so
      // this exact match only succeeds when the header is written by hand.
      $notify = "";
      if (isset($_SERVER['HTTP_REFERER'])
          && $_SERVER['HTTP_REFERER'] == "localhost/wordpress/bypass/admin.php") {
          $notify = "Congratulations! You're like a boss!!!";
      }
      ?>
      <!DOCTYPE html>
      <html>
      <head>
        <title></title>
      </head>
      <body>
      <form action="index.php" method="POST">
         <p>Product: Dell Alienware</p>
         <p>Price: 1200$</p>
         <label>Quantity</label><br>
         <input type="text" name="quantity"><br>
         <!-- base64 of the hint "change referer to: localhost/wordpress/bypass/admin.php" -->
         <input type="hidden" name="pricing_secret" value="Y2hhbmdlIHJlZmVyZXIgdG86IGxvY2FsaG9zdC93b3JkcHJlc3MvYnlwYXNzL2FkbWluLnBocA==">
         <button type="submit">Try hard!</button>
      </form>
      <?php echo $notify; ?>
      </body>
      </html>
              [/code]
      

      [Screenshot: the order form]
      View source and use HackBar (Firefox extension) to base64-decode the value of the field ‘pricing_secret’
      [Screenshot: HackBar showing the decoded hint]
      Change the Referer field (HTTP header)
      [Screenshot: Tamper Data with the edited Referer header]
      Result
      [Screenshot: the "like a boss" response]
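The three edits shown in the screenshots, replayed from a script instead of a proxy. This is an added example, not code from the original post: the server below is a Python stand-in for the three PHP demos (same hidden field, cookie and Referer checks, same response strings), started in-process on 127.0.0.1 on an ephemeral port so the example runs offline. Everything else in it (port, paths, the `submit` helper) is an assumption for illustration.

```python
"""Replay the hidden-field, cookie and Referer tampering against an
in-process stand-in for the page's PHP demos (added example)."""
import threading
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

CATALOG_PRICE = "1200"  # the price the form is expected to submit


class DemoHandler(BaseHTTPRequestHandler):
    """Mirrors the PHP demos: trusts price, Admin cookie and Referer as sent."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        notify = []
        # 1. hidden form field: the price is whatever the client submitted
        if form.get("price", [CATALOG_PRICE])[0] != CATALOG_PRICE:
            notify.append("You hacked me!!!")
        # 2. cookie: Admin=1 is taken as proof of admin (PHP: "1" == true)
        if "Admin" in cookies and cookies["Admin"].value == "1":
            notify.append("Congratulations! You hacked me!!!")
        # 3. Referer: a hand-written 'admin page' Referer unlocks the secret
        if self.headers.get("Referer") == "localhost/wordpress/bypass/admin.php":
            notify.append("Congratulations! You're like a boss!!!")
        body = ("; ".join(notify) or "Thank you for your order").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_server():
    """Start the demo server on an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/index.php" % server.server_address[1]


def submit(url, form, headers=None):
    """POST the form exactly as Tamper Data / Burp would after editing it."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers or {}, method="POST")
    # ProxyHandler({}) ignores any http_proxy environment so we really hit 127.0.0.1
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req) as resp:
        return resp.read().decode()


def tamper_hidden_field(url):
    """The browser would send price=1200; rewrite it to 0 before it leaves."""
    return submit(url, {"quantity": "1", "price": "0"})


def tamper_cookie(url):
    """The server set Admin=0; send Admin=1 back instead."""
    return submit(url, {"username": "x", "passwd": "x"}, {"Cookie": "Admin=1"})


def tamper_referer(url):
    """The base64 hidden field decodes to this hint; set the header by hand."""
    return submit(url, {"quantity": "1"},
                  {"Referer": "localhost/wordpress/bypass/admin.php"})


if __name__ == "__main__":
    server, url = start_server()
    try:
        print(submit(url, {"quantity": "1", "price": "1200"}))  # honest request
        print(tamper_hidden_field(url))
        print(tamper_cookie(url))
        print(tamper_referer(url))
    finally:
        server.shutdown()
```

The point of scripting it is that none of the three "controls" survives a client that simply does not run the browser's code: the form, the cookie jar and the Referer are all just bytes the client chooses to send.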

Hack steps

  • 1. Locate all instances within the application where hidden form fields, cookies, and URL parameters are apparently being used to transmit data via the client.
  • 2. Attempt to determine or guess the role that the item plays in the application’s logic, based on the context in which it appears and on clues such as the parameter’s name.
  • 3. Modify the item’s value in ways that are relevant to its purpose in the application. Ascertain whether the application processes arbitrary values submitted in the parameter, and whether this exposes the application to any vulnerabilities.
  • URL parameters

    When a URL containing parameters is displayed in the browser’s location bar,
    any of those parameters can be modified easily by any user without the use of tools.

    In many instances an application may nevertheless assume that ordinary users cannot view or modify URL parameters:

  • Where embedded images are loaded using URLs containing parameters
  • Where URLs containing parameters are used to load a frame’s contents
  • Where a form uses the POST method
  • Where an application uses pop-up windows or other techniques to conceal the browser's location bar
  • Opaque Data

  • ASP.NET ViewState
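A hardened counterpart to the three demos and to the hack steps above: the server never reads a price from the client, privilege is looked up in server-side state rather than in a cookie value, the Referer is not consulted at all, and data that genuinely must round-trip through a hidden field is MAC-signed (the same idea as a MAC-protected ViewState) so edits are detected. This is an added example, not code from the original post; the catalog, session store, cookie name `session` and per-deployment key are assumptions for illustration.

```python
"""Server-side handling that removes the client-side trust points
demonstrated above (added example, assumptions noted inline)."""
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

CATALOG = {"dell-alienware": 1200}    # assumed: prices live on the server only
SESSIONS = {}                          # assumed: server-side store, token -> role
SECRET_KEY = secrets.token_bytes(32)   # assumed: per-deployment signing key


def price_order(form):
    """Checkout that ignores any client-supplied price.

    form: dict of POST fields. Only the product id and quantity are read;
    a tampered 'price' field is never consulted. Returns the total."""
    product = form.get("product")
    if product not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[product] * qty


def create_session(role):
    """Issue an unguessable token; the role stays in SESSIONS, never in the cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = role
    return token


def role_from_cookie(cookie_header):
    """Resolve the role from server state; an edited cookie just fails the lookup.

    Note there is no 'Admin' cookie to flip and the Referer header plays no part."""
    cookies = SimpleCookie(cookie_header or "")
    if "session" not in cookies:
        return None
    return SESSIONS.get(cookies["session"].value)


def sign_field(value):
    """Protect a value that must travel through a hidden field.

    Output is base64(value).hex(HMAC-SHA256(key, base64(value)))."""
    payload = base64.urlsafe_b64encode(value.encode()).decode()
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_field(token):
    """Return the original value, or None if the field was altered or malformed."""
    try:
        payload, mac = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        return base64.urlsafe_b64decode(payload.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Tampered price is ignored: the total comes from the catalog.
    print(price_order({"product": "dell-alienware", "quantity": "2", "price": "0"}))
    # A forged cookie value yields no role.
    print(role_from_cookie("Admin=1"), role_from_cookie("session=forged"))
    token = create_session("admin")
    print(role_from_cookie("session=" + token))
    signed = sign_field("1200")
    print(verify_field(signed), verify_field("MA==." + signed.split(".")[1]))
```

Signing only proves the field was not altered; it does not hide the value (the client can still base64-decode it), and a signed field can be replayed unless it also carries something bound to the session or request.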
