Bypassing client-side controls – All things in moderation

# Bypassing client-side controls

## Transmitting Data Via the Client

### Hidden Form Fields

If a field is flagged as hidden, it is not displayed on-screen. However, the field’s name and value are stored within the form and are sent back to the application when the user submits the form.

In the early days of web applications, this vulnerability was extremely widespread, and by no means has it been eliminated today.

#### Code server demo

[code language="php"]
<?php
// Demo: the price travels to the client in a hidden field and is read back
// from the POST body; any change to it triggers the message below.
$notify = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if ($_POST["price"] != 1200) {
        $notify = "You are hacked me!!!";
    }
}
?>
<form action="index.php" method="POST">
Product: Dell alineware
Price: 1200$
<label>Quantity</label><br>
<input type="text" name="quantity"><br>
<input type="hidden" name="price" value="1200">
<button type="submit">Submit</button>
</form>
<?php echo $notify; ?>
[/code]


How to edit the price:

• Save the source code of the HTML page, edit the value of the field, reload the source back into the browser, and click the Buy button.
• Use an intercepting proxy to modify the data (Tamper Data (a Firefox extension), Burp Proxy, WebScarab).

View source:

Use Tamper Data to intercept the request and change the price field from 1200 to 0 or anything else.

Result
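A hardened counterpart to the hidden-field demo above, as an added example that is not part of the original post: the price comes from a server-side catalog, and a price submitted by the client is used only as a tampering signal. The `product_id` field, the catalog contents and the quantity limits are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed server-side catalog: the only price source used for billing.
// The "product_id" field and the quantity limits are assumptions.
const CATALOG = ['dell-aw' => ['name' => 'Dell alineware', 'price' => 1200]];

// Build an order from form data without trusting any client-supplied price.
function build_order(array $post): array
{
    $order = ['ok' => false, 'total' => null, 'tampered' => false, 'error' => null];

    $id = $post['product_id'] ?? null;
    if (!is_string($id) || !array_key_exists($id, CATALOG)) {
        $order['error'] = 'unknown product';
        return $order;
    }

    // Quantity is client-controlled too: accept only an integer from 1 to 10.
    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($qty === false) {
        $order['error'] = 'invalid quantity';
        return $order;
    }

    $price = CATALOG[$id]['price'];
    // A price echoed back by the client is never billed; a mismatch is only
    // recorded as a tampering signal for logging and alerting.
    if (array_key_exists('price', $post) && $post['price'] !== (string) $price) {
        $order['tampered'] = true;
        error_log('price field mismatch for product ' . $id);
    }

    $order['ok'] = true;
    $order['total'] = $price * $qty;
    return $order;
}

// Constructed submissions: an honest one, a modified price, a bad quantity.
$samples = [
    ['product_id' => 'dell-aw', 'quantity' => '2', 'price' => '1200'],
    ['product_id' => 'dell-aw', 'quantity' => '2', 'price' => '0'],
    ['product_id' => 'dell-aw', 'quantity' => '-5', 'price' => '1200'],
];
foreach ($samples as $post) {
    echo json_encode(build_order($post)), PHP_EOL;
}
```

The second sample is still billed 2400 and flagged as tampered; the third is rejected because the quantity fails validation.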

### HTTP Cookies

Cookies are not displayed on-screen, and the user cannot modify them directly. They can be modified using an intercepting proxy, by changing either the server response that sets them or subsequent client requests.

#### Code server demo

[code language="php"]
<?php
// Demo: an authorization flag is kept in a client-side cookie and trusted.
$notify = "";
$cookie_name = "Admin";
$cookie_value = "0";
setcookie($cookie_name, $cookie_value, time() + (86400), "/");

if (isset($_COOKIE["Admin"]) && $_COOKIE["Admin"] == true) {
    $notify = "Cograturation! You hacked me!!!";
}
?>
<form action="index.php" method="POST">
<div>
<input type="text" name="passwd"><br>
</div>
</form>
<?php echo $notify ?>
[/code]

View the cookie and modify the field ‘Admin’ = 1

Result

### The referer Header

The Referer header is used to indicate the URL of the page from which the current request originated.

#### Code server demo

[code language="html"]
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<?php
// Demo: access is decided by the client-supplied Referer header.
$notify = "";

if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == "localhost/wordpress/bypass/admin.php") {
    $notify = "Congratulation! You like bosss!!!";
}
?>
<form action="index.php" method="POST">
<p>Product: Dell alineware </p>
<p>Price: 1200$</p>
<label>Quantity</label><br>
<input type="text" name="quantity"><br>
<input type="hidden" name="pricing_secret" value="Y2hhbmdlIHJlZmVyZXIgdG86IGxvY2FsaG9zdC93b3JkcHJlc3MvYnlwYXNzL2FkbWluLnBocA==">
<button type="submit">Try hard!</button>
</form>
<?php echo $notify; ?>
</body>
</html>
[/code]


View the source and use HackBar (a Firefox extension) to Base64-decode the value of the field ‘pricing_secret’.

Result

#### Hack steps

1. Locate all instances within the application where hidden form fields, cookies, and URL parameters are apparently being used to transmit data via the client.
2. Attempt to determine or guess the role that the item plays in the application’s logic, based on the context in which it appears and on clues such as the parameter’s name.
3. Modify the item’s value in ways that are relevant to its purpose in the application. Ascertain whether the application processes arbitrary values submitted in the parameter, and whether this exposes the application to any vulnerabilities.

### URL parameters

When a URL containing parameters is displayed in the browser’s location bar,
any parameters can be modified easily by any user without the use of tools.

In many instances an application may expect that ordinary users cannot view or modify URL parameters:

• Where embedded images are loaded using URLs containing parameters
• Where URLs containing parameters are used to load a frame’s contents
• Where a form uses the POST method
• Where an application uses pop-up windows or other techniques to conceal the browser location bar