Client-side validation is when JavaScript and HTML are used to check your input for any problems. Everything is done on the client machine, without contacting the server; for example, when you enter text into the email field that isn't an email address but rather something potentially malicious.
How to bypass client-side validation?
Alright, now that we've understood the security systems, let's see the easiest method to crack through this kind of security. You must remember from the Burp Suite tutorial that every time you want to interact with a web server, the information is sent from the browser to the server in the form of an HTTP request. Using Burp Suite, we can intercept that request and make changes to it.
Fortunately, these inputs go through HTTP requests as well, so we're gonna exploit this property of the input system to bypass client-side validation. So, I turn on Burp Suite with my browser. I open the webpage and enter a valid email that looks like an email and passes through the client-side validation without any issues.
Then I click on the login button, but since Burp Suite is open, the request gets intercepted. I switch to Burp Suite and find the email field. Here I find abcd@lmao.com and replace it with a potentially malicious string that isn't an email, and then click on the Forward button.


This string successfully reaches the server and gets processed. There are other levels of security, like firewalls and server-side filters, but this is how we bypass client-side validation.
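Because the edited request never passes through the browser's checks again, the server has to repeat them on the body it actually receives. The following is an added example, not code from the original tutorial or from any particular application: a server-side check of the email field, where the field name `email`, the length limit and the sample request bodies are all assumptions made for illustration.

```javascript
// Added example: server-side re-validation of a login form's email field.
// The field name "email", the limits and the sample bodies are assumptions.
const MAX_EMAIL_LENGTH = 254;
// Deliberately simple shape check: one "@", a dot in the domain,
// and no whitespace, quotes, angle brackets or parentheses anywhere.
const EMAIL_SHAPE = /^[^\s@<>"'()]+@[^\s@<>"'()]+\.[^\s@<>"'()]+$/;

function validateEmailField(rawBody) {
  // Parse the body exactly as it arrived; the browser's checks prove nothing here.
  const params = new URLSearchParams(rawBody);
  const values = params.getAll("email");
  if (values.length !== 1) {
    return { ok: false, reason: "email must appear exactly once" };
  }
  const email = values[0].trim();
  if (email.length === 0 || email.length > MAX_EMAIL_LENGTH) {
    return { ok: false, reason: "email length out of range" };
  }
  if (/[\u0000-\u001f\u007f]/.test(email)) {
    return { ok: false, reason: "control characters in email" };
  }
  if (!EMAIL_SHAPE.test(email)) {
    return { ok: false, reason: "not an email address" };
  }
  return { ok: true, email };
}

// Constructed sample bodies (application/x-www-form-urlencoded).
const SAMPLES = {
  // What the browser sends after the client-side check passes.
  fromBrowser: "email=abcd%40lmao.com&password=example",
  // The same request after the email value was replaced in an intercepting proxy.
  editedInProxy: "email=%3Cb%3Enot-an-email%3C%2Fb%3E&password=example",
  // A body that repeats the field, which a lenient parser might resolve differently.
  duplicated: "email=abcd%40lmao.com&email=x",
};

function checkSamples() {
  const results = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    results[name] = validateEmailField(body);
  }
  return results;
}

console.log(checkSamples());
```

The server accepts only the first body; the other two are rejected before the value reaches any query, template or log line.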
Now, is there a way to bypass server validation?