Test Client-Side Controls
1: Data Via the Client
1.1: Locate all instances within the application where hidden form fields, cookies, and URL parameters are apparently being used to transmit data via the client.
1.2: Attempt to determine the purpose that the item plays in the application’s logic, based on the context in which it appears and on its name and value.
1.3: Modify the item’s value in ways that are relevant to its role in the application’s functionality.
2: Test Client-Side Controls
2.1: Identify any cases where client-side controls such as length limits and JavaScript checks are used to validate user input before it is submitted to the server. These controls can be bypassed easily, because you can send arbitrary requests to the server. For example:
<form action=”bal7.asp” onsubmit=”return Validate(this)”>
<input maxlength=”6” name=”bal7a”>
2.2: Test each affected input field in turn by submitting input that would ordinarily be blocked by the client-side controls to verify whether these are replicated on the server.
2.3: The ability to bypass client-side validation does not necessarily represent any vulnerability. Nevertheless, you should review closely what validation is being performed.
2.4: Review each HTML form to identify any disabled elements. For example:
<input disabled=”true” name=”bal7”>
If you find any, submit these to the server, along with the form’s other parameters. See whether the parameter has any effect on the server’s processing that you can leverage in an attack
2.5: Identify any applets employed by the application. Look for any of the following file types being requested via your intercepting proxy:
.class, .jar : Java .swf : Flash .xap : Silverlight
You can also look for applet tags within the HTML source code of application pages. For example:
<applet code=”input.class” id=”TheBal7” codebase=”/scripts/”></applet>
2.6: Download the applet bytecode by entering the URL into your browser, and use a suitable tool to decompile the bytecode into source code
2.7: Understand what processing is being performed and determine whether the applet contains any public methods that can be used to perform the relevant obfuscation on arbitrary input.
In the next part we are going to discuss Testing Authentication Mechanism.