Everything About Client Side Controls and Bypassing Them

I am pretty that you’ve learned from us a lot about the web application. Now, we will continue to talk about how large proportions of the apps rely on various measures which are implemented on the client-side for controlling the data that they submit to the server. That actually represents a fundamental security flaw. In that case, the user has the full control over the client and its data that are submitted. Then, he can bypass any controls that are implemented on the client-side, and also are not replicated on the server. The application relies on client-side controls in a purpose to restrict user input in two broad ways. In the first case, the app transmits the data to the client component using a mechanism which assumes the prevention of modifying the data by the user when he later reads it. In the second case, the app implements measures on the client-side which controls the user’s interaction with his own client. It restricts functionality and applying controls around user input-before it is submitted. It can be achieved by using the HTML form features or client-side scripts etc.

Transmitting Data Via Client

Everything submitted from the client to the server is under the user’s control. The assumption that the data is transmitted by the client will not be modified is most of the times false and it leaves the app vulnerable to the attacks. Learn more about the proper behaviors to prevent any kind of the attack or harm that can happen to you by learning about cyber security tips.

It is important to know that the writing app in a certain way is easier for developers for many reasons, and we will explain those now. First of all, it removes the need of keeping the track of all kinds of data within the user’s session. Also, using the client for transmitting the data can be a solution to the problem, if it arrives. However, when we talk about transferring the sensitive data this way, it is still unsafe. Learn as much as you can about protecting your sensitive data with the internet security tips.

Hidden from fields and HTTP cookies are also common mechanisms for transmitting data by the client in a unmodified way. I would like to advise you that if you find an app that is vulnerable, first of all-see whether you can submit a negative amount as the price. There were cases where the negative transactions were successful. HTTP cookies-transmitting the data via the client HTTP cookie. Form fields are not displayed on the screen, and the user cannot modify them. We think about instant modifying, they can be modified but only with the intercepting proxy which changes the server response that sets them or the subsequent client requests which issue them.

URL Parameters. It is common that the app transmits the data via the client by using the URL parameters. But, in many instances, the application can expect that the ordinary users can’t view or even modify the URL parameters. For example, where embedded images are loaded by using the URLs which contain parameters.

The referer header. It is commonly included in the browsers within most HTTP requests, used to indicate the URL of the page from which the current request originated. That happens either because the user clicked some hyperlink or a submitted form.

Capturing User Data : HTML Forms

It is the other principal way in which apps use client-side controls for restricting the data which is submitted by a client. It occurs with the data that wasn’t originally specified by the server but gathered on the client computer by itself.

So what is the simplest and the most common way for capturing the input from the user and submitting it to the server? The HTML forms, of course.

 

Capturing User Data: Browser Extensions

Besides the methods we talked about, there is one more main method for validating, capturing or submitting the user data. It is the usage of the client-side component which runs in a browser extension. It may be for example a Java or Flash. Companies are nowadays using the browser extensions for creating the fully functional client-side components. They provide feedback, flexibility etc. They capture the data in various ways. It can be done by the input forms and sometimes by interacting with the client’s operating system.

Handling Client-Side Data Securely

There are some core security problems with the web apps. It happens because the client-side components and the user input are outside the server’s direct control. It is the untrustworthy-the client, and all data received from it.

Many applications transmit critical data and leave themselves exposed. They transmit product prices or discount rates by the client in a very unsafe manner. It is good to avoid transmitting such kind of data with the applications. Especially via the client. It is well-known that some ways of using encrypted or signed data may be vulnerable to the attack. Let’s explain it on the example. Let’s say a product price was encrypted before being stored in a hidden field. Yes, it may be possible to copy the encrypted price of a cheaper product and to submit it in a place of the original price. And how to prevent such an attack? Well, the app needs to include the sufficient context within the encrypted data for preventing it from being replayed in a different context.

We can show the example. The app could concatenate the product code and its price, it may encrypt the results as a single item, and then validate that the encrypted string actually submitted with an order which matches the product that was being ordered.

So, what have we learned from this all? All clients or servers apps must accept one fact-the fact that the client component and all of the processing which may occur on it, can’t be trusted to behave as expected. As we’ve seen, the communications methods which are transparent generally employed by the web app actually mean that the attacker equipped with the simple tools and any minimal skill can really easily circumvent most controls that are implemented on the client. A determined attacker can compromise the defenses even in a situation where the application attempts to obfuscate data and processing residing on the client-side.

It is a must to know that you should test how the server responds to an unexpected data which bypasses the controls. It is important to implement in every instance where you can identify the data which are being transmitted via the client, or sometimes even the validation of user-supplied input which is being implemented on the client.

Some serious vulnerabilities are lurking behind the application’s assumptions about the protection which is afforded to it by the defenses that are implemented at the client.

So, we’ve learned a bit today! I hope you enjoyed hearing this useful information! Now you know how you can prevent the tampering attacks while transmitting the data via the client and a lot more useful information we shared with you!