Rather Be The Hunter Than The Prey II.

Test Client-Side Controls

1. Handling Data Passed Through the Client

1.1. Identify all areas in the application where data is sent through the client, such as hidden form fields, cookies, and URL parameters.

1.2. Analyze the role of each element by considering where it appears, along with its name and value, to understand how it fits into the application’s logic.

1.3. Modify these values in ways that make sense for their intended purpose, and observe how the application responds.

2. Evaluating Client-Side Validation

2.1. Look for input validation mechanisms implemented on the client side, such as JavaScript checks or field length restrictions. Since these controls run in the browser, they can be bypassed by sending crafted requests directly to the server.

Example:
<form action="bal7.asp" onsubmit="return Validate(this)">
<input maxlength="6" name="bal7a">
</form>

2.2. Test each input field by submitting values that would normally be rejected by client-side validation, and check whether the server enforces the same restrictions.

2.3. Keep in mind that bypassing client-side validation alone is not necessarily a vulnerability. However, it is important to verify whether proper validation exists on the server side.

3. Inspecting Disabled and Hidden Inputs

Review each HTML form to identify any disabled elements. For example:

<input disabled="true" name="bal7">

Attempt to manually include these parameters in requests sent to the server, and observe whether they influence application behavior in a meaningful or exploitable way.
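
The server-side counterpart to the checks in sections 2 and 3, as an added example that is not part of the original post: the server re-applies the length limit the browser enforces and refuses parameters the form could never have submitted. The field names come from the snippets above; the rule table, the character pattern and the validateForm function are assumptions.

```javascript
// Added example, not from the original page. Field names bal7a and bal7
// come from the page's snippets; RULES, the pattern and validateForm()
// are hypothetical.
const RULES = new Map([
  // maxLength mirrors the client-side maxlength="6"; the pattern is assumed.
  ["bal7a", { required: true, maxLength: 6, pattern: /^[A-Za-z0-9]+$/ }],
]);
// Rendered as disabled in the form: a browser never submits these, so
// their presence means the request did not come from the unmodified form.
const DISABLED_FIELDS = new Set(["bal7"]);

function validateForm(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const clean = {};

  // Reject anything the form could not have sent.
  for (const name of new Set(params.keys())) {
    if (DISABLED_FIELDS.has(name)) {
      errors.push(`disabled field submitted: ${name}`);
    } else if (!RULES.has(name)) {
      errors.push(`unexpected field: ${name}`);
    } else if (params.getAll(name).length > 1) {
      errors.push(`duplicate field: ${name}`);
    }
  }

  // Re-apply every client-side restriction on the server.
  for (const [name, rule] of RULES) {
    const value = params.get(name);
    if (value === null || value === "") {
      if (rule.required) errors.push(`missing field: ${name}`);
      continue;
    }
    if (value.length > rule.maxLength) {
      errors.push(`${name} longer than ${rule.maxLength}`);
    } else if (!rule.pattern.test(value)) {
      errors.push(`${name} contains disallowed characters`);
    } else {
      clean[name] = value;
    }
  }
  // Hand back cleaned values only when the whole request is acceptable.
  const ok = errors.length === 0;
  return { ok, errors, clean: ok ? clean : {} };
}
```

Logging the "disabled field submitted" and "unexpected field" rejections gives the application a signal that requests are being built outside the browser form.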

4. Analyzing Client-Side Components

4.1. Identify any client-side components such as applets or plugins. Monitor requests in your proxy for files like:

  • .class, .jar → Java
  • .swf → Flash
  • .xap → Silverlight

Also, inspect the HTML source for tags like:

<applet code="input.class" id="TheBal7" codebase="/scripts/"></applet>

4.2. Download any discovered applet or component files and use appropriate tools to decompile them into readable source code.

4.3. Study the logic implemented within these components. Determine whether they perform any processing (such as encoding or validation) and check if exposed methods can be reused or manipulated to process arbitrary input.