Client-side Validation


Advertisements

In this chapter, we will learn how validation helps in Python Pentesting.

The main goal of validation is to test and ensure that the user has provided necessary and properly formatted information needed to successfully complete an operation.

There are two different types of validation −

  • client-side validation (web browser)
  • server-side validation

Server-side Validation & Client-side Validation

The user input validation that takes place on the server side during a post back session is called server-side validation. The languages such as PHP and ASP.Net use server-side validation. Once the validation process on server side is over, the feedback is sent back to client by generating a new and dynamic web page. With the help of server-side validation, we can get protection against malicious users.

On the other hand, the user input validation that takes place on the client side is called client-side validation. Scripting languages such as JavaScript and VBScript are used for client-side validation. In this kind of validation, all the user input validation is done in user’s browser only. It is not so secure like server-side validation because the hacker can easily bypass our client side scripting language and submit dangerous input to the server.

Tempering Client-side Parameter: Validation Bypass

Parameter passing in HTTP protocol can be done with the help of POST and GET methods. GET is used to request data from a specified resource and POST is used to send data to a server to create or update a resource. One major difference between both these methods is that if a website is using GET method then the passing parameters are shown in the URL and we can change this parameter and pass it to web server. For example, the query string (name/value pairs) is sent in the URL of a GET request: /test/hello_form.php?name1 = value1&name2 = value2. On the other hand, parameters are not shown while using the POST method. The data sent to the server with POST is stored in the request body of the HTTP request. For example, POST /test/hello_form.php HTTP/1.1 Host: ‘URL’ name1 = value1&name2 = value2.

Python Module for Validation Bypass

The Python module that we are going to use is mechanize. It is a Python web browser, which is providing the facility of obtaining web forms in a web page and facilitates the submission of input values too. With the help of mechanize, we can bypass the validation and temper client-side parameters. However, before importing it in our Python script, we need to install it by executing the following command −

pip install mechanize

Example

Following is a Python script, which uses mechanize to bypass the validation of a web form using POST method to pass the parameter. The web form can be taken from the link https://www.tutorialspoint.com/php/php_validation_example.htm and can be used in any dummy website of your choice.

To begin with, let us import the mechanize browser −

import mechanize

Now, we will create an object named brwsr of the mechanize browser −

brwsr = mechanize.Browser()

The next line of code shows that the user agent is not a robot.

brwsr.set_handle_robots( False )

Now, we need to provide the url of our dummy website containing the web form on which we need to bypass validation.

url = input("Enter URL ")

Now, following lines will set some parenters to true.

brwsr.set_handle_equiv(True)
brwsr.set_handle_gzip(True)
brwsr.set_handle_redirect(True)
brwsr.set_handle_referer(True)

Next it will open the web page and print the web form on that page.

brwsr.open(url)
for form in brwsr.forms():
   print form

Next line of codes will bypass the validations on the given fields.

brwsr.select_form(nr = 0)
brwsr.form['name'] = ''
brwsr.form['gender'] = ''
brwsr.submit()

The last part of the script can be changed according to the fields of web form on which we want to bypass validation. Here in the above script, we have taken two fields — ‘name’ and ‘gender’ which cannot be left blank (you can see in the coding of web form) but this script will bypass that validation.

Advertisements