Client and Server Side Input Validation - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Pre-Lab Information
Client Input Validation:
Client input validation helps to ensure that the data submitted by the client matches the requirements set forth in the various form controls. It is an initial check before the data is sent to the server.
Types of Data Validation
Data Type Check
Confirms that the data entered has the correct data type. For example, a field might only accept numeric data.
Code Check
Ensures that a field is selected from a valid list of values or follows certain formatting rules. For example, it is easier to verify that a postal code is valid by checking it against a list of valid codes.
Range Check
Verifies whether input data falls within a predefined range. For example, latitude and longitude are commonly used in geographic data. A latitude value should be between -90 and 90, while a longitude value must be between -180 and 180. Any values outside of these ranges are invalid.
Format Check
Checks for a predefined format. For example, date columns are stored in a fixed format like "YYYY-MM-DD", and a format check is the data validation procedure that ensures dates are entered in that format.
Consistency Check
A type of logical check that confirms the data has been entered in a logically consistent way. An example is checking that the delivery date is after the shipping date for a parcel.
Uniqueness Check
Some data, such as IDs or e-mail addresses, is unique by nature, and a database should have unique entries in these fields. A uniqueness check ensures that an item is not entered into a database multiple times.
Links:
- https://developer.mozilla.org/en-US/docs/Learn/Forms/Form_validation
Server Input Validation:
Data validated by the client can still be tampered with before it reaches the server. Implementing server-side validation adds another layer of security, as it checks the data that is actually received from the client rather than trusting the client's check.
Link: https://docs.unqork.io/Content/O-Security/O01-Application_Security/O01104-Server-Side_Validation.htm
Lab
Utilize the form1.php from the previous content by adding JavaScript verification on the fname field:
Try to enter a first name of fewer than 6 characters from the Kali web browser:
TROUBLESHOOTING: I was not getting an error when submitting my form, so to test if my JavaScript was working I made a line above my variable to see if I could get an alert to pop up -->
This worked -->
The problem was that I put an l instead of an I when typing in
document.getElementById("fname").value;
Start the Burp application and the Burp web browser
- Navigate to your form
- Once you see the form, before submitting, make sure that Intercept is on
- Fill in the First Name with a value that is more than 5 characters and Submit
- Find the fname value in the request captured in Burp and change it to a string that is less than 5 characters
- Click Forward and observe the web page in the Burp browser
Burp successfully displaying my name in less than 5 characters
TROUBLESHOOTING: When I attempted to forward the Burp request to the browser it didn't work as it was supposed to. To fix this I found that my form1action.php form was incorrect and was using POST instead of GET. So I changed this in the file and it worked.
Edit the form1action.php to add the server-side check
- Repeat what was done in the Burp application before
Burp browser displaying the new message
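The lab's lesson in one runnable file, as an added example that is not part of the wiki page: the same fname length rule is applied in the browser and again on the server, and the Burp step that shortens fname after the client check has passed is replayed with constructed values. The lab's real server file form1action.php is PHP; this expresses its check in JavaScript so both sides can be shown together, and the 6-character minimum, the whitespace trimming and the GET query string format are assumptions.

```javascript
// Added example (not from the lab). Assumed rule: fname must be at least
// 6 characters, matching the lab's "less than 6 characters" test.
const MIN_FNAME_LENGTH = 6;

// Pure rule shared by both sides. Returns null when valid, else a message.
// Trimming is an added hardening so a run of spaces cannot pass the length check.
function validateFirstName(value) {
  if (typeof value !== "string") return "First name is missing";
  const trimmed = value.trim();
  if (trimmed.length < MIN_FNAME_LENGTH) {
    return `First name must be at least ${MIN_FNAME_LENGTH} characters`;
  }
  return null;
}

// Client side: what the lab's JavaScript on the fname field decides.
// Returns true when the browser would let the form submit.
function clientAllowsSubmit(fnameFieldValue) {
  const err = validateFirstName(fnameFieldValue);
  // In the browser this would be alert(err) or an inline message.
  return err === null;
}

// Server side: stand-in for the edited form1action.php. It receives the
// query string the server actually got (after any Burp edit) and decides
// on its own, without trusting that the client check ran.
function serverHandle(queryString) {
  const params = new URLSearchParams(queryString);
  const fname = params.get("fname"); // null when the field is absent
  const err = validateFirstName(fname);
  if (err !== null) {
    return { status: 400, body: `Rejected: ${err}` };
  }
  return { status: 200, body: `Hello ${fname}` };
}

// Replay the lab's Burp scenario with constructed values.
function burpScenario() {
  const typed = "Hannah"; // passes the client check, so the form submits
  const sentByBrowser = `fname=${encodeURIComponent(typed)}`;
  const afterBurpEdit = "fname=Han"; // intercepted and shortened in Burp
  return {
    clientPassed: clientAllowsSubmit(typed),
    untampered: serverHandle(sentByBrowser),
    tampered: serverHandle(afterBurpEdit),
  };
}
```

The tampered request reaches the server with a 3-character name even though the client check passed, and only the server-side check turns it away.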