Client and Server Side Input Validation - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki
Pre-Lab Procedure:
If you completed the Virtual Host Lab first, you'll have to go back into the configuration (conf.d) files for ciak.com and savannah.com and change the port numbers so that your browser goes to your desired pages and not the virtual hosts when you type in the Web Server IP address. I used a placeholder of 8008 instead of port 80:
Lab Procedure
The current form1.php file from previous labs should look like this:
Reuse the form1.php from the previous labs on the Rocky Web Server and add JavaScript validation to the fname field:
sudo systemctl restart httpd
- From the Kali web browser, try to enter a first name that is shorter than 6 characters
Deliverable 1: Character warning
Deliverable 2: Browser Inspection
With the warning up:
- Right-click in your web browser and click "Inspect" (Web Developer Tools if on Firefox)
- Find the script in the HTML portion of the page source:
Lab Procedure Burpsuite
- Start the Burp application and the Burp web browser
- Once it loads: Temporary project -> Next, Start Burp (basically the defaults)
- Go to Proxy tab and click on "Open browser" (You might have to enter the default password of the VM)
- Navigate to your form
- Once you see the form, before submitting, make sure that the Intercept is on:
Once that's all set:
- Fill the First Name with a value that is more than 5 characters and Submit
- Find the fname value section captured in Burp and change it to a string that is less than 5 characters:
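Click Forward and observe the web page in the Burp browser. It should look similar to this:
- Despite the script that blocks first names shorter than six characters, the edited request bypassed the rule: the JavaScript check runs only in the browser, and Burp changed the value after the form had already passed that check.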
Troubleshooting
"When I attempted to forward the Burp Request to the browser it didn't work as it was supposed to. To fix this I found that my form1action.php form was incorrect and was using POST instead of GET. So I changed this in the file and it worked." @Hsanokklis
Adding Server Side Validation
Edit the form1action.php with the following content:
sudo systemctl restart httpd
Now redo the Burpsuite steps in the previous section of this lab with the interception edit, and you should get something similar:
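
Added example (not the lab's form1action.php, whose content is not reproduced on this page): one way to enforce the six-character fname rule on the server so that a value edited in Burp is rejected. It assumes the form submits with GET, as in the Troubleshooting note; the function name `validate_fname`, the constant `FNAME_MIN_LEN` and the messages are hypothetical.

```php
<?php
// Added example, not the lab's form1action.php. Assumes the form submits
// with GET and that the field is named "fname".

const FNAME_MIN_LEN = 6; // same rule the client-side JavaScript enforces

/**
 * Validate the raw fname parameter on the server.
 * Returns [true, cleanedValue] or [false, errorMessage].
 */
function validate_fname($raw): array
{
    // Missing parameter, or fname[]=x, which PHP parses into an array.
    if (!is_string($raw)) {
        return [false, 'First name is required.'];
    }
    $value = trim($raw);
    // The /u flag counts characters rather than bytes and makes
    // preg_match_all() return false on invalid UTF-8.
    $chars = preg_match_all('/./us', $value);
    if ($chars === false || $chars < FNAME_MIN_LEN) {
        return [false, 'First name must be at least ' . FNAME_MIN_LEN . ' characters.'];
    }
    return [true, $value];
}

// Runs for web requests only, so the function can be included from a CLI test.
if (PHP_SAPI !== 'cli') {
    [$ok, $result] = validate_fname($_GET['fname'] ?? null);
    if (!$ok) {
        http_response_code(400); // the tampered request is refused here
        echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
        exit;
    }
    // Encode on output so the submitted value cannot inject markup.
    echo 'Welcome, ' . htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}
```

Because the check runs after the request reaches the server, it applies equally to values typed in the browser and values rewritten in an intercepting proxy.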