Chapter 1 described how the core security problem with web applications arises because clients can submit arbitrary input. Despite this fact, a large proportion of web applications nevertheless rely upon various kinds of measures implemented on the client side to control the data that it submits to the server. In general, this represents a fundamental security flaw: the user has full control over the client and the data it submits, and can bypass any controls which are implemented on the client side and not replicated on the server.

There are two broad ways in which an application may rely upon client-side controls to restrict user input. First, an application may transmit data via the client component, using some mechanism that it assumes will prevent the user from modifying that data. Second, when an application gathers data that is entered by the user, it may implement measures on the client side that control the contents of that data before it is submitted. This may be achieved using HTML form features, client-side scripts, or thick-client technologies.

We will look at examples of each kind of client-side control and describe ways in which they can be bypassed.
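As an added illustration of the server-side counterpart to both kinds of control (it is not code from the book), the handler below re-derives the price from a server-side catalogue instead of trusting a value transmitted via the client, and re-checks the quantity and note fields as if no form `maxlength`, `<select>` or script had ever run. The field names, catalogue and limits are assumptions constructed for the example.

```python
# Added example, not from the book. Server-side checks that replicate, rather
# than trust, client-side controls. Field names, catalogue and limits are
# constructed for illustration.
import re
from decimal import Decimal

# Authoritative price list kept on the server. A price arriving in a hidden
# field, cookie or URL parameter is never used.
CATALOGUE = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("9.50")}

# Limits that the HTML form also enforces (maxlength, pattern, option list).
# They are repeated here because the client-side copies are advisory only.
MAX_QUANTITY = 10
NOTE_MAXLEN = 200
QUANTITY_RE = re.compile(r"[0-9]{1,3}")   # ASCII digits only; fullmatch below


def validate_order(form):
    """Return (ok, result) for a raw parameter dict as received from the client.

    Nothing in `form` is assumed to have passed any client-side check: the
    product must exist server-side, the quantity must be a small ASCII integer
    in range, the note must fit, and the total is recomputed from CATALOGUE.
    """
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        return False, "unknown product"
    qty_raw = form.get("quantity", "")
    # str.isdigit() would accept Unicode digits such as "²" that int() rejects,
    # so an explicit ASCII pattern is used instead.
    if not QUANTITY_RE.fullmatch(qty_raw):
        return False, "quantity must be a positive integer"
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QUANTITY:
        return False, "quantity out of range"
    note = form.get("note", "")
    if len(note) > NOTE_MAXLEN:       # maxlength on the <input> is not enough
        return False, "note too long"
    total = CATALOGUE[sku] * qty      # client-supplied "price" is ignored
    return True, {"sku": sku, "quantity": qty, "note": note, "total": total}


if __name__ == "__main__":
    # A submission as a browser that honoured the form controls would send it.
    print(validate_order({"sku": "SKU-100", "quantity": "2", "note": "gift"}))
    # A constructed submission that ignored them: the server still decides.
    print(validate_order({"sku": "SKU-100", "quantity": "999", "price": "0.01"}))
```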