January 10, 2023
Diving into Client-Side-Vulnerabilities - Real-life Scenarios from DeepStrike penetration testing engagements
DeepStrike
In this blog post, we will explore the vulnerabilities associated with client-side validation in web applications. Our pentesting team has uncovered critical security concerns that arise from relying solely on client-side validation. By understanding these limitations, we can take appropriate measures to mitigate potential risks.
Client-side validation is a widely used technique to provide real-time feedback and enhance the user experience. However, it is important to recognize the limitations and security risks associated with relying solely on client-side validation.
While client-side validation improves user experience by validating user input in real-time, it also introduces a significant vulnerability. Malicious actors can intercept and manipulate requests through proxies, as the validation process occurs within the user's browser. This manipulation can lead to security breaches and unauthorized access.
During a security assessment, our pentester discovered that the API response provided different outcomes based on the validity of the OTP. A correct OTP resulted in a "200 Ok" status response, along with a JSON object indicating successful verification. In contrast, an incorrect OTP triggered a "401 Unauthorized" status response, indicating failed verification.
Exploiting the Vulnerability
Recognizing the potential impact of this vulnerability, our pentester set out to exploit it and gain unauthorized access to user accounts. By intercepting the password reset request and modifying the API response to indicate successful verification, the pentester bypassed the OTP validation process. This unauthorized access was possible due to the sole reliance on client-side checks for OTP validation
Request:
Understanding the Vulnerability
In the target application, users had the ability to change their usernames from the account settings page. Client-side validation using a regular expression (regex) was implemented to ensure that the usernames met certain criteria, such as length and disallowed characters like <>"'.
Exploiting the Vulnerability
Unfortunately, the vulnerability arose when the request reached the /update endpoint, where no server-side validation was performed. This allowed an attacker to easily set a username to an XSS payload, such as newuser">. The payload would then be saved in the database, and when other users interacted with the attacker's profile or viewed comments, the XSS payload executed, compromising the application's security.
Request:
POST /api/v1/reset-password HTTP/1.1
Host: example.com
Content-Type: application/json
{
"email": "[email protected]",
"otp": "123456",
"new_password": "newpassword"
}
Understanding the Vulnerability
The web application in question served as a payments platform, enabling businesses to receive payments both in-person and online. The payment process involved creating invoices for specific amounts and sending the payment links to clients.
Exploiting the Vulnerability
During our pentesting process, our team discovered a critical mistake made by the client developers. Although they had implemented client-side validation to check user authentication and invoice information, they stored all payment-related data in a JavaScript variable. This variable was used for validation on the front-end before sending the payment request to the client API.
By intercepting the request and modifying the price of the invoice, an attacker could exploit this vulnerability. As the server solely relied on client-side validation, it would update the payment data without verifying if it had been tampered with.
The consequences of this vulnerability include undercutting competitors by making fraudulent payments, selling the vulnerability as a service to exploit other online markets, and damaging our client's business reputation by publicly disclosing the vulnerability.
Request:
POST /api/v1/reset-password HTTP/1.1
Host: example.com
Content-Type: application/json
{
"username": "newuser"><svg/onload=alert()>"
}
Understanding the Vulnerability
The application utilized CSRF tokens to protect against cross-site request forgery (CSRF) attacks. These tokens were generated on the server-side and included in forms to validate the authenticity of subsequent requests.
Exploiting the Vulnerability
However, our pentester discovered that the client-side validation of these tokens was inadequate. By intercepting the requests and removing or modifying the CSRF tokens, an attacker could bypass the token validation and perform unauthorized actions on behalf of the victim user.
Understanding the Vulnerability
The application allowed users to submit data that would be displayed on their public profiles. Client-side validation was implemented to prevent the submission of malicious content or unauthorized data.
Exploiting the Vulnerability
Our pentester found that the client-side validation could be bypassed by manipulating the request parameters. By injecting unauthorized data through the browser's developer tools or intercepting and modifying the request, an attacker could submit content that should have been restricted, such as scripts, sensitive information, or inappropriate material.
To mitigate the risks associated with client-side validation, it is crucial to implement server-side validation. By shifting the validation logic from the client-side to the server-side, comprehensive checks can be performed, including authentication, data integrity, and authorization verification. This approach ensures that user input is thoroughly validated before further processing, reducing the potential for exploitation.