Web application security - the fast guide Chapter 5: Attack Execution - the client | Page 21
Client-side-only validation
Attack requirement
1. No server-side form validation: the server accepts whatever the browser sends and relies on the JavaScript checks in the page, which a legitimate browser satisfies by sending only valid values.
Attack process
1. Using a proxy (such as Burp), capture the response that contains the page with the form.
2. Alter the form values to those required for the intended attack, for example a SQL injection payload.
3. Alter the JavaScript validation: disable it, or make the validation function return "valid" whatever value is entered.
4. Release the altered response and submit the form. The same result is obtained by intercepting the submitted request in the proxy and editing the field values there, since the client-side check has already run and never sees the values that reach the server.
2017-05-10
Flow (diagram): web form with client-only validation -> intercept the request with a proxy like Burp -> manipulate values and add malicious content (SQL injection) -> retransmit with the malicious contents -> no server validation -> server sends a privileged response to the client and/or executes the malicious code.
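The attack process above and the flow in the diagram, as an added example that is not part of the original slides: a browser-side check mirrored in Python, the proxy path that skips it, a server that trusts the values and concatenates them into SQL, and the hardened server that re-validates and binds parameters. The username rule, the users table, the query and the payload are all constructed assumptions for illustration.

```python
"""Added example (not from the slides): client-side-only validation bypassed
by writing the form body directly, then the server-side fix.

Everything here is constructed for illustration: the username rule, the
users table and the SQL query are assumptions, not from the original page.
"""
import re
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed form rule: the page's JavaScript only accepts 3-16 word characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")


def client_side_validate(username: str) -> bool:
    """Mirror of the (hypothetical) browser-side JavaScript check. It runs only
    in the browser; attack step 3 replaces it with the equivalent of
    `function validate() { return true; }` or removes it entirely."""
    return bool(USERNAME_RE.match(username))


def browser_submit(username: str) -> Optional[str]:
    """Honest browser: sends the urlencoded body only if the JS check passes."""
    if not client_side_validate(username):
        return None
    return urlencode({"username": username})


def proxy_submit(username: str) -> str:
    """Attacker path: the body is written or edited in the proxy (Burp), so the
    client-side check never sees the value that reaches the server."""
    return urlencode({"username": username})


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, one privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def field(body: str, name: str) -> str:
    """Read one field from an application/x-www-form-urlencoded body."""
    return parse_qs(body).get(name, [""])[0]


def vulnerable_lookup(conn: sqlite3.Connection, body: str) -> List[Tuple[str, str]]:
    """The diagram's 'no server validation' box: trusts the body and builds SQL
    by string concatenation, so an injected quote rewrites the query."""
    username = field(body, "username")
    sql = f"SELECT name, role FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, body: str) -> List[Tuple[str, str]]:
    """Fix: re-validate on the server with the same rule the JavaScript used,
    and bind the value as a parameter instead of splicing it into the SQL."""
    username = field(body, "username")
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")  # the handler would answer 400 here
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"  # classic tautology injection, constructed here
    conn = make_db()
    print("browser submits payload?", browser_submit(payload))  # None: JS blocks it
    body = proxy_submit(payload)
    print("vulnerable:", vulnerable_lookup(conn, body))  # both rows leak
    try:
        hardened_lookup(conn, body)
    except ValueError as err:
        print("hardened:", err)  # rejected before any SQL runs
```

The point to take from the two server functions is that the regular expression is the same in both places: client-side validation is a usability feature, and the server must apply its own copy of the rule (plus parameterised queries) because the proxy path never executes the browser's copy.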
Web Application Security Fast Guide (book slides), by Dr. Sami Khiami, slide 21