Security Knowledge Framework
  • Introduction
  • Auth Bypass
    • Python - Auth Bypass
    • NodeJS - Auth Bypass
  • Auth Bypass - 1
    • Python - Auth Bypass - 1
    • NodeJS - Auth Bypass - 1
    • Java - Auth Bypass - 1
  • Auth Bypass - 2
    • Python - Auth Bypass - 2
    • NodeJS - Auth Bypass - 2
    • Java - Auth Bypass - 2
  • Auth-bypass - 3
    • Python - Auth-bypass - 3
    • NodeJS - Auth-bypass - 3
    • Java - Auth-bypass - 3
  • Auth-bypass - Simple
    • Python - Auth-bypass - Simple
    • NodeJS - Auth-bypass - Simple
    • Java - Auth-bypass - Simple
  • Client Side Restriction Bypass
    • Python - Client Side Restriction Bypass
    • NodeJS - Client Side Restriction Bypass
    • Java - Client Side Restriction Bypass
  • Client Side Restriction Bypass - Harder
    • Python - Client Side Restriction Bypass - Harder
    • NodeJS - Client Side Restriction Bypass - Harder
    • Java - Client Side Restriction Bypass - Harder
  • Client Side Template Injection (CSTI)
    • Python - Client Side Template Injection (CSTI)
    • NodeJS - Client Side Template Injection (CSTI)
    • Java - Client Side Template Injection (CSTI)
  • Command Injection (CMD)
    • Python - Command Injection (CMD)
    • NodeJS - Command Injection (CMD)
    • Java - Command Injection (CMD)
  • Command Injection 2 (CMD-2)
    • Python - Command Injection 2 (CMD-2)
    • NodeJS - Command Injection 2 (CMD-2)
    • Java - Command Injection 2 (CMD-2)
  • Command Injection 3 (CMD-3)
    • Python - Command Injection 3 (CMD-3)
    • Java - Command Injection 3 (CMD-3)
  • Command Injection 4 (CMD-4)
    • Python - Command Injection 4 (CMD-4)
    • NodeJS - Command Injection 4 (CMD-4)
    • Java - Command Injection 4 (CMD-4)
  • Command Injection Blind (CMD-Blind)
    • Python - Command Injection Blind (CMD-Blind)
    • NodeJS - Command Injection Blind (CMD-Blind)
    • Java - Command Injection Blind (CMD-Blind)
  • Content-Security-Policy (CSP)
    • Python - Content-Security-Policy (CSP)
    • NodeJS - Content-Security-Policy (CSP)
    • Java - Content-Security-Policy (CSP)
  • CORS exploitation
    • Python - CORS exploitation
    • Java - CORS exploitation
  • Credentials Guessing
    • Python - Credentials Guessing
    • NodeJS - Credentials Guessing
    • Java - Credentials Guessing
  • Credentials Guessing - 2
    • Python - Credentials Guessing - 2
    • NodeJS - Credentials Guessing - 2
    • Java - Credentials Guessing - 2
  • Cross Site Scripting (XSS)
    • Python - XSS
    • NodeJS - XSS
    • Java - XSS
  • Cross Site Scripting - Attribute (XSS-Attribute)
    • Python - XSS-Attribute
    • NodeJS - XSS-Attribute
  • Cross Site Scripting - href (XSS-href)
    • Python - XSS-href
    • NodeJS - XSS-href
    • Java - XSS-href
  • Cross Site Scripting - DOM (XSS-DOM)
    • Python - XSS-DOM
    • NodeJS - XSS-DOM
    • Java - XSS-DOM
  • Cross Site Scripting - DOM-2 (XSS-DOM-2)
    • Python - XSS-DOM-2
    • NodeJS - XSS-DOM-2
    • Java - XSS-DOM-2
  • Cross Site Scripting - Stored (XSS-Stored)
    • Java - XSS-Stored
  • CSRF
    • Python - CSRF
    • NodeJS - CSRF
    • Java - CSRF
  • CSRF - Samesite
    • Python - CSRF-SameSite
    • NodeJS - CSRF-SameSite
    • Java - CSRF-SameSite
  • CSRF - Weak
    • Python - CSRF-Weak
    • NodeJS - CSRF-Weak
    • Java - CSRF-Weak
  • CSS Injection (CSSI)
    • Python - CSS Injection (CSSI)
    • NodeJS - CSS Injection (CSSI)
    • Java - CSS Injection (CSSI)
  • Deserialisation Java (DES-Java)
    • Java - Deserialisation Java (DES-Java)
  • Deserialisation Yaml (DES-Yaml)
    • Python - Deserialisation Yaml (DES-Yaml)
  • Deserialisation Pickle (DES-Pickle)
    • Python - Deserialisation Pickle (DES-Pickle)
  • Deserialisation Pickle 2 (DES-Pickle-2)
    • Python - Deserialisation Pickle 2 (DES-Pickle-2)
  • DoS Regex
    • Python - DoS Regex
    • NodeJS - DoS Regex
    • Java - DoS Regex
  • File upload
    • Python - File-Upload
    • NodeJS - File-Upload
    • Java - File-Upload
  • Formula Injection
    • Python - Formula Injection
    • NodeJS - Formula Injection
    • Java - Formula Injection
  • GraphQL DOS
    • Python - GraphQL DOS
  • GraphQL IDOR
    • Python - GraphQL IDOR
    • NodeJS - GraphQL IDOR
    • Java - GraphQL IDOR
  • GraphQL Injections
    • Python - GraphQL Injections
    • NodeJS - GraphQL Injections
    • Java - GraphQL Injections
  • GraphQL Introspection
    • Python - GraphQL Introspection
    • NodeJS - GraphQL Introspection
    • Java - GraphQL Introspection
  • GraphQL Mutations
    • Python - GraphQL Mutations
    • NodeJS - GraphQL Mutations
    • Java - GraphQL Mutations
  • Host Header Injection (Authentication Bypass)
    • Python - HttpOnly Session Hijacking XSS
  • HttpOnly Session Hijacking XSS
    • Python - HttpOnly Session Hijacking XSS
    • NodeJS - HttpOnly Session Hijacking XSS
    • Java - HttpOnly Session Hijacking XSS
  • Information Leakeage in Comments
    • Python - Information Leakeage in Comments
    • NodeJS - Information Leakeage in Comments
    • Java - Information Leakeage in Comments
  • Information Leakeage in Metadata
    • Python - Information Leakeage in Metadata
    • NodeJS - Information Leakeage in Metadata
    • Java - Information Leakeage in Metadata
  • Insecure Direct Object References (IDOR)
    • Python - Insecure Direct Object References (IDOR)
    • NodeJS - Insecure Direct Object References (IDOR)
    • Java - Insecure Direct Object References (IDOR)
  • JWT Null
    • Python - JWT Null
    • NodeJS - JWT Null
    • Java - JWT Null
  • JWT Secret
    • Python - JWT Secret
    • NodeJS - JWT Secret
    • Java - JWT Secret
  • Ldap Injection
    • Python - Ldap Injection
    • NodeJS - Ldap Injection
    • Java - Ldap Injection
  • Ldap Injection - harder
    • Python - Ldap Injection - harder
    • NodeJS - Ldap Injection - harder
    • Java - Ldap Injection - harder
  • Local File Inclusion 1 (LFI-1)
    • Python - Local File Inclusion 1 (LFI-1)
    • NodeJS - Local File Inclusion 1 (LFI-1)
    • Java - Local File Inclusion 1 (LFI-1)
  • Local File Inclusion 2 (LFI-2)
    • Python - Local File Inclusion 2 (LFI-2)
    • NodeJS - Local File Inclusion 2 (LFI-2)
    • Java - Local File Inclusion 2 (LFI-2)
  • Local File Inclusion 3 (LFI-3)
    • Python - Local File Inclusion 3 (LFI-3)
    • NodeJS - Local File Inclusion 3 (LFI-3)
    • Java - Local File Inclusion 3 (LFI-3)
  • Parameter Binding
    • Ruby - Parameter Binding
    • NodeJS - Parameter Binding
    • Java - Parameter Binding
  • Prototype Pollution
    • NodeJS - Prototype Pollution
  • Race Condition
    • Python - Race Condition
    • NodeJS - Race Condition
    • Java - Race Condition
  • Race Condition File-Write
    • Python - Race Condition File-Write
    • NodeJS - Race Condition File-Write
    • Java - Race Condition File-Write
  • Ratelimiting (Brute-force login)
    • Python - Ratelimiting
    • NodeJS - Ratelimiting
    • Java - Ratelimiting
  • Remote File Inclusion (RFI)
    • Python - Remote File Inclusion (RFI)
    • NodeJS - Remote File Inclusion (RFI)
    • Java - Remote File Inclusion (RFI)
  • Right To Left Override (RTLO)
    • Python - Right To Left Override (RTLO)
    • NodeJS - Right To Left Override (RTLO)
    • Java - Right To Left Override (RTLO)
  • Server Side Request Forgery (SSRF)
    • Python - Server Side Request Forgery (SSRF)
    • NodeJS - Server Side Request Forgery (SSRF)
  • Server Side Template Injection (SSTI)
    • Python - Server Side Template Injection (SSTI)
    • Java - Server Side Template Injection (SSTI)
  • Session Hijacking XSS
  • Session Puzzling
    • Python - Session Puzzling
    • NodeJS - Session Puzzling
    • Java - Session Puzzling
  • Session Management 1
    • Python - Session Management 1
  • SQLI (Union)
    • Python - SQLI (Union)
    • NodeJS - SQLI (Union)
    • Java - SQLI (Union)
  • SQLI Login Bypass
    • Python - Login Bypass
  • SQLI (Like)
    • Python - SQLI (Like)
    • NodeJS - SQLI (Like)
    • Java - SQLI (Like)
  • SQLI (Blind)
    • Python - SQLI (Blind)
    • NodeJS - SQLI (Blind)
    • Java - SQLI (Blind)
  • TLS Downgrade
    • Python - TLS Downgrade
  • Untrusted Sources (XSSI)
    • Python - Untrusted Sources (XSSI)
    • NodeJS - Untrusted Sources (XSSI)
    • Java - Untrusted Sources (XSSI)
  • URL Redirection
    • Python - URL Redirection
    • NodeJS - URL Redirection
    • Java - URL Redirection
  • URL Redirection - Harder
    • Python - URL Redirection - Harder
    • NodeJS - URL Redirection - Harder
    • Java - URL Redirection - Harder
  • URL Redirection - Harder-2
    • Python - URL Redirection - Harder-2
    • NodeJS - URL Redirection - Harder-2
    • Java - URL Redirection - Harder-2
  • WebSocket Message Manipulation
    • Python - WebSocket Message Manipulation
  • XML External Entity (XXE)
    • Python - XXE
    • NodeJS - XXE
    • Java - XXE
  • Exposed docker daemon
    • Python - Exposed docker daemon
  • Insecure Random
    • Python - Insecure Random
  • template item
Powered by GitBook
On this page
  • Running the app on Docker
  • Reconnaissance
  • Exploitation
  • Additional sources

Was this helpful?

Edit on GitHub
Export as PDF
  1. Client Side Restriction Bypass - Harder

NodeJS - Client Side Restriction Bypass - Harder

PreviousPython - Client Side Restriction Bypass - HarderNextJava - Client Side Restriction Bypass - Harder

Last updated 2 years ago

Was this helpful?

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:js-client-side-restriction-bypass-2
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-client-side-restriction-bypass-2

Now that the app is running let's go hacking!

Reconnaissance

As we have done with previous labs, be sure to start Burp Suite so you can play along!

Let us visit http://localhost:5000. It presents us with a familiar login screen.

For now, let's try user "admin" and password "admin". Which does let us inside!

We're told that the "admin" user really likes the color blue and that they enjoy feasting on apple pie. That's great news! And since we're logged in as the user "admin", we can even update our favorite color!

After submitting the form with a different color, the output has changed.

Let's take a look at Burp Suite's proxy history, to see what's happening in the background.

Burp shows us that a POST request was made to http://localhost:5000/updatecolor. The form was submitted with one key:value pair, being "color=Green".

Exploitation

Looking into the HTTP requests in Burp, there appear to be no hidden form values that would allow us to change admin's favorite food. But let's try something! Maybe the web app is trying to hide some things in plain sight by simply not including them in the user interface. We can make a few guesses about what to try, no?

We could just edit HTTP requests in Burp, making educated guesses.

If you right-click the POST request in Burp's proxy history, you can select "Send to Repeater". This will light up the Repeater tab in orange, showing that something new appeared. Over there, we can edit the request before submitting it.

Let's change the called URL to http://localhost:5000/updatefood and let's change the form key to "food". Then if we click the "Send" button, maybe we'll get lucky!

Alternatively, let's take a closer look at that front-end code! By right-clicking the form in our Chrome browser and choosing "Inspect" we can investigate the HTML in question.

What's this?!

The developer left us the clues right there in the HTML? And we manually did the hard work? No fair! Well, might as well use the form then!

If you right-click the commented text and choose "Edit as HTML" we can just remove the <!-- and --> comment markers. And presto, there's our other form which will let us change the favorite food as well.

Additional sources

Security research company Mitre maintains a list of common vulnerability types, with CWE registrations: Common Weakness Enumeration.

CWE - CWE-602: Client-Side Enforcement of Server-Side Security (4.6)
Logo