Java - Client Side Restriction Bypass
Running the app on Docker
Now that the app is running, let's go hacking!
Reconnaissance
The app allows us to select a number between 3 and 13 from the number input form. Let's also try typing numbers outside that interval directly into the field.
![](https://skf.gitbook.io/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fblabla1337%2Fskf-labs%2Fmaster%2F.gitbook%2Fassets%2Fpython%2FClient-Side-Restriction-Bypass%2F1.png&width=768&dpr=4&quality=100&sign=7c9a3e68&sv=1)
![](https://skf.gitbook.io/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fblabla1337%2Fskf-labs%2Fmaster%2F.gitbook%2Fassets%2Fpython%2FClient-Side-Restriction-Bypass%2F2.png&width=768&dpr=4&quality=100&sign=27708bbf&sv=1)
![](https://skf.gitbook.io/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fblabla1337%2Fskf-labs%2Fmaster%2F.gitbook%2Fassets%2Fpython%2FClient-Side-Restriction-Bypass%2F3.png&width=768&dpr=4&quality=100&sign=ad02bb46&sv=1)
![](https://skf.gitbook.io/~gitbook/image?url=https%3A%2F%2Fraw.githubusercontent.com%2Fblabla1337%2Fskf-labs%2Fmaster%2F.gitbook%2Fassets%2Fpython%2FClient-Side-Restriction-Bypass%2F4.png&width=768&dpr=4&quality=100&sign=2dac4995&sv=1)
Exploitation
We could intercept the request in Burp and modify the submitted value:
Or alternatively, use devtools to modify the client-side restrictions directly:
Goal achieved! We were able to bypass the client-side restrictions.
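The lesson of this lab is that the `min`/`max` attributes on the number input are a usability aid, not a security control: anything enforced only in the browser can be changed in Burp or devtools before the request leaves the client. The fix is to repeat the check on the server. The following is an added example, not code from the SKF lab itself: a framework-independent validation routine that re-derives the 3 to 13 interval on the server, rejects anything that is not a plain integer, and returns a 400-style result for everything else. The parameter name and the handler shape are assumptions; the lab's real handler is not shown on this page.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

// Added example (not the SKF lab's own code): the server enforces the
// 3..13 interval itself instead of trusting the HTML input's min/max,
// which any client can strip or bypass (Burp, devtools, a raw HTTP client).
public class ServerSideRangeCheck {

    // Same interval the lab's form advertises on the client side.
    static final int MIN = 3;
    static final int MAX = 13;

    // Validates the raw request parameter (name assumed, e.g. "number").
    // Returns the accepted value, or empty when the input must be rejected.
    static Optional<Integer> validateNumber(String rawParam) {
        if (rawParam == null) {
            return Optional.empty();            // parameter missing entirely
        }
        String trimmed = rawParam.trim();
        // Accept only a plain decimal integer; "7.5", "1e1", "abc", "" are rejected.
        // At most 9 digits, so Integer.parseInt cannot overflow below.
        if (!trimmed.matches("-?\\d{1,9}")) {
            return Optional.empty();
        }
        int value = Integer.parseInt(trimmed);
        if (value < MIN || value > MAX) {
            return Optional.empty();            // outside the allowed interval
        }
        return Optional.of(value);
    }

    // Minimal handler sketch: status line plus body, independent of any servlet framework.
    static String handle(String rawParam) {
        return validateNumber(rawParam)
                .map(n -> "200 OK: number=" + n)
                .orElse("400 Bad Request: number must be an integer between "
                        + MIN + " and " + MAX);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: legitimate values plus the kind of tampered
        // values the lab shows being submitted past the client-side control.
        // Arrays.asList is used because List.of() rejects null elements.
        List<String> samples = Arrays.asList(
                "3", "13", "8", "2", "14", "1000", "-5", "abc", "7.5", "1e1", "", null);
        for (String s : samples) {
            System.out.printf("%-6s -> %s%n", s, handle(s));
        }
    }
}
```

Running `main` shows the first three inputs accepted and every other sample rejected with the same 400 message. The regex check before `parseInt` matters: without it, exceptions on non-numeric input would surface as 500 errors and the validation logic would be skipped rather than applied.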