
Built-in browser functions prove server-side validation necessary

2016-03-24 by Jason

Web developers can easily make a wrong assumption about what they place their trust in. You create a web application and test it to verify that it works to spec: it only allows certain functionality, requires certain fields, and displays the results. The problem arises when developers rely on the browser to provide one of the walls of the app’s security. “I don’t need to worry about X because the browser does not allow X.” That may be true of the browsers you tested against today, but what if they introduce that functionality in the future? What if a less popular browser behaves differently and doesn’t enforce your constraints?

The feature I will use in this article is built into popular browsers like Google Chrome and Mozilla Firefox. The ‘Inspect element’ feature is very helpful when you are trying to figure out which HTML and CSS is causing an effect on your website. You can even edit the page for a live preview, for example if you want to change the font size, text decoration, or padding of an element. It becomes a lot more interesting when it is not your website and you edit not just the CSS styling but the HTML content itself.

Real Life Example

I use a particular help desk software for its ticket functionality. It is completely free. You can have 1000 technicians (or more) and it is still free. It follows the support/freemium model: they make their money when you pay a subscription for support or pay for the add-on items. Despite the fact that it is free, you still need a license for the number of technicians that will be signing into the software.

My license for 200 technicians was going to expire so I headed over to their web form to request a new license. The problem with the form is that the drop-down to specify the number of technicians is limited to 100 technicians.

[Screenshot: 1stdform]

With that limitation of the form, I headed to the support site and submitted a message requesting a license for 200 technicians and specified that the form only allowed up to 100 technicians. Helpful as always, Support got back to me with a rambling email that eventually directed me back to the same form I had just visited.

Rather than try to convince Support about their own product, I took matters into my own hands. I simply right-clicked on the Technician drop-down on the form and chose Inspect.

[Screenshot: 2inspect]

This opened the developer console and showed me the HTML and CSS behind the page’s rendering. This is similar to choosing ‘View page source’, but it lets me tinker with the code as a live preview. I went through the code until I found the ‘option’ elements of the drop-down.

[Screenshot: 3code]

Once I found the code, I changed the value of one of the options in the drop-down to 250. For kicks and giggles, I changed another line to display Marshmallows with a value of Puppies. The value is the part that is actually submitted to the server, so I now had an option that would submit my request for a license of more than 100 technicians.

[Screenshot: 4modify]

Once I made the change to the code, it was reflected in the actual webpage above. I visited the drop-down field and saw my new entries of ‘250’ and ‘marshmallows’. I filled out the rest of the form and chose 250 technicians. I submitted the form and I was provided with a download to a license for 250 technicians.

[Screenshot: 5modifiedform]

Conclusions

This is a pretty innocent use of the technique, but it demonstrates that this company could not rely on the browser to enforce their limitation of 100 technicians even if they wanted to. Instead, the server would need to apply a little logic to the submission to decide whether a license should be generated. Just because you code limited options into a form, it does not mean that the browser will honor your wishes.
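To show what that “little logic” on the server looks like, here is an added example (not code from the original post or from the help desk vendor) that handles the license form two ways: a naive handler that trusts whatever the browser sends, and a validated handler that re-applies the drop-down’s 1–100 constraint. The field name `technicians`, the allowed range and the handler names are assumptions for illustration.

```python
# Added example: server-side validation for the license-request form.
# Field name, allowed range and handler names are assumed, not from the page.
from dataclasses import dataclass
from typing import Optional

# Constructed to mirror the drop-down: the form only ever offered 1..100.
ALLOWED_TECHNICIAN_COUNTS = frozenset(range(1, 101))


@dataclass
class LicenseResult:
    granted: bool
    technicians: Optional[object]
    reason: str


def naive_handler(form: dict) -> LicenseResult:
    """Trusts the browser: whatever 'technicians' value arrives is used."""
    value = form.get("technicians")
    # An edited <option value="..."> is accepted as-is, e.g. "250" or "Puppies".
    return LicenseResult(True, value, "issued without validation")


def validated_handler(form: dict) -> LicenseResult:
    """Re-applies the form's constraint on the server, where it can be trusted."""
    raw = form.get("technicians")
    if raw is None:
        return LicenseResult(False, None, "missing technicians field")
    # Only ASCII digit strings are integers we will parse; rejects "Puppies",
    # "-5", "1e3" and "" before int() ever sees them.
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
        return LicenseResult(False, None, f"not an integer: {raw!r}")
    count = int(raw)
    if count not in ALLOWED_TECHNICIAN_COUNTS:
        return LicenseResult(False, None, f"{count} is outside the offered range")
    return LicenseResult(True, count, "ok")


# Constructed submissions: the untouched form and the two edited options.
SUBMISSIONS = {
    "normal": {"technicians": "100", "company": "Example Co"},
    "edited_250": {"technicians": "250", "company": "Example Co"},
    "marshmallows": {"technicians": "Puppies", "company": "Example Co"},
}

if __name__ == "__main__":
    for name, form in SUBMISSIONS.items():
        print(name, naive_handler(form), validated_handler(form), sep="\n  ")
```

The naive handler happily issues the 250-technician license from the story; the validated one refuses both edited options while still accepting the genuine 100.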

In another example, I modified a news site’s headlines to completely rewrite history. Less innocently, someone might use the same freedom to edit submitted values to mount an SQL injection attack against a server that trusts its form input, compromising the server, your data, or future visitors.

[Screenshot: headlines]
