Web Input Validation Bypass

TL;DR

Web application input validation is often a first line of defence against attacks. However, it’s frequently flawed. This guide shows common bypass techniques and how to protect your applications.

Understanding the Problem

Input validation checks what data users enter into forms or URLs. If not done correctly, attackers can send malicious input that breaks the application logic, steals data, or executes harmful code. Common vulnerabilities include:

• Client-Side Validation: Only checking data in the browser. Easily bypassed by disabling JavaScript or modifying requests.
• Insufficient Server-Side Validation: Not thoroughly checking all possible malicious inputs on the server.
• Blacklisting instead of Whitelisting: Trying to block bad characters/patterns instead of allowing only known good ones.

Bypass Techniques

1. Basic Encoding: Try URL encoding, HTML entity encoding, or Base64 encoding to disguise malicious input.
   • URL Encoding: Replace spaces with %20, special characters with their encoded equivalents (e.g., < becomes %3C).
   • HTML Entity Encoding: Replace characters like < with <.
2. Case Manipulation: Some validations are case-sensitive. Try changing the case of input (e.g., SCRIPT instead of script).
3. Double Encoding: Encode a character twice. The server might decode it once, leaving the malicious character intact.

   Example: <script> encoded as %3Cscript%3E

4. Whitespace and Comments: Insert whitespace or HTML/SQL comments to break validation patterns.

   Example: <scriptalert(1)</script>

5. Using Alternative Syntax: For languages like JavaScript, try different ways of writing the same command.

   Example: Instead of alert('XSS'), use eval("alert('XSS')")

6. Bypassing Blacklists with Similar Characters: Use characters that look similar to blacklisted ones (e.g., a instead of a).
7. Exploiting Regular Expression Flaws: If the validation uses a regular expression, find ways to craft input that matches the regex but isn’t valid.
   • Look for overly permissive patterns or missing anchors (^ and $) in the regex.
8. HTTP Parameter Pollution: Send multiple parameters with the same name. The server might process only one, potentially bypassing validation on others.

   Example: ?param=safe&param=<script>alert(1)</script>

Protecting Your Applications

1. Server-Side Validation is Essential: Never rely solely on client-side validation. Always validate all input on the server.
2. Whitelisting over Blacklisting: Define what is allowed, not what isn’t. This is much more secure.

   Example: Allow only alphanumeric characters and spaces in a username field.

3. Input Sanitization: Remove or encode potentially harmful characters before processing the input.
   • Use appropriate encoding functions for the context (e.g., HTML entity encoding for displaying data, SQL escaping for database queries).
4. Regular Expression Best Practices: Use well-tested and secure regular expressions with proper anchors (^ and $) to match the entire input string.
5. Content Security Policy (CSP): Implement CSP to control which resources the browser is allowed to load, mitigating XSS attacks.
6. Regular Security Audits: Regularly test your application for vulnerabilities using automated tools and manual penetration testing.