[Web Application Hacking] Ch 5. Bypassing Client-Side Controls

Moved to Notion · November 11, 2023

Introduction

In many web applications, a large share of user data is handled on the client side.
This design is inherently risky because client-side logic runs entirely within the user's control: anything the client computes or sends can be altered before it reaches the server.

Let's take a closer look at some instances corresponding to this case.

Hidden Form Fields

Hidden HTML form fields are a common mechanism for transmitting data without the user's knowledge.
Here's an example. As rendered in the browser, the user sees:

Product: iPhone 5
Price: 449
Quantity: (Maximum quantity is 50)

The underlying HTML is:

<form method="post" action="Shop.aspx?prod=1">
Product: iPhone 5 <br/>
Price: 449 <br/>
Quantity: <input type="text" name="quantity"> (Maximum quantity is 50)
<br/>
<input type="hidden" name="price" value="449">  ← This is vulnerable!
<input type="submit" value="Buy">
</form>

In this instance, a malicious user can modify the "price" field to make the purchase at a lower cost. If the price is set to a negative amount, some applications may even issue a refund to the user's credit card for the amount that was submitted.

Opaque Data

Sometimes, data transmitted via the client is not readily intelligible because it has been encrypted or obfuscated in some way. The rendered form looks the same as before:

Product: Nokia Infinity
Price: 699
Quantity: (Maximum quantity is 50)

The underlying HTML now carries an additional opaque value:

<form method="post" action="Shop.aspx?prod=4">
Product: Nokia Infinity <br/>
Price: 699 <br/>
Quantity: <input type="text" name="quantity"> (Maximum quantity is 50)
<br/>
<input type="hidden" name="price" value="699">
<input type="hidden" name="pricing_token"
value="E76D213D291B8F216D694A34383150265C989229"> ← This may be vulnerable!
<input type="submit" value="Buy">
</form>

In this situation, there are three attack points:

  1. If the plaintext corresponding to the opaque value is known, attempt to work out the obfuscation algorithm.

  2. Submit the obfuscated string taken from a different item to check whether a replay attack is possible.

  3. Manipulate the opaque data to see how the server-side logic behaves when decryption or validation fails.
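The three attack points above are, from the server's side, three properties an opaque token must have: it must be a keyed MAC rather than a reversible encoding (point 1), it must be bound to the product it was issued for so it cannot be replayed across items (point 2), and verification must fail closed with a generic error while logging the details (point 3). The following Python is an added example written for this post, not code from the book or from any real shop; `SERVER_KEY`, `CATALOG`, `AUDIT_LOG` and the `checkout` handler are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example. A real deployment keeps it
# in configuration or a key store; it never reaches the client.
SERVER_KEY = secrets.token_bytes(32)

# Constructed catalog standing in for the server's price database.
CATALOG = {"1": "449", "4": "699"}

# Server-side record of rejected requests, for detection (constructed).
AUDIT_LOG = []


def issue_pricing_token(prod: str, price: str, key: bytes = SERVER_KEY) -> str:
    """Keyed MAC over every field the token vouches for. Binding the product id
    into the message is what stops a token minted for one item from being
    replayed for another (attack point 2)."""
    message = f"{prod}|{price}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_pricing_token(prod: str, price: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Constant-time comparison. A malformed, truncated or non-ASCII token just
    fails; no exception escapes that could reveal how the server parses it."""
    if not isinstance(token, str):
        return False
    expected = issue_pricing_token(prod, price, key).encode()
    return hmac.compare_digest(expected, token.encode("utf-8", "replace"))


def checkout(prod: str, form: dict, key: bytes = SERVER_KEY) -> dict:
    """Server-side handler. The token is accepted only if it validates for this
    product and this price, and the price is still cross-checked against the
    catalog so a genuine but stale token cannot be honoured either."""
    catalog_price = CATALOG.get(prod)
    if catalog_price is None:
        return {"ok": False, "error": "invalid request"}
    submitted_price = form.get("price", "")
    token = form.get("pricing_token", "")
    if not verify_pricing_token(prod, submitted_price, token, key):
        # Details go to the server log; the client only sees a generic error
        # (attack point 3 probes precisely for verbose failure messages).
        AUDIT_LOG.append(("token_rejected", prod, submitted_price, token[:16]))
        return {"ok": False, "error": "invalid request"}
    if submitted_price != catalog_price:
        AUDIT_LOG.append(("price_mismatch", prod, submitted_price, catalog_price))
        return {"ok": False, "error": "invalid request"}
    return {"ok": True, "prod": prod, "price": catalog_price}


if __name__ == "__main__":
    token = issue_pricing_token("4", CATALOG["4"])
    print("genuine:", checkout("4", {"price": "699", "pricing_token": token}))
    print("tampered price:", checkout("4", {"price": "1", "pricing_token": token}))
    print("replayed on prod 1:", checkout("1", {"price": "699", "pricing_token": token}))
    print("audit log:", AUDIT_LOG)
```

The simplest mitigation is still not to transmit the price at all and look it up by product id on the server; the token design above is for the case where a value genuinely has to round-trip through the client.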

ASP.NET ViewState

One commonly used mechanism for transmitting opaque data via the client is the ASP.NET ViewState.
It is sent to the server as a hidden field containing serialized data that accumulates the client-side state of the current page.

To use ViewState, the server-side code is constructed as follows:


string price = getPrice(prodno);
ViewState.Add("price", price);

The form returned to the client now looks something like this:


<form method="post" action="Shop.aspx?prod=3">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwULLTE1ODcxNjkwNjIPFgIeBXByaWNlBQMzOTlkZA==" /> ← The difference from the previous example lies here!
Product: HTC Avalanche <br/>
Price: 399 <br/>
Quantity: <input type="text" name="quantity"> (Maximum quantity is 50)
<br/>
<input type="submit" value="Buy">
</form>

The ViewState value is a Base64-encoded string carrying the serialized user data (such as the price); it can be combined with a keyed hash (known as MAC protection) to protect it from tampering.

The Burp Suite ViewState Parser extension decodes the value and indicates whether MAC protection is enabled:
https://github.com/raise-isayan/ViewStateDecoder
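The Base64 layer is the only thing standing between the reader and the serialized values, so the first check an application owner should run on their own pages is whether sensitive data is visible in the ViewState at all. The Python below is an added example for this post (not the Burp extension's code and not from the book); it decodes the `__VIEWSTATE` value from the form above, which is the page's own sample, and the `viewstate_exposes` audit helper is a constructed name.

```python
import base64
import re

# The __VIEWSTATE value from the HTC Avalanche form above (the page's own sample).
SAMPLE_VIEWSTATE = "/wEPDwULLTE1ODcxNjkwNjIPFgIeBXByaWNlBQMzOTlkZA=="


def decode_viewstate(value: str) -> bytes:
    """ViewState is plain Base64; no key is needed to recover the bytes."""
    return base64.b64decode(value)


def is_aspnet_viewstate(raw: bytes) -> bool:
    """ObjectStateFormatter output starts with the bytes 0xFF 0x01, which is
    why ASP.NET 2.0+ ViewState strings begin with '/wE'."""
    return raw[:2] == b"\xff\x01"


def printable_strings(raw: bytes, min_len: int = 3) -> list:
    """Runs of printable ASCII, the same 'strings'-style view an analyst takes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, raw)]


def viewstate_exposes(value: str, needles) -> dict:
    """Audit helper: which of the given sensitive values appear in cleartext?"""
    found = printable_strings(decode_viewstate(value))
    return {n: any(n in s for s in found) for n in needles}


if __name__ == "__main__":
    raw = decode_viewstate(SAMPLE_VIEWSTATE)
    print("ASP.NET ViewState:", is_aspnet_viewstate(raw))
    print("cleartext strings:", printable_strings(raw))
    print("exposed:", viewstate_exposes(SAMPLE_VIEWSTATE, ["price", "399"]))
```

On the sample value the decoded bytes contain the field name `price` and the value `399` immediately readable. MAC protection only detects tampering; it does not hide the contents. In ASP.NET both concerns are addressed in web.config through the `<pages>` element's `enableViewStateMac` and `viewStateEncryptionMode` attributes, and the price should in any case be re-read from the server's own data rather than from the ViewState.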

Disabled Elements

If an HTML form is structured as follows:


<form method="post" action="Shop.aspx?prod=5">
Product: Blackberry Rude <br/>
Price: <input type="text" disabled="true" name="price" value="299"> ← Take note of the 'disabled' attribute here.
<br/>
Quantity: <input type="text" name="quantity"> (Maximum quantity is 50)
<br/>
<input type="submit" value="Buy">
</form>

The 'price' field appears grayed out and is not submitted to the server; in other words, it is currently not in use.
However, some applications still process the parameter in their server-side functions, so they become vulnerable if a request is crafted that supplies a value for the disabled field.
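The hidden-field example (iPhone 5) and the disabled-field example (Blackberry Rude) share one root cause: the server computes the order from a price parameter the client supplied. The Python below is an added example written for this post, not code from the book or from any real shop, and `CATALOG`, `AUDIT_LOG`, `MAX_QUANTITY` and the two handler names are constructed. It sets the vulnerable handler beside a hardened one that never reads a price from the request, validates the quantity against the advertised limit, and records any unexpected price parameter for detection.

```python
from decimal import Decimal

# Constructed catalog standing in for the server's price database.
CATALOG = {
    "1": ("iPhone 5", Decimal("449")),
    "5": ("Blackberry Rude", Decimal("299")),
}
MAX_QUANTITY = 50      # the limit the page advertises; enforced here, not in HTML
AUDIT_LOG = []         # constructed stand-in for server-side logging


class OrderError(ValueError):
    """Raised for any request the server refuses to price."""


def vulnerable_checkout(prod: str, form: dict) -> Decimal:
    """The pattern the chapter warns about: the total is computed from a
    'price' parameter the client sent, whether it originated in a hidden
    field or in a field that was merely 'disabled' in the page."""
    return Decimal(form["price"]) * int(form["quantity"])


def hardened_checkout(prod: str, form: dict) -> Decimal:
    """Price is never read from the request; it is looked up by product id.
    Quantity is validated server-side against the same limit the page shows."""
    if prod not in CATALOG:
        raise OrderError("unknown product")
    _, price = CATALOG[prod]
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise OrderError("quantity must be an integer") from None
    if not 1 <= quantity <= MAX_QUANTITY:
        raise OrderError("quantity out of range")
    # A hardened form never emits a price parameter, so one arriving here means
    # the request was crafted. The value is ignored but recorded for detection.
    if "price" in form:
        AUDIT_LOG.append(("client_supplied_price", prod, form["price"]))
    return price * quantity


def rejects(prod: str, form: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_checkout(prod, form)
    except OrderError:
        return True
    return False


if __name__ == "__main__":
    crafted = {"price": "-449", "quantity": "1"}
    print("vulnerable total:", vulnerable_checkout("1", crafted))   # negative: refund
    print("hardened total:  ", hardened_checkout("1", crafted))     # catalog price
    print("over limit rejected:", rejects("5", {"quantity": "51"}))
    print("audit log:", AUDIT_LOG)
```

The same rule covers the ViewState case earlier in the post: whatever the page stored client-side, the authoritative price is the one the server fetches at checkout time.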

Browser Extensions

Browser extension technologies share several security-relevant properties:

  1. They are compiled to an intermediate bytecode.
  2. They execute in a virtual machine that provides a sandboxed environment.
  3. They may use remoting frameworks that employ serialization to transmit complex data structures and objects over HTTP.

Java

One of the most commonly used browser extension technologies is Java.
