Excessive trust in client-side controls
The “Excessive trust in client-side controls” lab demonstrates a common and important mistake in web applications: relying on data controlled by the user’s browser to enforce critical business logic. The application allows a user to buy a product, but it trusts values sent in the body of the POST request, specifically the price of the item. Instead of enforcing the correct price on the server, it accepts whatever price the client supplies and processes the transaction with it. An attacker can therefore change the cost of a product simply by modifying the request before it reaches the server.
During the purchase flow, the application sends a POST request containing parameters such as the product ID, the quantity, and the price. A value like price should never be under client control, because it is part of the core business logic rather than user input. In this lab, however, the price parameter is neither validated nor recalculated on the backend. A user who intercepts the request with an intercepting proxy and rewrites the price to something extremely low, such as 0.01, finds that the server accepts it and completes the order using the modified value. No special tooling beyond the proxy is needed, since the parameter is a plain form field.
The main issue is not input manipulation as such, but the absence of server-side enforcement of trusted data. The server assumes the client is honest, which is a flawed assumption in any security context: HTTP requests can be intercepted and modified, so every value arriving from the client must be treated as untrusted. A secure backend ignores any price value sent by the client, retrieves the correct price from a trusted source such as the product database, and computes the total from the product ID and quantity. The final amount then cannot be altered by the user, no matter what the request contains.
This vulnerability is particularly dangerous because it directly impacts financial transactions. An attacker could exploit it to purchase high-value items for almost nothing, causing financial loss to the business. In more complex systems, similar flaws could also be used to manipulate discounts, bypass pricing rules, or exploit promotional logic. It highlights how even small design mistakes in handling input data can lead to serious consequences when they affect core application logic.
The root cause is a failure of secure design rather than a missing filter. Instead of treating the client as an untrusted environment, the application lets it influence a critical decision. This violates a fundamental rule of web security: the server must be the authority for sensitive data. Client-side controls, whether hidden form fields, disabled inputs, or JavaScript validation, are useful for user experience only; they cannot enforce security or business rules, because every one of them is under the attacker’s control.
To fix this vulnerability, the application should ignore any price value provided in the request and accept only non-sensitive identifiers, namely the product ID and the quantity. The server must then fetch the correct price from its database and calculate the final amount internally. The remaining client-supplied values still need validation: the product ID must exist in the catalog, and the quantity must be a positive integer within a sensible upper bound, since business rules about quantity are just as much the server’s responsibility as the price. Finally, a request that carries a price differing from the catalog value is a clear sign of tampering, so it is worth logging rather than silently discarding.
Overall, this lab illustrates why trusting client-side input is dangerous and reinforces the importance of server-side validation in secure web application design.
Examples:
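The following example is added here to illustrate the flaw and its fix; it is not code from the lab or from PortSwigger. It models the add-to-cart handler as a plain Python function over a URL-encoded POST body. The parameter names (productId, quantity, price), the catalog contents, and the quantity limit are assumptions chosen for the example; the catalog dictionary stands in for the server’s database.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed stand-in for the server-side product table (assumption: in the
# real application this lookup hits the database).
CATALOG = {
    "1": Decimal("1337.00"),
    "2": Decimal("45.99"),
}

# Assumed business rule: no more than this many units per line item.
MAX_QUANTITY = 99


def parse_form(body: str) -> dict:
    """Flatten a URL-encoded POST body into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_add_to_cart(body: str) -> Decimal:
    """The flawed handler: the line total is whatever the client says it is."""
    form = parse_form(body)
    quantity = int(form["quantity"])
    price = Decimal(form["price"])          # trusts a client-controlled value
    return price * quantity


def hardened_add_to_cart(body: str) -> Decimal:
    """The fixed handler: only productId and quantity are read from the
    request; the price comes from the catalog and the total is computed
    server-side."""
    form = parse_form(body)

    product_id = form.get("productId")
    if product_id not in CATALOG:
        raise ValueError("unknown product")

    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("quantity out of range")

    # Any 'price' field in the request is deliberately ignored.
    return CATALOG[product_id] * quantity


def client_price_tampered(body: str) -> bool:
    """Detection hook: True when the request carries a price that disagrees
    with the catalog. An unmodified browser submission never does, so a
    mismatch is worth logging as a tampering attempt."""
    form = parse_form(body)
    product_id = form.get("productId")
    if "price" not in form or product_id not in CATALOG:
        return False
    try:
        return Decimal(form["price"]) != CATALOG[product_id]
    except InvalidOperation:
        return True


if __name__ == "__main__":
    # Constructed request body shaped like the add-to-cart POST (assumed
    # parameter names); the attacker has rewritten price in the proxy.
    tampered = "productId=1&quantity=1&price=0.01"
    print("vulnerable:", vulnerable_add_to_cart(tampered))   # 0.01
    print("hardened:  ", hardened_add_to_cart(tampered))     # 1337.00
    print("tampered?: ", client_price_tampered(tampered))    # True
```

The hardened handler deliberately reads the body through the same parser as the vulnerable one, so the only difference is where the price comes from; that is the whole fix. Decimal is used for money so that totals do not pick up floating-point rounding, and the detection function is kept separate from the handler so it can feed a log or alert without affecting the purchase path.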