Bypass Client Side Validation in a website. Getting Admin.

A quick video showing why you need both server and client side input validation. Here we bypass client side validation using Burp Suite browser proxy to change our input from our valid credentials for the site to get logged in as admin with a simple SQL injection statement. Server side validation would prevent this attack. This method gets us admin in less than a minute, leaving us free to do whatever we want. Here we right a blog entry however we could obviously do a lot more with admin for the website.

This is a very basic demo to keep it simple, however it clearly shows the principles behind this type of attack. Filtering dangerous characters in the browser is not enough, you must perform server side checks as well.