T 5.168 Bypassing security functions of web applications implemented on the client side
Web applications are usually accessed using generic clients (for example web browsers). These clients can normally be configured and adapted by the user. They are therefore not under the control of the web application and can be manipulated arbitrarily by an attacker who has access to the client. In particular, security functions implemented on the client side can be disabled. If no additional safeguards exist on the server side, an attacker can then access the resources of the web application unchecked.
Examples:
- The validation of entered data is implemented only in JavaScript on the client side. If JavaScript support is deactivated on the client, the validation function is not executed and is thus bypassed. Any entered data (such as malicious code) can then be sent to the web application and processed without being checked. An attacker can exploit this to transmit unauthorised commands to the background systems of the web application (e.g. database queries that perform a SQL injection).
- The web application checks only a parameter set on the client side for authentication (e.g. admin=true). If an attacker knows this parameter, he can set it manually and use it to log in to the web application without knowing the access data.
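The following added example (not part of the catalogue text) shows the server-side safeguards that both examples above call for: the authorisation decision is derived from a server-side session instead of a client-supplied parameter, and entered data is re-validated and bound as a query parameter on the server regardless of any client-side JavaScript check. The request and session objects are constructed stand-ins for a web framework; the user table is a constructed SQLite database.

```python
import re
import sqlite3

# Constructed server-side session store: the role is assigned by the server and is never
# taken from anything the client sends apart from the opaque session identifier.
SESSIONS = {"sess-alice": {"user": "alice", "role": "user"},
            "sess-root": {"user": "root", "role": "admin"}}

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def is_admin_insecure(request):
    """Weak pattern from the catalogue entry: trusts a client-controlled parameter."""
    return request["params"].get("admin") == "true"

def is_admin(request):
    """Hardened: derive the role from the server-side session bound to the session cookie."""
    session = SESSIONS.get(request["cookies"].get("session_id"))
    return session is not None and session["role"] == "admin"

def validate_username(value):
    """Server-side re-validation; the JavaScript check on the client cannot be relied on."""
    return bool(USERNAME_RE.fullmatch(value or ""))

def lookup_user(conn, request):
    """Validate on the server and bind the value as a parameter, so that unchecked client
    data cannot alter the SQL statement even when client-side validation was bypassed."""
    name = request["params"].get("username", "")
    if not validate_username(name):
        return {"status": 400, "body": "invalid username"}
    row = conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": {"name": row[0], "email": row[1]}}

def setup_db():
    """Constructed in-memory user table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.org')")
    return conn

if __name__ == "__main__":
    conn = setup_db()
    req = {"params": {"admin": "true", "username": "alice"}, "cookies": {"session_id": "sess-alice"}}
    print("insecure check grants admin:", is_admin_insecure(req))
    print("session-based check grants admin:", is_admin(req))
    print(lookup_user(conn, req))
```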