bypass front-end restrictions (javascript validation)
This commit is contained in:
Michal Smolík
committed by
Nanne Baars
Nanne Baars
parent
01421ca822
commit
870fa000aa
@ -0,0 +1,124 @@
|
||||
<!DOCTYPE html>
|
||||
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- stripped down without extra comments -->
|
||||
<div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
|
||||
method="POST"
|
||||
action="/WebGoat/BypassRestrictions/FieldRestrictions"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
|
||||
<div>Select field with two possible values</div>
|
||||
<select name="select">
|
||||
<option value="option1">Option 1</option>
|
||||
<option value="option2">Option 2</option>
|
||||
</select>
|
||||
<div>Radio button with two possible values</div>
|
||||
<input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br />
|
||||
<input type="radio" name="radio" value="option2" /> Option 2<br />
|
||||
<div>Checkbox: value either on or off</div>
|
||||
<input type="checkbox" name="checkbox" checked="checked"/> Checkbox
|
||||
<div>Input restricted to max 5 characters</div>
|
||||
<input type="text" value="12345" name="shortInput" maxlength="5"/>
|
||||
<div>Disabled input field</div>
|
||||
<input type="submit" value="submit"/>
|
||||
|
||||
</form>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
|
||||
<form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation"
|
||||
id="frontendValidation"
|
||||
method="POST"
|
||||
action="/WebGoat/BypassRestrictions/frontendValidation/"
|
||||
enctype="application/json;charset=UTF-8"
|
||||
onsubmit="return validate()">
|
||||
<div>
|
||||
Field1: exactly three lowercase characters(^[a-z]{3}$)
|
||||
</div>
|
||||
<div>
|
||||
<textarea cols="25" name="field1" rows="1">abc</textarea>
|
||||
</div>
|
||||
<p></p>
|
||||
<div>Field2: exactly three digits(^[0-9]{3}$)</div>
|
||||
<div>
|
||||
<textarea cols="25" name="field2" rows="1">123</textarea>
|
||||
</div>
|
||||
<p></p>
|
||||
<div>Field3: letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div>
|
||||
<div>
|
||||
<textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
|
||||
</div>
|
||||
<p></p>
|
||||
<div>Field4: enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)</div>
|
||||
<div>
|
||||
<textarea cols="25" name="field4" rows="1">seven</textarea>
|
||||
</div>
|
||||
<p></p>
|
||||
<div>Field5: simple zip code (^\d{5}$)</div>
|
||||
<div>
|
||||
<textarea cols="25" name="field5" rows="1">01101</textarea>
|
||||
</div>
|
||||
<p></p>
|
||||
<div>Field6: zip with optional dash four (^\d{5}(-\d{4})?$)</div>
|
||||
<div>
|
||||
<textarea cols="25" name="field6" rows="1">90210-1111</textarea>
|
||||
</div>
|
||||
<p></p>
|
||||
<div>Field7: US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div>
|
||||
<div>
|
||||
<textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
|
||||
</div>
|
||||
<input type="hidden" value="" name="error" />
|
||||
<p><input type="submit" value="Submit" /></p>
|
||||
</form>
|
||||
|
||||
<script>
|
||||
let regex1=/^[a-z]{3}$/;
|
||||
let regex2=/^[0-9]{3}$/;
|
||||
let regex3=/^[a-zA-Z0-9 ]*$/;
|
||||
let regex4=/^(one|two|three|four|five|six|seven|eight|nine)$/;
|
||||
let regex5=/^\d{5}$/;
|
||||
let regex6=/^\d{5}(-\d{4})?$/;
|
||||
let regex7=/^[2-9]\d{2}-?\d{3}-?\d{4}$/;
|
||||
var validate = function() {
|
||||
let msg='JavaScript found form errors';
|
||||
let err=0;
|
||||
if (!regex1.test(document.frontendValidation.field1.value)) {err+=1; msg+='\n bad field1';}
|
||||
if (!regex2.test(document.frontendValidation.field2.value)) {err+=1; msg+='\n bad field2';}
|
||||
if (!regex3.test(document.frontendValidation.field3.value)) {err+=1; msg+='\n bad field3';}
|
||||
if (!regex4.test(document.frontendValidation.field4.value)) {err+=1; msg+='\n bad field4';}
|
||||
if (!regex5.test(document.frontendValidation.field5.value)) {err+=1; msg+='\n bad field5';}
|
||||
if (!regex6.test(document.frontendValidation.field6.value)) {err+=1; msg+='\n bad field6';}
|
||||
if (!regex7.test(document.frontendValidation.field7.value)) {err+=1; msg+='\n bad field7';}
|
||||
document.frontendValidation.error.value = err
|
||||
if ( err > 0 ) {
|
||||
alert(msg)
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
</script>
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
</div>
|
||||
</div>
|
||||
</html>
|
||||
Reference in New Issue
Block a user