Chapter 1 described how the core security problem with web applications arises because clients can submit arbitrary input. Despite this fact, a large proportion of web applications nevertheless rely upon various kinds of measures implemented on the client side to control the data that it submits to the server. In general, this represents a fundamental security flaw: the user has full control over the client and the data it submits, and can bypass any controls which are implemented on the client side and not replicated on the server.
There are two broad ways in which an application may rely upon client-side controls to restrict user input. First, an application may transmit data via the client component, using some mechanism that it assumes will prevent the user from modifying that data. Second, when an application gathers data that is entered by the user, it may implement measures on the client side that control the contents of that data before it is submitted. This may be achieved using HTML form features, client-side scripts, or thick-client technologies.
We will look at examples of each kind of client-side control and describe ways in which they can be bypassed.
It is very common to see an application passing data to the client in a form that is not directly visible or modifiable by the end user, in the expectation that this data will be sent back to the server in a subsequent request. Often, the application's ...