The other principal way in which applications use client-side controls to restrict data submitted by clients occurs with data that was not originally specified by the server but that was gathered on the client computer itself.
HTML forms are the simplest and most common way to capture input from the user and submit it to the server. With the most basic uses of this method, users type data into named text fields, which are submitted to the server as name/value pairs. However, forms can be used in other ways; they can impose restrictions or perform validation checks on the user-supplied data. When an application employs these client-side controls as a security mechanism to defend itself against malicious input, the controls can usually be easily circumvented, leaving the application potentially vulnerable to attack.
Consider the following variation on the original HTML form, which imposes a maximum length of 1 on the quantity field:
<form method="post" action="Shop.aspx?prod=1">
Product: iPhone 5 <br/>
Price: 449 <br/>
Quantity: <input type="text" name="quantity" maxlength="1"> <br/>
<input type="hidden" name="price" value="449">
<input type="submit" value="Buy">
</form>
Here, the browser prevents the user from entering more than one character into the input field, so the server-side application may assume that the quantity parameter it receives will be less than 10. However, this restriction can easily be circumvented either by intercepting ...
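The defensive counterpart to the form above is a server-side handler that re-validates every submitted field regardless of the browser's maxlength. The following is an added example written for this discussion, not code from the book or from the Shop.aspx application; the in-memory catalogue, the function names, and the sample request bodies are constructed assumptions. It treats the quantity as untrusted, derives the price from the product id rather than from the hidden field, and distinguishes a value that could never have come from the unmodified form (so that it can be logged as suspected tampering) from ordinary bad input.

```python
import re
from urllib.parse import parse_qs

# Constructed in-memory catalogue standing in for the shop's database lookup
# (assumption: the real Shop.aspx would resolve the price from prod=1 itself).
CATALOGUE = {"1": {"name": "iPhone 5", "price": 449}}

# Server-side counterpart of the form's maxlength="1": one digit, in the range 1..9.
QUANTITY_MAX_LEN = 1
QUANTITY_MIN, QUANTITY_MAX = 1, 9


class ValidationError(ValueError):
    """The submitted order is not acceptable."""


class TamperingSuspected(ValidationError):
    """The value could not have been produced by the unmodified form."""


def validate_order(prod_id, body):
    """Re-validate an order POST body independently of client-side controls.

    prod_id: the prod query-string parameter (e.g. "1" from Shop.aspx?prod=1).
    body:    the raw application/x-www-form-urlencoded POST body.

    Only the quantity is taken from the client. The price is looked up by
    product id, so the hidden price field in the form is deliberately ignored.
    """
    product = CATALOGUE.get(prod_id)
    if product is None:
        raise ValidationError("unknown product")

    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("quantity", [])
    if len(values) != 1:
        raise ValidationError("quantity must be supplied exactly once")
    raw = values[0]

    # A quantity longer than maxlength cannot come from the form in a browser,
    # so the request was modified or crafted. Raise a distinct subclass so the
    # application can log and count these separately from ordinary bad input.
    if len(raw) > QUANTITY_MAX_LEN:
        raise TamperingSuspected("quantity exceeds client-side maxlength")

    if not re.fullmatch(r"[0-9]+", raw):
        raise ValidationError("quantity must be a whole number")
    quantity = int(raw)
    if not QUANTITY_MIN <= quantity <= QUANTITY_MAX:
        raise ValidationError("quantity out of range")

    return {
        "product": product["name"],
        "quantity": quantity,
        "unit_price": product["price"],
        "total": quantity * product["price"],
    }


if __name__ == "__main__":
    # Constructed request bodies: one as the browser would send it, two modified.
    for body in ("quantity=3&price=449", "quantity=100&price=449", "quantity=1&price=1"):
        try:
            print(body, "->", validate_order("1", body))
        except ValidationError as exc:
            print(body, "-> rejected:", type(exc).__name__, exc)
```

The point of the length check is not that it replaces the range check but that it yields a useful signal: a browser honouring maxlength="1" cannot send "100", so such a request is worth recording even though the range check alone would reject it. Note that the hidden price field is parsed and then ignored; the total is always computed from the server-side catalogue.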