There are several ways to bypass client-side validation of any kind and the methods are all quite easy.
First, by "validation" I am referring to the actions that you take to ensure that the data that is being sent to the application conforms with what you are expecting. If you want to make sure that the "firstName" contains only letters, spaces and apostrophes and can only be 20 characters long, you would use validation.
But both of these methods of validation, and any other client-side validation, can be bypassed. Here are a few options for bypassing client-side validation:
- Using a browser tool, like Firebug, to change the HTML to remove the maxLength property
- Creating a completely separate page with NO validation - this can be done from anywhere, even on the hacker's desktop, then post it to the server. Here is an example
- Using a proxy tool like WebScarab or Tamper Data - This will allow the hacker, to intercept any submitted data and manipulate it before sending it on to the server
Vulnerabilities in client-side validation are not exclusive to Web Applications. They can also exist in Adobe AIR applications and any other desktop application that makes calls to a remote server.
The moral of this story is that client-side validation is NEVER sufficient for securing your applications. All data must be validated at the server. This includes validation for data type and length. Client-side validation can, and should be, be used to enhance the user experience only.