Congratulations on coming this far! This will be the last challenge, and will yield the flag to you upon completion.
Made with love by Lord_Idiot
Verification in the web world generally takes one of two forms, client-side and server-side, and making the wrong choice can lead to security bypasses and other issues. It is therefore important to understand this concept well, whether you wish to secure websites or break into them.
Verification in this context simply means checking for certain conditions before allowing a certain action to be performed. One example of verification everybody should know is login verification. To determine whether the user is allowed to log in to a specific account, the user must provide the correct password, which the website should verify as valid before allowing the user to proceed with the login.
Server-side verification should be used for security critical verifications. Such examples include
However, verifications that are not security critical can be delegated to the client side, which reduces the amount of information the server has to process, saving cost and improving performance.
Here are some examples of verifications one might need to perform that are not security-related and thus can be done on the client side, using technologies like JavaScript. JavaScript gives instructions to the browser, so that the browser performs the actions itself instead of an external server doing so. Such JavaScript instructions can be embedded in the HTML of the page sent to the browser.
If you mistakenly use client-side verification, this can cause security issues. Client-side verifications rely on the browser to enforce the check. Since the browser is a program that the user runs on their own computer, such checks can be circumvented by preventing the browser from performing them, or through other means.
Mistakenly performing client-side verification is similar to conducting an exam but printing the answer sheet on the back of the paper. Such a mistake may go unnoticed for a while, but once students realise that the answers are on the back, there is no way to stop them from copying the answers to get a perfect score. Instead, exams have students take the test on a paper without the answers, and the answers are verified by the examining body (the server side). This is the proper way to go about such verifications.
Comic #2 - Client-side Verification in Exams
Now that you understand the issues with using client-side verification, here is a simple client-side verification challenge for you, embedded in this website.
Here is a password checker: if you enter the correct password, you get the flag! To view the JavaScript code that performs the check, press Control + U to view the HTML source and read through the JavaScript.