Many websites lack client-side filter checks, so the filtering is easy to bypass. However, the bypass only succeeds if there is no server-side filter check either. First, let’s dig a little into client-side filter bypass.
These filters ensure that the input given by the user is in the correct format. Basically, the filter validates the input before it is forwarded to the server side. For example, if you don’t put ‘@’ in your email ID, don’t click on the terms and conditions, or enter letters in the phone number field, you are prompted to enter valid input.
Prerequisites: Basic knowledge of Burp Suite or any other proxy that intercepts the data.
Steps to Bypass the Filters
Step 1: Enter the correct data in the correct format in the field.
Step 2: Open Burp Suite and turn the intercept on.
Step 3: Click on the REGISTER button in the form.
Step 4: Open Burp Suite and you will see something like this:
Now you can see that ‘@’ has been converted into %40, and at the end there is ‘&terms=true’, which represents the terms and conditions. Our aim is to bypass the terms-and-conditions filter as well as the email format filter.
Step 5: Delete ‘&terms=true’ and also %40 (which denotes the ‘@’ of the email ID) from the request in Burp Suite.
Step 6: Turn off the intercept and see the magic.
Now you might wonder what the big deal is in bypassing these filters. Well, this was just the basics. Let’s see what else can be done by bypassing client-side filters. Suppose you have ordered a product on a website that lacks client-side and server-side filter checks, and you proceed to check out an item as follows:
As you can see, you don’t have enough balance to buy that item. But we can try our luck by opening Burp Suite and intercepting the request to check whether we can tamper with the data:
Step 1: Turn on the intercept in Burp Suite and you will see something like the following:
Step 2: Here, you will notice a parameter named discount. Let’s try increasing the discount value to the product’s price and check whether there is any filter.
Step 3: Turn off the intercept in Burp Suite and see the magic.
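Both walkthroughs above work only when the server trusts what the browser sends. The following is an added example, not part of the original article, of the server-side checks that make those edited requests fail. The `terms` and `discount` parameters come from the article; the `email` and `item` parameter names, the SKU, the price table and the percentage discount model are assumptions constructed for illustration.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs

# Server-side email shape check (assumed policy, deliberately strict).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed sample data: prices and discounts live on the server only.
PRICES = {"sku-1001": Decimal("499.00")}
DISCOUNT_PERCENT = {"sku-1001": Decimal("10")}


def validate_registration(body: str) -> list:
    """Re-check every rule the browser form enforces; return a list of errors."""
    form = parse_qs(body, keep_blank_values=True)  # also decodes %40 to '@'
    errors = []
    emails = form.get("email", [])
    # Exactly one email value, and it must match the expected shape.
    if len(emails) != 1 or not EMAIL_RE.fullmatch(emails[0]):
        errors.append("email: invalid format")
    # A missing parameter must fail: absence of 'terms' is not consent.
    if form.get("terms") != ["true"]:
        errors.append("terms: must be accepted")
    return errors


def price_order(body: str, balance: Decimal) -> dict:
    """Compute the amount due from server-side data, ignoring client amounts."""
    form = parse_qs(body)
    sku = form.get("item", [""])[0]
    if sku not in PRICES:
        return {"ok": False, "reason": "unknown item"}
    # The client-supplied 'discount' is never read; the server owns that value.
    percent_due = 100 - DISCOUNT_PERCENT[sku]
    due = (PRICES[sku] * percent_due / 100).quantize(Decimal("0.01"))
    if due > balance:
        return {"ok": False, "reason": "insufficient balance", "due": due}
    return {"ok": True, "due": due}


if __name__ == "__main__":
    # Constructed request bodies: an untouched form post, then edited ones.
    print(validate_registration("name=a&email=user%40example.com&terms=true"))
    print(validate_registration("name=a&email=userexample.com"))
    print(price_order("item=sku-1001&discount=499", Decimal("100.00")))
```

With these checks in place, the request edited in the proxy is rejected at registration, and the checkout total does not change no matter what `discount` value arrives.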