Exercise Notes

Learning goals

  • Organisational policies and procedures relating to the tasks being undertaken, and when to follow them, for example the storage and treatment of GDPR-sensitive data
  • Interpret and implement a given design whilst remaining compliant with security and maintainability requirements
  • Conduct security testing

Programs used

Invalid data

Clone the starter repo here to your machine and follow the instructions in the README to run the app.

The app’s frontend contains a simple input field. Whatever is submitted here should be printed to the console.

You may note that this field requests a phone number. However, if you experiment, you should find that you’re able to submit any data to the input field. There’s no client-side validation.

Adding client-side validation

We want to prevent users from being able to submit data that isn’t a phone number to our backend. Think about what defines a phone number and add some validation based on this. Things to consider might include:

  • What type of characters does the input field permit?
  • How many characters are expected?

Tip

Remember that client-side validation is primarily for the benefit of the user, so be sure to have an informative message appear if the user enters invalid data.

At a minimum, the validation should prevent invalid data being sent to the server when Submit is clicked. However, if you have time, you may also wish to use JavaScript to enable or disable the Submit button based on the field validity.

Bypassing client-side validation

Now that you’ve added client-side validation, we’re going to try to bypass it. Use developer tools (or something else) to bypass this and send invalid data to the server.

What happens? Do you get a sensible error message back?

Adding server-side validation

As has hopefully been demonstrated above, server-side validation should be your primary line of defence against invalid data entering your system.

Your task is to now add server-side validation to the endpoint that receives requests from the front-end form. A non-exhaustive list of things to check for includes:

  • Valid data sent to your endpoint is still printed to the console
  • Invalid data sent to your endpoint is not printed to the console
  • Invalid data sent to your endpoint causes a sensible HTTP error response to be returned
  • What qualifies as “invalid” data is consistent with your client-side validation

You can check that your server-side validation is working by bypassing the client-side validation in the same way you did above. You should now receive a sensible error code in response and the invalid input should not be printed to the console.
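The following is an added example for both the client-side and the server-side validation tasks above; it is not code from the starter repo, and the element ids (#phone-form, #phone, #submit, #phone-message), the phone-number rule (optional leading +, then 10 to 15 digits once spaces, hyphens and brackets are stripped) and the shape of the request handler are all assumptions. The point it demonstrates is the last bullet of the checklist: one validatePhone function defines what “invalid” means, the browser uses it to show a message and enable the Submit button, and the endpoint re-runs it so that data which skips the browser check still gets a 400 and is never printed.

```javascript
// Added example (not from the exercise's starter repo): one phone-number rule
// shared by the browser form and the Node.js endpoint, so that what the server
// rejects is exactly what the client rejects.

// The rule itself is an assumption for this example: after stripping spaces,
// hyphens and brackets, the value must be an optional '+' followed by
// 10 to 15 digits (15 is the E.164 upper bound).
const PHONE_PATTERN = /^\+?\d{10,15}$/;
const SEPARATORS = /[\s()-]/g;

// Returns { valid, message, normalised } so that both the UI and the endpoint
// can report an informative reason for rejection.
function validatePhone(raw) {
  if (typeof raw !== 'string') {
    return { valid: false, message: 'Phone number must be text.' };
  }
  const normalised = raw.replace(SEPARATORS, '');
  if (normalised.length === 0) {
    return { valid: false, message: 'Please enter a phone number.' };
  }
  if (!/^\+?\d*$/.test(normalised)) {
    return { valid: false, message: 'Only digits, spaces, hyphens, brackets and a leading + are allowed.' };
  }
  if (!PHONE_PATTERN.test(normalised)) {
    return { valid: false, message: 'A phone number should contain 10 to 15 digits.' };
  }
  return { valid: true, message: '', normalised };
}

// ---- Client side ----------------------------------------------------------
// Wires the rule to a form: shows a message as the user types, disables Submit
// while the field is invalid (the stretch goal), and blocks submission of
// invalid data as the minimum requirement.
function attachClientValidation(form, input, submitButton, messageEl) {
  const refresh = () => {
    const result = validatePhone(input.value);
    messageEl.textContent = result.message;
    submitButton.disabled = !result.valid;
    return result.valid;
  };
  input.addEventListener('input', refresh);
  form.addEventListener('submit', (event) => {
    if (!refresh()) event.preventDefault(); // stop invalid data leaving the browser
  });
  refresh();
}

// Only runs in a browser; the element ids are assumptions for this example.
if (typeof document !== 'undefined') {
  attachClientValidation(
    document.querySelector('#phone-form'),
    document.querySelector('#phone'),
    document.querySelector('#submit'),
    document.querySelector('#phone-message'),
  );
}

// ---- Server side ----------------------------------------------------------
// Framework-agnostic handler: takes the parsed request body and returns the
// status code and JSON body to send. Because it re-runs validatePhone, a
// request that skipped the browser check still ends in a 400, and the invalid
// value is never printed to the console (only the reason goes back).
function handlePhoneSubmission(body, log = console.log) {
  const result = validatePhone(body && body.phone);
  if (!result.valid) {
    return { status: 400, body: { error: result.message } };
  }
  log(`Received phone number: ${result.normalised}`);
  return { status: 200, body: { ok: true } };
}

// Allow the same file to be required from a Node.js endpoint.
if (typeof module !== 'undefined') {
  module.exports = { validatePhone, attachClientValidation, handlePhoneSubmission };
}
```

In an Express-style route you would call handlePhoneSubmission(req.body) and pass the returned status and body to res.status(...).json(...); the handler is kept free of any framework so the same rule can be unit-tested without starting a server. Note that the rejection message goes back to the client, but the rejected value itself is neither logged nor echoed.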

XSS attack

Recall from the Tests 2 module that penetration testing is a form of non-functional testing where an external party is hired to try to gain unauthorised access to your system. Now you can try being a penetration tester.

Have a go at performing your own XSS attack with Google’s XSS Game. Can you complete all of the challenges?

Stretch

If you enjoyed the XSS game, OverTheWire has a series of hacking “wargames”. Bandit is a perfect place to start.

Warning

Gaining unauthorised access to servers is punishable by up to two years imprisonment even if you have no intention of committing a further offence. Make sure you have permission before practising your hacking skills!