
me for learning SQLI. But I got stuck at this one regex which seems to be unbreakable :

document.loginForm.username.value = document.loginForm.username.value.replace(/[^a-zA-Z0-9]/g, "");

If someone could give me any hint to this one? :)

Thanks

    
It's javascript, so it is client side. You should be able to override it. –  edvinas.me Apr 15 at 10:37
    
But I need to use injection to bypass this –  Asak Apr 15 at 10:52
    
Yes you can just comment this line out. That's one way to bypass it. –  edvinas.me Apr 15 at 11:29
    
haha okay thanks man! –  Asak Apr 15 at 11:31

2 Answers

Disable your javascript.

If you're using Firefox: Go to "about:config" then set "javascript.enabled" to "false".

If you just need to remove certain JavaScript because you rely on the other JavaScript, install Firebug and remove the code you don't want.

    
It works! thank you –  Asak Apr 15 at 11:31

While the previous answer does explain how to do this, since this appears to be a demonstration problem, it is probably beneficial to give a little more explanation about why it works.

This example appears to be a demonstration of the weakness of client side code. In public networks, such as the Internet, client computers are pretty much never trusted. You don't know if they are an attacker or a legitimate user and even when a legitimate user, you don't know if they may be infected with some malware granting an attacker shared access to their system.

As such, any security that you push "client side" and depend on the client to behave well for is easily broken. In this case, the filtering of input was performed client side. In the real world, you often see this done to provide quicker response if the user makes an error. Server side validation is secure, but can only be performed when the client decides to submit information. Client side verification can detect a problem right away and inform the user before they waste too much time.

Client side validation isn't bad for usability functionality, but it is important to remember that any client side functionality does not provide much, if any, meaningful added security. For example, a number of iterations of a password hash could be done client side, but then an attacker could just submit guesses that skip the hashing process on the client and guess the input directly. Similarly, as this problem demonstrates, Javascript validation of input can simply be stripped away entirely in a trivial manner.

All validation of security concerns should always be done in trusted code and with few exceptions, trusted code means running on the server that you control the hardware for.

    
oh great :) Now all my confusions regarding client side security are cleared. Very well explained thanks :) –  Asak Apr 17 at 5:38
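
The server-side counterpart of the client-side filter in the question, as an added example that is not part of the original thread: the same character allowlist is enforced in trusted code, and the accepted value is bound as a query parameter rather than concatenated. The names `validateUsername` and `handleLogin`, the 32-character limit, the table and column names, and the sample request bodies are assumptions made for illustration.

```javascript
// Added example (Node.js). The browser-side replace() can be skipped by any
// client, so the server repeats the check on the bytes it actually received.

// Same character class as the client-side regex; length bound is an assumption.
const USERNAME_RE = /^[a-zA-Z0-9]{1,32}$/;

// Reject instead of silently stripping, so a request that skipped the
// client-side filter is visible as a 400 in the server logs.
function validateUsername(raw) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "username missing" };
  }
  if (!USERNAME_RE.test(raw)) {
    return { ok: false, reason: "username has invalid characters or length" };
  }
  return { ok: true, value: raw };
}

// Hypothetical login handler: takes the raw urlencoded POST body and returns
// either an error status or a parameterized query description.
function handleLogin(body) {
  const form = new URLSearchParams(body);
  // getAll() exposes duplicated parameters, which get() would hide.
  const names = form.getAll("username");
  if (names.length !== 1) {
    return { status: 400, error: "exactly one username expected" };
  }
  const check = validateUsername(names[0]);
  if (!check.ok) {
    return { status: 400, error: check.reason };
  }
  // The value travels as a bound parameter, never as part of the SQL text.
  return {
    status: 200,
    query: {
      text: "SELECT id FROM users WHERE username = ?",
      params: [check.value],
    },
  };
}

// Constructed sample bodies: one as the filtered form would send it, one from
// a client where the JavaScript filter never ran.
const filtered = handleLogin("username=alice123&password=pw");
const unfiltered = handleLogin("username=alice%27+--x&password=pw");
console.log(filtered.status, unfiltered.status, unfiltered.error);
```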