https://wiki.owasp.org/index.php?action=history&feed=atom&title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_15.3
OWASP ModSecurity Securing WebGoat Section4 Sublesson 15.3 - Revision history
2026-04-06T16:49:52Z
Revision history for this page on the wiki
MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_15.3&diff=44214&oldid=prev
Stephen Evans at 08:19, 21 October 2008
2008-10-21T08:19:19Z
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 08:19, 21 October 2008</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l3" >Line 3:</td>
<td colspan="2" class="diff-lineno">Line 3:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Lesson overview ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Lesson overview ===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">Refer to the zip file </del>with the WebGoat lesson <del class="diffchange diffchange-inline">overviews. See Appendix A for more information</del>.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">The WebGoat lesson overview is included </ins>with the WebGoat lesson <ins class="diffchange diffchange-inline">solution</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Lesson solution ===  </div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Lesson solution ===  </div></td></tr>
</table>
Stephen Evans
https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_15.3&diff=44003&oldid=prev
Stephen Evans at 11:07, 20 October 2008
2008-10-20T11:07:47Z
<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 11:07, 20 October 2008</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l78" >Line 78:</td>
<td colspan="2" class="diff-lineno">Line 78:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" </div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>   SecAction "t:none,nolog,id:'1530'"</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>   SecAction "t:none,nolog,id:'1530'"</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></pre></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Comments ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Comments ===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* This solution takes the RegExs used for client-side validation and incorporates them in ModSecurity rules.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* This solution takes the RegExs used for client-side validation and incorporates them in ModSecurity rules.</div></td></tr>
</table>
Stephen Evans
https://wiki.owasp.org/index.php?title=OWASP_ModSecurity_Securing_WebGoat_Section4_Sublesson_15.3&diff=44002&oldid=prev
Stephen Evans: add content
2008-10-20T11:06:59Z
<p>add content</p>
<p><b>New page</b></p><div>15. Parameter Tampering -> 15.3 Bypass Client Side JavaScript Validation<br />
<br />
=== Lesson overview ===<br />
<br />
Refer to the zip file with the WebGoat lesson overviews. See Appendix A for more information.<br />
<br />
=== Lesson solution === <br />
<br />
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information. <br />
<br />
=== Strategy ===<br />
<br />
This WebGoat lesson demonstrates bypassing client-side validation using a web browser plugin such as IEWatch for IE or Firebug for Firefox. There are 7 different validation types and any field that does not meet the requirements will return an error message.<br />
<br />
Often in real word implementations, the RegExs in the HTML source code are taken and re-implemented within ModSecurity so that validation is properly enforced and cannot be bypassed.<br />
<br />
The ModSecurity solution will be to copy the RegExs from the HTML source and use them in ModSecurity rules. <br />
<br />
=== Implementation === <br />
<br />
A sample POST URI and parameters are (the 2nd entry should be on one line):<br />
<pre><br />
POST http://192.168.0.5/WebGoat/attack?Screen=31&menu=1600<br />
<br />
field1=abc&field2=123&field3=abc+123+ABC&field4=seven&field5=90210&<br />
field6=90210-1111&field7=301-604-4882<br />
</pre><br />
<br />
The 'rulefile_15-3_bypass-client-side-validation.conf' is:<br />
<pre><br />
# exactly three lowercase characters<br />
SecRule &ARGS_POST:field1 "@eq 0" "nolog,skipAfter:1530"<br />
SecRule ARGS_POST:field1 "!^[a-z]{3}$" \<br />
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \<br />
15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \<br />
invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html"<br />
<br />
# exactly three digits<br />
SecRule &ARGS_POST:field2 "@eq 0" "nolog,skipAfter:1530"<br />
SecRule ARGS_POST:field2 "!^[0-9]{3}$" \<br />
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \<br />
15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \<br />
invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html"<br />
<br />
# letters, numbers, and space only<br />
SecRule &ARGS_POST:field3 "@eq 0" "nolog,skipAfter:1530"<br />
SecRule ARGS_POST:field3 "!^[a-zA-Z0-9 ]*$" \<br />
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \<br />
15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \<br />
invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html"<br />
<br />
# enumeration of numbers<br />
SecRule &ARGS_POST:field4 "@eq 0" "nolog,skipAfter:1530" <br />
SecRule ARGS_POST:field4 "!^(one|two|three|four|five|six|seven|eight|nine)$" \<br />
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \<br />
15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \<br />
invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html"<br />
<br />
# simple zip code<br />
SecRule &ARGS_POST:field5 "@eq 0" "nolog,skipAfter:1530"<br />
SecRule ARGS_POST:field5 "!^\d{5}$" \<br />
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \<br />
15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \<br />
invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html"<br />
<br />
# zip with optional dash four<br />
SecRule &ARGS_POST:field6 "@eq 0" "nolog,skipAfter:1530"<br />
SecRule ARGS_POST:field6 "!^\d{5}(-\d{4})?$" \<br />
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \<br />
15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \<br />
invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html"<br />
<br />
# US phone number with or without dashes<br />
SecRule &ARGS_POST:field7 "@eq 0" "nolog,skipAfter:1530"<br />
SecRule ARGS_POST:field7 "!^[2-9]\d{2}-?\d{3}-?\d{4}$" \<br />
"phase:2,t:none,log,auditlog,deny,severity:3,msg:'15. Parameter Tampering -> \<br />
15.3 Bypass Client Side JavaScript Validation: malicious attempt to enter \<br />
invalid data',tag:'INJECTION_ATTACK',redirect:/_error_pages_/lesson15-3.html" <br />
SecAction "t:none,nolog,id:'1530'"<br />
<br />
=== Comments ===<br />
<br />
* This solution takes the RegExs used for client-side validation and incorporates them in ModSecurity rules.</div>
Stephen Evans