HTML Restrictions

When HTML code is generated, various restrictions can be put on objects manipulated by users. As a rule, these restrictions are set with attribute values of tags.

The maxlength attribute of text input fields (textarea, text, or password) limits the length of text that the user can type into the field.

Example

 <form name=f1 action=post.php>
 name: <input type=text name=name maxlength=35>
 e-mail: <input type=text name=email maxlength=20>
 password: <input type=password name=pass maxlength=30>
 <textarea cols=30 rows=6 name=message maxlength=500></textarea>
 </form>

However, you should always check the maximum length of data received on the server because the value of this attribute is just a recommendation for a browser or a user.

You can simply truncate excessive portions of data to control their maximum length.

post.php

 <?php
 $name = $_POST['name'] ?? '';
 $email = $_POST['email'] ?? '';
 $pass = $_POST['pass'] ?? '';
 $message = $_POST['message'] ?? '';
 // Truncate each field to the same limit the form declares with maxlength;
 // the browser enforces that limit only as a courtesy, the server must enforce it.
 if (strlen($name) > 35) $name = substr($name, 0, 35);
 if (strlen($email) > 20) $email = substr($email, 0, 20);
 if (strlen($pass) > 30) $pass = substr($pass, 0, 30);
 if (strlen($message) > 500) $message = substr($message, 0, 500);
 // Manipulations with $name, $email, $pass, and $message
 ?>

A malicious user can always bypass this restriction by directly editing the HTML page saved on the hard disk and changing the action field of the form.

In addition, he or she can directly connect to the server's HTTP port and create his or her own HTTP request with the desired data of the desired length. The size of the data cannot be checked on the client.

Another example of an HTML restriction is the maximum size of a file sent with the HTTP POST method.

Example

 <form enctype="multipart/form-data" method=POST action=upload.php>
 <input type=hidden name=MAX_FILE_SIZE value=1000>
 Send this file: <input name=userfile type=file>
 <input type=submit value="Send File">
 </form>

This restriction is set in the MAX_FILE_SIZE hidden parameter. As always, the attacker can edit the HTML code of a page after saving it on the hard disk.

However, the receiving script can check the value of the MAX_FILE_SIZE parameter. In this case, editing the HTML page would be pointless. To bypass this, the attacker can manually create an HTTP request containing the desired values of parameters and the file with the desired size.

You can check the size of the file on the server after it has been uploaded, or you can limit upload sizes in the PHP interpreter's configuration file (php.ini).

Another common programming error occurs when the programmer assumes the attacker cannot change the values of fields whose set of values is restricted in the HTML code. Examples of such fields are drop-down lists, radio buttons, and checkboxes.

Example

 <form action=test.php method=POST>
 Enter search parameters: <br>
 Name: <input type=search name=main><br>
 Search in the news <input type=checkbox name=new value=yes><br>
 Combine the words with AND <input type=radio name=mode value=and>, OR <input type=radio name=mode value=or>
 Search in section: <select name=section>
 <option value=0> [any] </option>
 <option value=1> main </option>
 <option value=2> second </option>
 <option value=3> third </option>
 </select>
 </form>

A typical mistake here is that the programmer expects the parameter values to fall into certain ranges and therefore doesn't properly filter the data received from users. Indeed, using the form as the browser renders it, the attacker cannot set the section value to anything other than 0, 1, 2, or 3, and the same holds for the other parameters.

However, the attacker can save the page on the disk and set any values he or she likes for these fields. As a variant, the attacker can change the types of these fields to text or textarea, obtaining an HTML page in which he or she can specify any values for the parameters. Finally, the attacker can always create an HTTP request with any values he or she likes and send it to the server.
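As an added example that is not part of the book, the following server-side validator for test.php re-checks every restriction the search form above only expresses in HTML; the function name validate_search, the ALLOWED_* constants, and the 35-character limit on the search string are assumptions.

```php
<?php
// Added example, not from the book: the server-side half of test.php.
// Each value the form restricts in HTML is re-checked here, because a
// client can submit any value for any field.
// Allowed values, copied from the <select> and <input type=radio> tags.
const ALLOWED_SECTIONS = ['0', '1', '2', '3'];
const ALLOWED_MODES    = ['and', 'or'];
const MAX_MAIN_LENGTH  = 35;   // assumed limit for the search string

// Returns the validated parameters, or null if any field carries a
// value the rendered form could never have produced.
function validate_search(array $post): ?array
{
    // main: a plain string of bounded length (arrays are rejected too).
    $main = $post['main'] ?? '';
    if (!is_string($main) || strlen($main) > MAX_MAIN_LENGTH) {
        return null;
    }

    // section: exactly one option value; strict comparison on the raw
    // string rejects variants such as "1abc" or "01".
    $section = $post['section'] ?? null;
    if (!in_array($section, ALLOWED_SECTIONS, true)) {
        return null;
    }

    // mode: one of the radio values; a missing radio defaults to "and".
    $mode = $post['mode'] ?? 'and';
    if (!in_array($mode, ALLOWED_MODES, true)) {
        return null;
    }

    // new: a checkbox is either absent or sent as "yes"; anything else
    // means the request was built by hand.
    $new = $post['new'] ?? null;
    if ($new !== null && $new !== 'yes') {
        return null;
    }

    return ['main' => $main, 'section' => (int) $section,
            'mode' => $mode, 'new' => $new === 'yes'];
}

// Constructed requests: the first matches the rendered form, the second
// carries a section value the <select> never offers.
$ok  = validate_search(['main' => 'php', 'section' => '2', 'mode' => 'or', 'new' => 'yes']);
$bad = validate_search(['main' => 'php', 'section' => '7', 'mode' => 'or']);
var_dump($ok !== null, $bad === null);
```

Rejecting the whole request on any out-of-range value, rather than silently coercing it, also makes hand-built requests visible in the server log.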

Conclusion

Never trust data you receive from an external user.



Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77
