Burp Suite User Forum


Web App Hacker's Handbook (WAHH): Question about Chapter 5

Bo | Last updated: Aug 21, 2020 02:07PM UTC

Hi, I have a question about Chapter 5 of WAHH. On page 130, where it is talking about "Script Based Validation", it says that instead of disabling JavaScript, we can intercept the validated submission from the browser to the server and modify the data, or intercept the server's response that contains the JavaScript validation routine and modify the script. I can understand intercepting the validated submission from the browser, since we can edit this with Burp and then forward it to the server. But what does "intercept the server's response" mean? Can someone clarify this? Why does the server's response contain the validation routine? I thought the validation routine is written on the *client*, in the browser?

Similarly, on page 128, in the "Length Limits" section, it talks about bypassing the length restriction by either:

1. intercepting the request containing the form submission to enter an arbitrary value, or
2. intercepting the response containing the form to remove the maxlength attribute.

My question for this page is similar: how does editing the server's response allow the maxlength attribute to be affected? This sounds like it is saying the server sends the form to the client, but I thought the form is already on the client?
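The point behind both questions is that the form, its maxlength attribute and the JavaScript validation routine are text inside the HTML response the server sends; the browser only has them because it received them. The following is an added example (not code from WAHH or from the post) that renders such a form on the server side and then re-checks the submitted field independently of anything the browser enforced; the field name "username" and the 20-character limit are assumed sample values.

```python
"""Client-side controls live in the server's HTML response; the server must
re-validate. Added illustration; 'username' and MAX_LEN are assumed values."""
from urllib.parse import parse_qs

MAX_LEN = 20  # assumed limit; enforced on the server, not only via maxlength


def render_form() -> str:
    """GET handler: the response body *contains* the client-side controls.
    Anything in this string can be altered before the browser renders it,
    which is why it cannot be relied on as a security control."""
    return f"""<form method="post" onsubmit="return checkLen(this)">
  <input name="username" maxlength="{MAX_LEN}">
  <input type="submit">
</form>
<script>
  function checkLen(f) {{ return f.username.value.length <= {MAX_LEN}; }}
</script>"""


def validate_username(value: str):
    """Server-side check that holds regardless of what the browser did.
    Returns an error message, or None when the value is acceptable."""
    if not value:
        return "username is required"
    if len(value) > MAX_LEN:
        return f"username exceeds {MAX_LEN} characters"
    return None


def handle_post(body: str):
    """POST handler: parse the urlencoded body and apply the server-side
    rules. Returns (status_code, message), mimicking an HTTP result."""
    fields = parse_qs(body, keep_blank_values=True)
    error = validate_username(fields.get("username", [""])[0])
    if error:
        return 400, error
    return 200, "ok"


if __name__ == "__main__":
    print(render_form())
    print(handle_post("username=alice"))
    print(handle_post("username=" + "a" * 21))  # rejected despite maxlength
```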
