← Back to Projects

Improper Server-Side Input Validation

Medium Severity Category: Input Validation Context: Authorized Internship Testing

Overview

During authorized manual testing as part of the UptoSkills cybersecurity internship, an improper input validation vulnerability was identified. The application relied solely on client-side validation for the user_type field, while the server accepted any arbitrary value submitted directly to the API endpoint.

Environment Tested

Testing was conducted on an authorized test environment provided as part of a structured cybersecurity internship program. All testing was performed within the defined scope and with explicit authorization.

  • Testing Type: Manual Web Application Security Testing
  • Authorization: Internship program scope (authorized)
  • Tool Used: Burp Suite (Proxy, Repeater)

Technical Description

The application's registration or profile update endpoint included a user_type field that determined the user's role within the system. While the front-end interface restricted this field to predefined options (e.g., "student", "user"), the server-side logic did not enforce these constraints.

By intercepting the request and modifying the user_type parameter to an arbitrary value (such as "admin"), it was possible to assign unintended roles to the account. This indicates a lack of server-side validation and improper trust in client-side controls.

Steps to Reproduce

  1. Navigate to the registration or profile update form
  2. Fill in the required fields and select a standard user type from the dropdown
  3. Capture the outbound request using Burp Suite Proxy
  4. Modify the user_type parameter value to an arbitrary or elevated role
  5. Forward the modified request to the server
  6. Observe that the server accepts the modified value without validation and assigns the arbitrary role

Impact

The lack of server-side validation on the user_type field can lead to:

  • Privilege escalation through unauthorized role assignment
  • Access to restricted functionality or administrative features
  • Potential data exposure if elevated roles grant access to sensitive information
  • Bypass of intended access control mechanisms

Remediation

The following measures are recommended to address this vulnerability:

  • Implement strict server-side validation for the user_type field against an allowlist of permitted values
  • Reject any requests containing invalid or unexpected user_type values with an appropriate error response
  • Do not rely on client-side validation as a security control; always enforce server-side checks
  • Implement role-based access control (RBAC) that is enforced at the server level
  • Log and monitor requests that attempt to submit unauthorized role values for security alerting