Technical Report

Improper Server-Side Input Validation

Severity: Medium
Category: Input Validation
Context: Lab Testing

Overview

During authorized manual testing, an improper input validation vulnerability was identified. The application relied solely on client-side validation for the user_type field, while the server accepted any arbitrary value submitted directly to the API endpoint.

Technical Description

The application's registration or profile update endpoint included a user_type field that determined the user's role within the system. While the front-end interface restricted this field to predefined options (e.g., "student", "user"), the server-side logic did not enforce these constraints.

By intercepting the request and changing the user_type parameter to an arbitrary value (such as "admin"), it was possible to assign the account a role the interface never offered. The server stored whatever value was submitted, which indicates that no server-side validation is performed and that the application trusts client-side controls to constrain the field.

Steps to Reproduce

  1. Navigate to the registration (or profile update) form.
  2. Fill in the fields and capture the request in Burp Suite Proxy.
  3. Modify the user_type parameter value to "admin".
  4. Forward the request and observe that the server accepts the value and assigns the role.

Modified request (user_type changed from "user" to "admin"):

POST /api/profile/update HTTP/1.1
Content-Type: application/json

{
  "username": "tester",
  "user_type": "admin"
}

Remediation

The following measures are recommended to address this vulnerability:

  • Implement strict server-side validation of user_type against an allowlist of the roles a user is permitted to select for themselves.
  • Reject any request whose user_type value is not on the allowlist (or is not a string), rather than ignoring or normalising it.
  • Enforce Role-Based Access Control (RBAC) on the server: privileged roles such as "admin" must only be assignable through an administrator-only path, with the caller's own role read from server-side session state, never from the request body.
  • Log rejected role assignment attempts (account, requested value, source) so that privilege escalation attempts are visible to monitoring.
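The following is an added example, not code from the report or the tested application. It models the profile update handler as plain Python functions so the vulnerable pattern and the hardened one can be run side by side: the allowlist contents, the Account model, the assign_role admin path and the AUDIT_LOG list are assumptions for illustration, and the tampered payload is constructed to match the modified request above.

```python
# Added example (not the report's own code): vulnerable vs. hardened handling of
# the user_type field. The request shape, the allowlist contents, the Account
# model and the admin-only assign_role path are assumptions for illustration.
import logging
from dataclasses import dataclass

log = logging.getLogger("profile")

# Assumed allowlist of roles a user may pick for themselves. "admin" is
# deliberately absent: privileged roles are granted only via the admin path.
SELF_ASSIGNABLE_USER_TYPES = frozenset({"student", "user"})
ALL_USER_TYPES = SELF_ASSIGNABLE_USER_TYPES | {"admin"}

# Rejected role assignments are recorded here; in production this would be a
# structured log line shipped to the SIEM rather than an in-memory list.
AUDIT_LOG: list = []


@dataclass
class Account:
    username: str
    user_type: str


class ValidationError(Exception):
    pass


class Forbidden(Exception):
    pass


def update_profile_vulnerable(account: Account, payload: dict) -> Account:
    """The flaw in the report: user_type is copied from the request verbatim,
    so the front-end dropdown is the only control on the value."""
    account.user_type = payload.get("user_type", account.user_type)
    return account


def update_profile_hardened(account: Account, payload: dict) -> Account:
    """Server-side validation: user_type is accepted only if it is a string on
    the self-assignable allowlist; anything else is rejected and logged."""
    if "user_type" not in payload:
        return account
    requested = payload["user_type"]
    if not isinstance(requested, str) or requested not in SELF_ASSIGNABLE_USER_TYPES:
        AUDIT_LOG.append({"username": account.username, "requested": requested})
        log.warning("rejected user_type %r for %s", requested, account.username)
        raise ValidationError("invalid user_type")
    account.user_type = requested
    return account


def assign_role(actor: Account, target: Account, role: str) -> Account:
    """RBAC enforced on the server: only an admin may set a role, and the role
    must still be a known one. The actor's role comes from the server-side
    account record (session state), never from the request body."""
    if actor.user_type != "admin":
        AUDIT_LOG.append({"username": actor.username, "requested": role,
                          "target": target.username})
        log.warning("non-admin %s tried to set %s to %r",
                    actor.username, target.username, role)
        raise Forbidden("admin role required")
    if role not in ALL_USER_TYPES:
        raise ValidationError("unknown role")
    target.user_type = role
    return target


def demo() -> dict:
    """Replays the report's tampered request against both handlers."""
    # Constructed payload mirroring the modified request in the report.
    tampered = {"username": "tester", "user_type": "admin"}

    vulnerable = update_profile_vulnerable(Account("tester", "user"), dict(tampered))

    hardened = Account("tester", "user")
    try:
        update_profile_hardened(hardened, dict(tampered))
        rejected = False
    except ValidationError:
        rejected = True

    return {"vulnerable_role": vulnerable.user_type,
            "hardened_role": hardened.user_type,
            "rejected": rejected}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```

Running the block shows the vulnerable handler promoting "tester" to "admin" while the hardened handler leaves the role at "user", raises, and records the attempt in AUDIT_LOG. The split between update_profile_hardened (self-service, allowlist only) and assign_role (admin path, actor role read from server state) is the point of the RBAC recommendation: even a valid role name is not enough, the caller must be entitled to grant it.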