Client Side Resource Manipulation

Check List

Methodology

Black Box

JavaScript Price Manipulation

1. Login to your account

2. Open the product page and inspect the client-side JavaScript

3. Identify the pricing logic inside the JS file

   GET /static/app.js HTTP/1.1
   Host: target.com

4. Locate the price calculation function

   function calculateTotal(price, quantity){
      return price * quantity;
   }

5. Add a product to the cart and intercept the request

   POST /api/cart/update HTTP/1.1
   Host: target.com
   Cookie: session=abc123
   Content-Type: application/json

   {"productId":101,"quantity":1,"total":100}

6. Modify the total value

   {"productId":101,"quantity":1,"total":1}

7. Forward the request and proceed to checkout

8. If the backend accepts the manipulated total without recalculating it server-side, client-side resource manipulation is confirmed
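The server-side fix for the price test above, as an added example that is not part of the original checklist: the backend recomputes the total from its own catalog and treats the client's "total" as untrusted input that is only compared for detection. The catalog, the handler shape and the product names are assumptions modelled on the request shown in the steps.

```javascript
// Added example (not from the original checklist). Field names follow the
// cart request in the steps; CATALOG and the handler shape are assumptions.

// Constructed server-side catalog: prices in whole currency units.
const CATALOG = new Map([
  [101, { name: "Widget", price: 100 }],
  [202, { name: "Gadget", price: 250 }],
]);

// Authoritative total, computed only from server-side prices.
// The client-supplied "total" never enters this calculation.
function computeCartTotal(items, catalog = CATALOG) {
  let total = 0;
  for (const { productId, quantity } of items) {
    const product = catalog.get(productId);
    if (!product) throw new Error(`unknown product ${productId}`);
    if (!Number.isInteger(quantity) || quantity < 1) {
      throw new Error(`invalid quantity for product ${productId}`);
    }
    total += product.price * quantity;
  }
  return total;
}

// Handler for POST /api/cart/update. It returns the server's total and a
// "tampered" flag when the client's value disagrees, so the attempt can be
// logged and alerted on instead of silently honoured.
function handleCartUpdate(body) {
  const serverTotal = computeCartTotal([
    { productId: body.productId, quantity: body.quantity },
  ]);
  const tampered = body.total !== undefined && body.total !== serverTotal;
  return { total: serverTotal, tampered };
}

// The modified request from step 6 of the checklist.
const modified = JSON.parse('{"productId":101,"quantity":1,"total":1}');
console.log(handleCartUpdate(modified)); // { total: 100, tampered: true }
```

The cart stores only productId and quantity; the displayed total is derived at checkout from the same function, so there is no point at which a client-side number becomes the charged amount.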


Hidden Form Field Manipulation

1. Login as a normal user

2. Access the profile update page and inspect the hidden input fields in the HTML

   <input type="hidden" name="accountType" value="basic">

3. Intercept the profile update request

   POST /profile/update HTTP/1.1
   Host: target.com
   Cookie: session=abc123
   Content-Type: application/x-www-form-urlencoded

   username=user1&accountType=basic

4. Modify the hidden parameter

   username=user1&accountType=premium

5. Forward the request. If the account privileges change based on the modified hidden field without server-side validation, the manipulation vulnerability is confirmed
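How the profile handler should treat that hidden field, as an added example that is not part of the original checklist: updatable fields are allow-listed and accountType is not on the list, so the value the client sends is discarded and reported rather than written. The in-memory user store, the session-to-user lookup and the field list are assumptions; the form body is the one from step 4.

```javascript
// Added example (not from the original checklist). The request body matches
// step 4; the user store and allow-list are assumptions.

// Fields a user may change about themselves. "accountType" is deliberately
// absent: it is a privileged attribute that only billing or admin code sets.
const USER_EDITABLE_FIELDS = new Set(["username", "displayName"]);

// Constructed server-side user records, keyed by user id from the session.
const users = new Map([[42, { username: "user1", accountType: "basic" }]]);

// Parse an application/x-www-form-urlencoded body into a plain object.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Apply only allow-listed fields. Anything else is listed in "ignored" so a
// write attempt on accountType shows up in logs.
function handleProfileUpdate(sessionUserId, rawBody) {
  const user = users.get(sessionUserId);
  if (!user) return { status: 401 };
  const form = parseForm(rawBody);
  const ignored = [];
  for (const [key, value] of Object.entries(form)) {
    if (USER_EDITABLE_FIELDS.has(key)) user[key] = value;
    else ignored.push(key);
  }
  return { status: 200, accountType: user.accountType, ignored };
}

console.log(handleProfileUpdate(42, "username=user1&accountType=premium"));
// { status: 200, accountType: 'basic', ignored: [ 'accountType' ] }
```

The same allow-list approach also covers fields the page never rendered at all (mass assignment), since only names in the set reach the record.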


JavaScript-Based Access Control

1. Login as a normal user

2. Inspect the JavaScript file for role-based UI control

   if(user.role === "admin"){
      showAdminPanel();
   }

3. Manually modify the role value in the browser console

   user.role = "admin";
   showAdminPanel();

4. Access the admin endpoint

   GET /api/admin/dashboard HTTP/1.1
   Host: target.com
   Cookie: session=abc123

5. If the backend does not validate the role and grants access based on client-side state, access control depends on client resources

6. If privilege escalation occurs due to the client-side modification, the resource manipulation vulnerability is confirmed
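The server-side check that makes the console edit in step 3 irrelevant, as an added example that is not part of the original checklist: the role is resolved from the session record behind the cookie, and nothing the client sends (body, query or a script-side user object) can influence it. The session store, its contents and the handler shape are assumptions; the cookie value is the one from step 4.

```javascript
// Added example (not from the original checklist). The cookie matches the
// request in step 4; SESSIONS and the handler shape are assumptions.

// Constructed server-side session store keyed by the session cookie value.
// The role lives here only, never in anything the client sends.
const SESSIONS = new Map([
  ["abc123", { userId: 7, role: "user" }],
  ["admin9", { userId: 1, role: "admin" }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map((p) => p.trim()).filter(Boolean).map((p) => {
      const i = p.indexOf("=");
      return [p.slice(0, i), p.slice(i + 1)];
    })
  );
}

// GET /api/admin/dashboard. Authentication and authorization both come from
// the session record; a "role" field in the request is ignored entirely.
function handleAdminDashboard(req) {
  const { session } = parseCookies(req.headers.cookie);
  const record = SESSIONS.get(session);
  if (!record) return { status: 401 };
  if (record.role !== "admin") return { status: 403 };
  return { status: 200, body: "admin dashboard" };
}

// The normal user's session from the checklist, even with a client-side
// role claim attached, is still refused.
console.log(
  handleAdminDashboard({ headers: { cookie: "session=abc123" }, body: { role: "admin" } }).status
); // 403
```

Hiding the admin panel in the UI remains fine for usability; the point is that the UI check is a convenience and this server-side check is the control.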


White Box

Cheat Sheet
