
Watching the source code

Looking into a web page's source code allows us to understand some of the programming logic, detect obvious vulnerabilities, and keep a reference while testing: we can compare the code before and after a test and use that comparison to adjust our next attempt.

In this recipe, we will view the source code of an application and arrive at some conclusions from that.

Getting ready

For this recipe, start the vulnerable_vm.

How to do it...

  1. Browse to http://192.168.56.102.
  2. Select the WackoPicko application.
  3. Right-click on the page and select View Page Source. A new window with the source code of the page will open:

    With the source code we can discover the libraries or external files that the page is using and where its links go. Also, as can be seen in the preceding screenshot, this page has some hidden input fields. The selected one is MAX_FILE_SIZE; this field tells the application the maximum size allowed for the file we are uploading. Because it is set on the client side, if we alter this value we might be able to upload a file bigger than what the application expects; this represents an important security issue.
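The review described in this step, done programmatically, as an added example that is not part of the original recipe. It uses only Python's standard library and runs over a constructed HTML fragment (not the real WackoPicko page; the paths and the 30000 value are made up) to pull out external files, link targets and hidden fields, and flags hidden fields whose names suggest a limit or privilege that the server must enforce itself.

```python
from html.parser import HTMLParser

# Constructed sample page, not the real WackoPicko source: it only mirrors
# the kinds of elements the recipe tells us to look for.
SAMPLE_HTML = """
<html><head>
<script src="/js/jquery.js"></script>
<link rel="stylesheet" href="/css/style.css">
</head><body>
<a href="/users/login.php">Login</a>
<form action="/pictures/upload.php" method="post" enctype="multipart/form-data">
  <input type="hidden" name="MAX_FILE_SIZE" value="30000">
  <input type="file" name="userfile">
  <input type="submit" value="Upload">
</form>
</body></html>
"""

# Name fragments that hint a hidden field carries a limit or privilege
# decision; these are our own heuristics, not a standard list.
REVIEW_HINTS = ("MAX", "SIZE", "LIMIT", "ADMIN", "ROLE", "PRICE")


class SourceAuditor(HTMLParser):
    """Collects the artefacts a manual source review looks for."""

    def __init__(self):
        super().__init__()
        self.externals = []  # scripts and stylesheets the page pulls in
        self.links = []      # where anchors and forms point
        self.hidden = {}     # hidden fields: name -> value

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None
        if tag == "script" and a.get("src"):
            self.externals.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.externals.append(a["href"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.links.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name") or ""] = a.get("value") or ""


def audit(html):
    """Return externals, link targets, hidden fields and the ones to re-check."""
    p = SourceAuditor()
    p.feed(html)
    # Hidden fields are client-controlled; any limit or flag set here is only
    # a hint, so the server-side handler must enforce the same check.
    review = sorted(n for n in p.hidden
                    if any(h in n.upper() for h in REVIEW_HINTS))
    return {"externals": p.externals, "links": p.links,
            "hidden": p.hidden, "review": review}
```

Fields listed under "review" are the ones to test and, on the defending side, the ones whose values must be validated again in the upload handler.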

How it works...

The source code of a web page can be very helpful in finding vulnerabilities and analyzing the application's response to the input we provide. It also gives us an idea of how the application works internally and whether it uses any third-party libraries or frameworks.

Some applications also include input validation, encoding, or encryption functions written in JavaScript or another client-side scripting language. As this code is executed in the browser, we can analyze it by viewing the page's source; once we find a validation function, we can study it and look for any security flaw that may allow us to bypass it or alter its result.
