Webgoat - Bypass front-end restrictions

Webgoat – Bypass front-end restrictions

In this walk through, we will be going through the Bypass front-end restrictions vulnerability section from Webgoat Labs. We will be exploring and exploiting front-end restrictions and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

Webgoat - Bypass front-end restrictions

1. Field Restrictions

  • In this challenge, we have to bypass client-side restrictions on the given input fields to complete the challenge.

Field Restrictions

  • Change the Option value in the source code using Dev Tools Inspector.

Drop-down menu

Select name

Radio Buttons:

  • Change the option value in the source code using Dev Tools Inspector.

Radio Buttons

Radio option


  • Add a value attribute with a random value and delete the other ones.


Checkbox option

Maximum characters restrictions:

  • Change the max length value to something of higher number.

Maximum characters restrictions

Bypassing character restriction

Readonly Input field:

  • Delete the readonly value using the Dev tools Inspector.

Readonly Input field

Bypassing Read only input restrictions


2. Validation

  • In this challenge, we have to bypass the regular expression client side restriction in the given fields.


  • I intercepted the request via Burpsuite and changed the field values. Forwarding the request marked the challenge as complete.

Burpsuite POST request

Making changes


Also Read: Mutillidae – Username Enumeration (Login)



So, we finally completed the Webgoat Bypass front-end restrictions Vulnerability section. Next, we can mitigate the potential front-end restrictions bypass attacks by processing data more on the server side and not give the user the access to interfere with the application’s logic by manipulating data on client side. On that note, i will take your leave and will meet you in next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top