TestOps - Bypass of Disabled Input Fields via HTML Manipulation

Hello Katalon Team @albert.vu @Elly_Tran @vu.tran
I would like to report a bug on the Katalon TestOps platform

*Summary
By modifying the HTML code directly in the browser, I was able to bypass the disabled attribute on certain input fields and buttons. This allowed me to submit data that was supposed to be restricted, potentially leading to unintended actions or manipulation of restricted fields.

*Steps to reproduce

  1. Navigate to the webpage: Katalon TestOps
  2. Open the browser’s Developer Tools (e.g., by pressing F12 on Chrome).
  3. Inspect the disabled Create Trial Katalon Studio Enterprise Offline License button to get the URL
  4. Open the URL
  5. Open the browser’s Developer Tools (e.g., by pressing F12 on Chrome).
  6. Inspect the disabled Machine ID textfield
  7. Remove the disabled attribute from the HTML using the Developer Tools for the Machine ID textfield
  8. Inspect the disabled Create button
  9. Remove the disabled attribute from the HTML using the Developer Tools for the Create button
  10. Enter data into the previously disabled input field and submit the form.
  11. Observe that the data is successfully submitted, despite the field being disabled in the original page.

*Expected Results

  1. Input fields and buttons with the disabled attribute should remain uneditable and unclickable, even when the HTML code is manually modified using browser developer tools.
  2. Submitting data through disabled fields or buttons should be prevented by server-side validation, ensuring that unauthorized or unintended actions are not processed.
  3. Files generated through tampered fields should not be valid for activating Katalon Studio.
  4. A proper error message should be displayed if tampered data is detected, maintaining system integrity.

*Actual Results

  1. The disabled attribute on input fields and buttons can be bypassed by directly modifying the HTML in the browser.
  2. The Machine ID field and Create button, which are supposed to be restricted, became editable and clickable after removing the disabled attribute via browser developer tools.
  3. Data entered into these tampered fields was successfully submitted and processed by the system without any validation or restriction.
  4. Files generated from the tampered fields were valid and could be used to activate Katalon Studio, allowing for unauthorized or unintended activations.
  5. No error message or server-side validation prevented the unauthorized submission of data or the validity of generated files.

*Screenshots / Videos

*Blocker?
No

Number of affected users?
All Katalon TestOps users.


*Operating System
MacOS Sequoia

*Katalon Studio version
All Katalon Studio versions.

*Katalon Studio logs
.

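The root cause behind steps 7 to 11 is that the HTML `disabled` attribute only changes what the browser sends: a disabled control is left out of the submitted form data, so removing the attribute in Developer Tools (or setting `element.disabled = false` in the console) simply puts the field back into the request. The server never sees the attribute and cannot rely on it. The following script is an added illustration, not Katalon's code; the field names (`machineId`, `licenseType`), the `trialEligible` session flag, the Machine ID format check and the sample values are all hypothetical. It models what the browser submits before and after the tampering, then contrasts a handler that trusts the request with one that derives the set of writable fields from server-side state.

```javascript
// Added example (not from the original post or the Katalon code base).
// Field names, the session flag and the ID format are assumptions for illustration.

// Constructed sample: the create-license form as rendered for a user whose
// Machine ID field is locked. Values are made up.
const FORM_FIELDS = [
  { name: 'licenseType', value: 'KSE_OFFLINE_TRIAL', disabled: false },
  { name: 'machineId', value: '', disabled: true },
];

// Simulates the browser's form data set. Per the HTML spec a disabled control is
// not submitted at all; `tampered` holds fields the user re-enabled in DevTools
// (e.g. document.querySelector('[name=machineId]').disabled = false) and typed into.
function browserFormData(fields, tampered = {}) {
  const body = {};
  for (const f of fields) {
    if (f.name in tampered) {
      body[f.name] = tampered[f.name]; // attribute removed, user-supplied value is sent
      continue;
    }
    if (!f.disabled) body[f.name] = f.value; // disabled controls never reach the server
  }
  return body;
}

// Hypothetical format rule for a Machine ID.
const MACHINE_ID = /^[A-Za-z0-9-]{8,64}$/;

// Vulnerable handler: assumes the UI could not have sent machineId for this user,
// so whatever arrives is processed as-is.
function createLicenseVulnerable(session, body) {
  return { ok: true, license: { owner: session.user, machineId: body.machineId } };
}

// Hardened handler: which fields the caller may set is decided from server-side
// session state, and any field outside that set rejects the whole request.
function createLicenseHardened(session, body) {
  const writable = new Set(['licenseType']);
  if (session.trialEligible) writable.add('machineId');

  const rejected = Object.keys(body).filter((k) => !writable.has(k));
  if (rejected.length > 0) {
    return { ok: false, error: `field(s) not permitted: ${rejected.join(', ')}` };
  }
  if (!session.trialEligible) {
    return { ok: false, error: 'trial license not available for this account' };
  }
  if (!MACHINE_ID.test(body.machineId ?? '')) {
    return { ok: false, error: 'machineId missing or malformed' };
  }
  return { ok: true, license: { owner: session.user, machineId: body.machineId } };
}

// Walk through the report: a locked user re-enables the field and submits.
function demo() {
  const lockedSession = { user: 'alice', trialEligible: false };
  const honest = browserFormData(FORM_FIELDS);
  const tampered = browserFormData(FORM_FIELDS, { machineId: 'ABCD-EF01-2345' });
  return {
    honestBodyHasMachineId: 'machineId' in honest,
    tamperedBodyHasMachineId: 'machineId' in tampered,
    vulnerable: createLicenseVulnerable(lockedSession, tampered),
    hardened: createLicenseHardened(lockedSession, tampered),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check that matters is the one in `createLicenseHardened`: the allow-list of writable fields comes from the session, so the DOM state of the page is irrelevant to the outcome. Rejecting the whole request on an unexpected field, rather than silently dropping it, also gives the user the error message the report asks for and leaves a log entry for the tampering attempt.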

Thank you @depapp for reporting this bug to our team. :+1:


Hi em @Elly_Tran, can you take a look at this thread and forward it to the TestOps team if possible.

Thanks,
Albert


anytime @albert.vu :beers:


Hi @depapp,

Thank you for letting us know about your problem. I will let my team know and investigate it. I will update you soon.


noted with thanks @Elly_Tran !