Listen to this Post

Introduction:
Server-side validation is the last line of defense against malformed or malicious input. When developers rely solely on client-side checks or fail to enforce mandatory fields on the backend, attackers can simply remove parameters from API requests to bypass business logic. This article dissects a real-world registration bypass discovered on gifty.nl, where removing the VAT field from the registration request still created a valid account – a classic missing server-side validation flaw that exposes invoicing and compliance systems to abuse.
Learning Objectives:
- Understand how parameter removal bypasses server-side validation and leads to account registration flaws.
- Learn to test for missing server-side validation using proxy tools (Burp Suite), curl, and custom scripts.
- Implement robust server-side validation, schema enforcement, and logging to prevent registration bypass vulnerabilities.
You Should Know:
- Exploiting Missing Server-Side Validation – Removing a Required Field
This vulnerability occurs when the frontend expects a VAT field, but the backend does not verify its presence. An attacker intercepts the registration request, deletes the “vat” parameter, and forwards it. If the server still creates the account, the flaw is confirmed.
Step‑by‑step exploitation using Burp Suite:
- Configure Burp Suite as a proxy (listening on 127.0.0.1:8080) and install its CA certificate on your test device.
- Navigate to the target registration page (e.g., `https://gifty.nl/register`).
- Fill all legitimate fields (name, email, password) but leave the VAT field empty.
- Turn on Burp’s intercept, submit the form, and capture the POST request.
- Locate the parameter `vat=…` in the request body (or URL if GET). Remove the entire line or key-value pair.
- Forward the modified request. If the server responds with HTTP 200 or a success message and the account is created, the vulnerability exists.
Linux command using curl (parameter removal):
Original request with VAT field curl -X POST https://gifty.nl/api/register \ -d "name=test&[email protected]&vat=NL123456789&password=SecurePass123" Exploit – remove VAT parameter entirely curl -X POST https://gifty.nl/api/register \ -d "name=test&[email protected]&password=SecurePass123"
Windows PowerShell equivalent:
$body = @{name='test'; email='[email protected]'; password='SecurePass123'}
Invoke-RestMethod -Uri 'https://gifty.nl/api/register' -Method Post -Body $body
If both commands succeed, the server does not validate mandatory fields – a critical oversight.
- Testing for Missing Schema Validation with Custom Fuzzing
Beyond simple removal, attackers can fuzz parameter names to find other missing validations. Use tools like `ffuf` or Burp Intruder to send requests with different sets of parameters.
Step‑by‑step fuzzing with ffuf (Linux):
- Create a wordlist of common parameter names (e.g.,
vat,tax_id,business_id,company_reg). - Use ffuf to replace the VAT parameter with each wordlist entry or omit it:
ffuf -u https://gifty.nl/api/register -X POST \ -d "name=test&[email protected]&FUZZ=bypass&password=SecurePass123" \ -w wordlist.txt -fc 400,401,403,404
- Also test with an empty value: `vat=` or
vat=%00. - Monitor server responses – any 200 OK with a new account indicates flawed validation.
Burp Intruder method:
- Send the captured registration request to Intruder.
- Set a payload position on the parameter name (e.g., `vat` ->
§vat§=NL123). - Use a “Null payloads” set with “Generate empty” option to remove the parameter completely.
- Start attack – any successful registration (no error message about missing VAT) flags the vulnerability.
- Server‑Side Mitigation – Enforcing Mandatory Fields with Strict Schema Validation
To fix this flaw, developers must validate the presence, type, format, and business logic of every input field on the server, independent of client‑side input.
Step‑by‑step secure implementation (Node.js/Express example):
const { body, validationResult } = require('express-validator');
app.post('/api/register',
body('name').notEmpty().trim(),
body('email').isEmail().normalizeEmail(),
body('vat').notEmpty().withMessage('VAT number is required').matches(/^[A-Z]{2}[0-9A-Z]{6,12}$/),
body('password').isLength({ min: 8 }),
(req, res) => {
const errors = validationResult(req);
if (!errors.isEmpty()) {
return res.status(400).json({ errors: errors.array() });
}
// Proceed with registration only after validation passes
createAccount(req.body);
}
);
Python (Flask) equivalent:
from flask import request, jsonify
from marshmallow import Schema, fields, ValidationError
class RegisterSchema(Schema):
name = fields.Str(required=True)
email = fields.Email(required=True)
vat = fields.Str(required=True, validate=lambda x: x.startswith('NL'))
password = fields.Str(required=True, load_only=True)
@app.route('/api/register', methods=['POST'])
def register():
schema = RegisterSchema()
try:
data = schema.load(request.json)
except ValidationError as err:
return jsonify(err.messages), 400
Create account
Always use schema‑based validation libraries – they automatically reject requests with missing or extra fields.
- API Security – Enforcing OpenAPI Contracts with Gateway Validation
For microservices, enforce a strict API contract using OpenAPI (Swagger) specs. Implement a gateway (e.g., KrakenD, Kong, or AWS API Gateway) that validates requests against the schema before they reach the backend.
Step‑by‑step OpenAPI validation with a gateway:
- Define your registration endpoint in `openapi.yaml` with the VAT field marked as
required: true./register: post: requestBody: required: true content: application/json: schema: type: object required: [name, email, vat, password] properties: vat: type: string pattern: '^[A-Z]{2}[0-9A-Z]{6,12}$' - Deploy an API gateway with OpenAPI validation enabled (e.g., using `express-openapi-validator` in Node.js or `connexion` in Python).
- Configure the gateway to reject any request that does not conform – including missing `vat` fields – with HTTP 400 before it reaches your business logic.
Command to test API gateway enforcement:
curl -X POST https://api.gifty.nl/register \
-H "Content-Type: application/json" \
-d '{"name":"test","email":"[email protected]","password":"pass"}' \
-w "%{http_code}" Should return 400, not 200
- Cloud Hardening – Using WAF Rules to Block Parameter Tampering
Cloud Web Application Firewalls (AWS WAF, Cloudflare, Azure WAF) can be configured with custom rules to detect when a required parameter is missing.
Step‑by‑step AWS WAF rule for mandatory fields:
- Create a WAF Web ACL and associate it with your CloudFront or ALB.
- Add a custom rule with statement: “Has a parameter” – check the request body for the `vat` key.
- Set the action to “Block” when the parameter is absent.
- Use a JSON parsing rule body:
{ "Name": "RequireVATField", "Priority": 10, "Statement": { "NotStatement": { "Statement": { "ByteMatchStatement": { "SearchString": "\"vat\":", "FieldToMatch": { "Body": {} }, "TextTransformations": [], "PositionalConstraint": "CONTAINS" } } } }, "Action": { "Block": {} } } - Save and test – any POST without `”vat”:` gets blocked before hitting your origin.
Cloudflare WAF using Custom Rules (expression syntax):
(http.request.method eq "POST" and http.request.uri.path eq "/register" and not any(http.request.body.raw contains "vat"))
This blocks requests lacking the VAT field.
- Vulnerability Mitigation – Logging and Monitoring for Parameter Tampering
To detect exploitation attempts, implement logging and alerting on malformed requests. Use SIEM or ELK stack to correlate missing fields from the same source IP.
Step‑by‑step logging with custom middleware (Node.js):
app.use((req, res, next) => {
if (req.path === '/api/register' && req.method === 'POST' && !req.body.hasOwnProperty('vat')) {
console.warn(<code>Missing VAT field from IP ${req.ip} - ${req.headers['user-agent']}</code>);
// Send alert to SIEM
logToSIEM({ event: 'missing_mandatory_field', field: 'vat', ip: req.ip });
}
next();
});
Linux command to monitor logs in real‑time:
tail -f /var/log/nginx/access.log | grep "POST /api/register" | grep -v "vat"
Windows PowerShell (monitoring IIS logs):
Get-Content -Path "C:\inetpub\logs\LogFiles\W3SVC1\u_ex.log" -Wait | Select-String "POST /api/register" | Select-String -NotMatch "vat"
What Undercode Say:
- Key Takeaway 1: Missing server-side validation is not a theoretical risk – it directly allows account registration bypass, leading to compliance fraud and business logic abuse, as shown in the gifty.nl bug report.
- Key Takeaway 2: Defenses must be layered: schema validation on the backend, API gateway enforcement, WAF rules, and active monitoring. Never trust the client to send all required parameters.
The gifty.nl case is a textbook example of how developers over-rely on frontend forms. The bug bounty response (“already reported, on backlog”) is worrying – such flaws often remain unpatched for months. Attackers can automate parameter removal using simple curl scripts, scaling account creation for fake VAT numbers or tax evasion. Organizations must prioritize server-side validation as a critical security control, not a “nice to have.” Using OpenAPI contracts and gateway‑level validation eliminates entire classes of parameter tampering. Additionally, red teams should always test for missing fields when assessing registration, profile update, and payment APIs – you’ll be surprised how many fail.
Prediction:
As API-driven architectures and microservices grow, missing server-side validation will become a top-10 vulnerability in automated scanners by 2027. AI‑powered fuzzing tools will automatically generate parameter removal payloads, increasing discovery rates. Conversely, we will see wider adoption of “strict mode” validation frameworks and zero‑trust API gateways that default‑deny any request deviating from a declared schema. Compliance frameworks (PCI DSS v4.0, ISO 27001:2025) will explicitly mandate server-side presence checks for all mandatory data fields, turning this into a regulatory requirement rather than a best practice.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Ankit Pandey – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


