Key Information

Vulnerability Description

Vulnerability Type: Client-side validation bypass, allowing insertion of special characters into user data.
Platform: Litmus Chaos
Version: 3.19.0

Summary

A validation flaw was discovered in the LitmusChaos platform, enabling attackers to bypass client-side restrictions and submit special characters (e.g., ) into user profile fields such as the display name. The backend does not enforce the same restrictions, leading to inconsistent input handling and potential downstream issues.

Details

The application enforces input restrictions (e.g., disallowing special characters in usernames) only at the frontend level, using JavaScript or HTML5 validation. These restrictions can be bypassed by directly manipulating requests, allowing unintended data to be stored and displayed.

Test Scenario

1. Log in as an administrator.
2. Attempt to change the display name in the user profile using special characters.
3. The frontend displays a validation error and blocks the submission.
4. Intercept the HTTP request for the profile update using Burp Suite.
   - Endpoint:
5. Manually modify the name field to include special characters.
6. Forward the modified request to the backend.
7. The server returns a successful response, and the change is reflected in the user interface.

PoC

In the test scenario, an admin account was used to attempt changing the username by inserting special characters. Initially, the frontend application blocked this action, indicating basic validation. When the request to update user data was intercepted, specifically for the endpoint, the validation was easily bypassed. In the intercepted request, the field referencing the username was modified to include the desired special characters. After sending the modified request, the backend returned a success message. In the application interface, the username was successfully changed and displayed with special characters.

Impact

While this issue may appear minor at first glance, the lack of proper server-side input validation opens the door to:
- Inconsistent application behavior;
- Potential injection vectors (e.g., if this data is later rendered in HTML, logs, or emails without sanitization);
- Compromised data integrity.
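As an added example (not LitmusChaos project code), the server-side counterpart of the check the advisory says is missing: the same display-name rule the UI applies is re-applied by the backend, so a request edited in a proxy is refused just as the UI refused it. It assumes a Go backend with a JSON profile-update body whose field is `name`; the character policy is a constructed assumption, since the advisory does not state the frontend rule.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
	"regexp"
)

// displayNameRe is a constructed policy (the advisory does not state the
// frontend rule): letters, digits, spaces, dots, hyphens, underscores; 1-64 chars.
var displayNameRe = regexp.MustCompile(`^[\p{L}\p{N} ._-]{1,64}$`)

// ValidateDisplayName returns "" when the name is acceptable, otherwise the
// reason it was rejected. It runs on the server, whatever the client did.
func ValidateDisplayName(name string) string {
	if !displayNameRe.MatchString(name) {
		return "display name is empty, too long, or contains disallowed characters"
	}
	return ""
}

type updateUserRequest struct{ Name string `json:"name"` }

// CheckUpdateRequest decodes a profile-update body and applies the server-side
// rule, returning the HTTP status and message the endpoint should answer with.
func CheckUpdateRequest(body io.Reader) (int, string) {
	var req updateUserRequest
	if err := json.NewDecoder(io.LimitReader(body, 4096)).Decode(&req); err != nil {
		return http.StatusBadRequest, "malformed request body"
	}
	if reason := ValidateDisplayName(req.Name); reason != "" {
		return http.StatusBadRequest, reason
	}
	return http.StatusOK, ""
}

// UpdateUserHandler is a constructed stand-in for the profile-update endpoint:
// the check is repeated here before anything is stored, so a proxy-edited request is refused.
func UpdateUserHandler(w http.ResponseWriter, r *http.Request) {
	if status, msg := CheckUpdateRequest(r.Body); status != http.StatusOK {
		http.Error(w, msg, status)
		return
	}
	w.WriteHeader(http.StatusOK) // persist the validated name before this point
}

func main() {
	http.ListenAndServe(":8080", http.HandlerFunc(UpdateUserHandler)) // listen address is a placeholder
}
```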