Client side validation bypass

How We Found It

On the home page, there is a link to a survey page. this page has a list of subject, an average score and a number of vote. We can give a grade between 0 and 10.
But what if we change in the html page, the value of a score and put something bigger than 10, can we put a grade of 1000 ?
Yes we can, and we get a flag.

Utility of It

This allows an attacker to:

Submit invalid or malicious data (e.g., score > 10).
Manipulate application logic (e.g., gain unfair advantage or retrieve flags).
Potentially exploit further vulnerabilities if the data is used insecurely elsewhere (e.g., SQL injection, XSS).

How Can We Patch It

Validate all input on the server side regardless of client-side checks.
Enforce boundaries (e.g., score must be between 0 and 10) on the backend.
Use a schema validation library or built-in mechanisms to reject bad data.
Never trust client-side data blindly — browsers can be manipulated.