Penetration Testing mailing list archives

RE: To validate or not to validate: Client side validation


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 20 Apr 2010 16:14:19 -0400

Question: You are doing code review and come across a JavaScript
application that does not do input validation. Would you have the
developer go back and write in input validation? If so, why? If not,
why?

Where does the app run?  If it's client-side, and there are no user-interface
gains, I would leave it alone and settle for validating that any server-side
component of the app is handling input validation.  The reason being the
obvious - that client-side input validation is trivially circumvented, so
it's not worth my time or the developer's.

PaulM






