Penetration Testing mailing list archives
Re: To validate or not to validate: Client side validation
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 21 Apr 2010 10:18:13 -0500
pand0ra <pand0ra.usa () gmail com> writes:
Question: You are doing code review and come across a javascript application that does not do input validation. Would you have the developer go back and write in input validation? If so, why? If not, why?
I suspect from your question you already have a sense of the answer. :-) If it makes data entry more efficient and user-friendly, yes. But you certainly don't want to suggest that they use JavaScript (or any client-side) validation and rely on it for security purposes. Those validations must be done at the server, since any client-side controls can be bypassed.

http://www.owasp.org/index.php/Reviewing_Code_for_Data_Validation#Never_Rely_on_Client-Side_Data_Validation
http://www.owasp.org/index.php/Validation_performed_in_client

Best Regards,
--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos
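The bypass Todd describes, shown in code. This is an added example and not part of the original post or the OWASP pages it links: the form fields (`username`, `quantity`), the validation rules and the two server handlers are assumptions made for illustration. The browser submit path runs the client-side check; the "raw" path stands in for curl, an intercepting proxy, or the browser devtools, which simply never execute the page's JavaScript before the request reaches the server.

```javascript
// Added example (not from the original post): why client-side validation
// cannot be relied on for security. Field names, rules and handlers are
// assumed for illustration.

// --- Client side: what the browser runs before submitting the form ---
// Accepts a 1-20 character alphanumeric username and a quantity of 1-99.
function clientValidate(form) {
  const errors = [];
  if (!/^[A-Za-z0-9]{1,20}$/.test(form.username)) errors.push("username");
  const qty = Number(form.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 99) errors.push("quantity");
  return errors;
}

// Browser submit path: refuses to send the request if the client check fails.
function browserSubmit(form, server) {
  const errors = clientValidate(form);
  if (errors.length) return { sent: false, errors };
  return { sent: true, response: server(form) };
}

// Attacker path: curl, a proxy, or devtools sends the request directly.
// clientValidate never runs, so whatever the attacker types goes straight in.
function rawSubmit(form, server) {
  return { sent: true, response: server(form) };
}

// --- Server side, trusting variant: assumes the client already validated ---
function serverHandlerTrusting(form) {
  // Vulnerable: stores attacker-controlled values without checking them.
  return {
    status: 200,
    order: { user: form.username, qty: Number(form.quantity) },
  };
}

// --- Server side, validating variant: the only check that actually counts ---
function serverHandlerValidating(form) {
  if (typeof form.username !== "string" ||
      !/^[A-Za-z0-9]{1,20}$/.test(form.username)) {
    return { status: 400, error: "bad username" };
  }
  const qty = Number(form.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 99) {
    return { status: 400, error: "bad quantity" };
  }
  return { status: 200, order: { user: form.username, qty } };
}

// Constructed hostile input: a script tag for the username and a negative
// quantity, both of which the client-side rules would reject.
function demo() {
  const hostile = { username: "<script>alert(1)</script>", quantity: "-5" };
  return {
    viaBrowser: browserSubmit(hostile, serverHandlerTrusting),
    viaRawTrusting: rawSubmit(hostile, serverHandlerTrusting),
    viaRawValidating: rawSubmit(hostile, serverHandlerValidating),
  };
}

const result = demo();
console.log(JSON.stringify(result, null, 2));
```

Through the browser the form is never sent, which is the usability win Todd mentions. Sent raw to the trusting handler, the same hostile values are accepted with a 200 and a negative quantity ends up in the order. Only the validating handler rejects them, which is why the server-side check is the one that must exist; the client-side copy is a convenience layer on top of it, not a substitute.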
Current thread:
- To validate or not to validate: Client side validation pand0ra (Apr 20)
- RE: To validate or not to validate: Client side validation Paul Melson (Apr 22)
- Re: To validate or not to validate: Client side validation Alexander Klimov (Apr 22)
- Re: To validate or not to validate: Client side validation Todd Haverkos (Apr 22)
- Re: To validate or not to validate: Client side validation Joe Peters (Apr 26)
- Re: To validate or not to validate: Client side validation ㅤ ㅤRockey (Apr 27)
- Re: To validate or not to validate: Client side validation Patrick Cornelißen (Apr 26)
- <Possible follow-ups>
- Re: To validate or not to validate: Client side validation Robinson Delaugerre (Apr 22)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 26)
- Re: To validate or not to validate: Client side validation Alexander Klimov (Apr 27)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 27)
- Re: To validate or not to validate: Client side validation Patrick Cornelißen (Apr 29)
- Re: To validate or not to validate: Client side validation Joe Peters (Apr 29)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 26)