Penetration Testing mailing list archives
Re: To validate or not to validate: Client side validation
From: Joe Peters <joepete () joepete com>
Date: Tue, 20 Apr 2010 18:47:42 -0400
Considering javascript is easily circumvented or manipulated at the browser level - not to mention the vast usability issues at stake - I would note it, but not require it. Ultimately for a Web app. all validation must be done on the server end. Sure, javascript validation may be a nice-to-have, but there is no guarantee as to how it will behave on the end-user's platform.

--
JoePete

On Mon, 2010-04-19 at 14:41 -0600, pand0ra wrote:

Question: You are doing code review and come across a javascript application that does not do input validation. Would you have the developer go back and write in input validation? If so, why? If not, why?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
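The point made in the message above, validation enforced on the server regardless of what the browser's JavaScript did, as an added example that is not part of the original post. The field names, rules and sample request bodies are hypothetical and constructed for illustration.

```javascript
// Server-side validation of a parsed JSON request body (added example).
// It assumes nothing about client-side checks: types, ranges and the set
// of allowed fields are all re-checked here.
const RULES = {
  username: { pattern: /^[a-z0-9_]{3,20}$/ },
  email: { pattern: /^[^\s@]{1,64}@[^\s@]{1,255}$/ },
  age: { integer: true, min: 13, max: 120 },
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateSignup(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'], value: null };
  }
  const errors = [];
  // Reject fields the form never offered (e.g. an injected "isAdmin").
  for (const key of Object.keys(body)) {
    if (!hasOwn(RULES, key)) errors.push(`unexpected field: ${key}`);
  }
  const value = {};
  for (const [field, rule] of Object.entries(RULES)) {
    if (!hasOwn(body, field)) {
      errors.push(`missing field: ${field}`);
      continue;
    }
    const raw = body[field];
    if (rule.pattern) {
      // A crafted request can send an array or object where the form sent text.
      if (typeof raw !== 'string' || !rule.pattern.test(raw)) {
        errors.push(`invalid ${field}`);
        continue;
      }
    } else if (rule.integer) {
      if (!Number.isInteger(raw) || raw < rule.min || raw > rule.max) {
        errors.push(`invalid ${field}`);
        continue;
      }
    }
    value[field] = raw;
  }
  return errors.length ? { ok: false, errors, value: null } : { ok: true, errors, value };
}

// Constructed sample bodies: one a well-behaved browser form would send,
// and one sent directly to the endpoint without running any client script.
const fromForm = { username: 'alice_01', email: 'alice@example.com', age: 30 };
const crafted = { username: ['alice'], email: 'x', age: '30', isAdmin: true };
console.log(validateSignup(fromForm).ok, validateSignup(crafted).errors);
```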
Current thread:
- To validate or not to validate: Client side validation pand0ra (Apr 20)
- RE: To validate or not to validate: Client side validation Paul Melson (Apr 22)
- Re: To validate or not to validate: Client side validation Alexander Klimov (Apr 22)
- Re: To validate or not to validate: Client side validation Todd Haverkos (Apr 22)
- Re: To validate or not to validate: Client side validation Joe Peters (Apr 26)
- Re: To validate or not to validate: Client side validation ㅤ ㅤRockey (Apr 27)
- Re: To validate or not to validate: Client side validation Patrick Cornelißen (Apr 26)
- <Possible follow-ups>
- Re: To validate or not to validate: Client side validation Robinson Delaugerre (Apr 22)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 26)
- Re: To validate or not to validate: Client side validation Alexander Klimov (Apr 27)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 27)
- Re: To validate or not to validate: Client side validation Patrick Cornelißen (Apr 29)
- Re: To validate or not to validate: Client side validation Joe Peters (Apr 29)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 26)