Penetration Testing mailing list archives
Re: To validate or not to validate: Client side validation
From: Alexander Klimov <alserkli () inbox ru>
Date: Tue, 27 Apr 2010 08:50:46 +0300
On Thu, 22 Apr 2010, Dotzero wrote:
> Doing client input validation is not irrelevant to security. If I believe that I am implementing it correctly on the client then when I see something that violates that input validation I can reasonably assume that it is hostile and not accidental. Reducing noise is certainly a benefit. What is the risk of a false positive that impacts your normal users if you decide to send a reset or drop route on server side input validation failures if you are also doing the same input validation on the client vs not?
Do you advocate to declare hostile anyone who turns JavaScript off?

--
Regards,
ASK