WebApp Sec mailing list archives
Re: Script Based Attacks & Form Hacks
From: "Sean Utt" <sean () strateja com>
Date: Thu, 21 Jul 2005 22:35:07 -0700
Hello,It is not unprofessional or insecure to use JavaScript to pre-check form data prior to submission, any more that it is unprofessional or insecure to tell the user what data needs to be entered into each field in the form. It would be insecure to rely on the JavaScript and to not check the data on the server side as though the JavaScript didn't exist. It would be inconsiderate to render the form unusable if JavaScript is disabled. Client side checking of form data is for user convenience (can prevent a round trip to the web server), not security or data integrity.
Slightly to one side of this: Tell the user what you expect them to enter in as data.Use client side JavaScript to try to catch errors/omissions before sending the form data, perhaps even do some pre-formatting.
If there are errors/omissions, tell the user again what data is expected.When the form is submitted, check the data again, and if there are errors/omissions, tell the user once again what data is expected.
Don't trust any data -- always check it, not matter where it came from. Don't assume that the data came from a program you created, so therefore it must be clean. Don't assume that the data came from another module of the program, so therefore it must be clean. It is the "responsibility" of every function, subroutine, module, program, script, etc. to validate the data it uses. Better to be redundant. If your program puts data in a database, immediately retrieves the data from the database and blindly uses that data on the assumption that because you wrote it there just a second ago it must be safe, you are sitting on a time bomb. It might not go off, but why take the chance?
Sean----- Original Message ----- From: "Paul Kurczaba" <seclists () securinews com>
To: "Chad Maniccia" <wopazar () gmail com> Cc: <webappsec () securityfocus com> Sent: Thursday, July 21, 2005 7:06 PM Subject: Re: Script Based Attacks & Form Hacks
To prevent automatic form submissions I use a custom written implementation of CAPTCHA (http://www.captcha.net/). This prevents robots from automatically setting up accounts. Many web developers do use client side JavaScript for controlling form submission data (ex. making sure all text boxes are filled, verifying email address structure, etc.) This is unprofessional and (could be) insecure. The form verification should be done on the server side.[snip]
Current thread:
- Script Based Attacks & Form Hacks Chad Maniccia (Jul 21)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 22)
- RE: Script Based Attacks & Form Hacks Serghei S. (Jul 22)
- RE: Script Based Attacks & Form Hacks Paul Laudanski (Jul 24)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks leighm (Jul 21)
- Re: Script Based Attacks & Form Hacks Christopher J Varenhorst (Jul 21)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Paul Kurczaba (Jul 21)
- Re: Script Based Attacks & Form Hacks Sean Utt (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Andrew van der Stock (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 22)
- Re: Script Based Attacks & Form Hacks Vicente Aguilera (Jul 22)
- Re: Script Based Attacks & Form Hacks Stephen de Vries (Jul 23)
- Re: Script Based Attacks & Form Hacks Christian Martorella (Jul 23)
- Re: Script Based Attacks & Form Hacks Saqib Ali (Jul 21)
- RE: Script Based Attacks & Form Hacks Jose Varghese (Jul 22)