Penetration Testing mailing list archives

Re: To validate or not to validate: Client side validation


From: Robinson Delaugerre <rdelaugerre () sdninternational com>
Date: Tue, 20 Apr 2010 22:27:28 +0200 (CEST)

Input validation has to be done *somewhere*, but if you do it client-side, you must do it again server side, because 
anyone can bypass your nice js interface. So doing it client-side is just a courtesy to the user, so that it does not 
take a back-and-forth between client and server to tell the user the email he provided doesn't contain an @.

But as you mustn't rely on client validation, whether it's done or not is purely UX-based, and therefore irrelevant to 
security in my book.

I'd be interested in opposed opinions though.

Rob'

----- Original Message -----
From: "pand0ra" <pand0ra.usa () gmail com>
To: "pen-test" <pen-test () securityfocus com>
Sent: Monday, 19 April 2010 22:41:47
Subject: To validate or not to validate: Client side validation

Question: You are doing code review and come across a javascript
application that does not do input validation. Would you have the
developer go back and write in input validation? If so, why? If not,
why?
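The point made above, that client-side checks are only a courtesy and the server must validate again, as an added example (not code from either poster): one rule set shared by the browser form and the server handler, where the server re-parses and re-validates every request on its own. The field rules and function names (validateSignup, onSubmitInBrowser, handleSignup) are assumptions for illustration.

```javascript
// Added example, not from the thread. Names and rules are assumed.
// The browser uses the rules for instant feedback; the server applies the
// same rules independently, because the browser copy can simply be skipped.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateSignup(fields) {
  const errors = [];
  if (typeof fields.email !== "string" || !EMAIL_RE.test(fields.email)) {
    errors.push("email: must contain exactly one @ and a domain");
  }
  if (typeof fields.age !== "number" || !Number.isInteger(fields.age) ||
      fields.age < 13 || fields.age > 120) {
    errors.push("age: must be an integer between 13 and 120");
  }
  return errors;
}

// Browser side: runs on submit purely to save a round trip to the server.
function onSubmitInBrowser(form) {
  const errors = validateSignup(form);
  if (errors.length) return { sent: false, errors }; // show inline, don't POST
  return { sent: true, body: JSON.stringify(form) };
}

// Server side: trusts nothing about the request body. It re-parses,
// re-validates, and answers 400 rather than assuming the form code ran.
function handleSignup(rawBody) {
  let fields;
  try {
    fields = JSON.parse(rawBody);
  } catch {
    return { status: 400, errors: ["body: not valid JSON"] };
  }
  if (fields === null || typeof fields !== "object" || Array.isArray(fields)) {
    return { status: 400, errors: ["body: expected a JSON object"] };
  }
  const errors = validateSignup(fields);
  if (errors.length) return { status: 400, errors };
  return { status: 201, created: { email: fields.email, age: fields.age } };
}

// A constructed request that never went through the form still meets the
// same rules on the server: the age arrives as a string and the email has no @.
const direct = handleSignup('{"email":"not-an-address","age":"7"}');
console.log(direct.status, direct.errors);
```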

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

