Penetration Testing mailing list archives
Re: To validate or not to validate: Client side validation
From: Robinson Delaugerre <rdelaugerre () sdninternational com>
Date: Tue, 20 Apr 2010 22:27:28 +0200 (CEST)
Input validation has to be done *somewhere*, but if you do it client-side, you must do it again server-side, because anyone can bypass your nice JS interface. So doing it client-side is just a courtesy to the user, so that it does not take a back-and-forth between client and server to tell the user the email he provided doesn't contain an @. But as you mustn't rely on client validation, whether it's done or not is purely UX-based, and therefore irrelevant to security in my book. I'd be interested in opposed opinions though.

Rob'

----- Original Mail -----
From: "pand0ra" <pand0ra.usa () gmail com>
To: "pen-test" <pen-test () securityfocus com>
Sent: Monday, 19 April 2010 22:41:47
Subject: To validate or not to validate: Client side validation

Question: You are doing code review and come across a javascript application that does not do input validation. Would you have the developer go back and write in input validation? If so, why? If not, why?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
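The point Rob' makes, as an added example that is not part of the original post: the same email check runs in the browser as a courtesy and again on the server, and a request body built by hand (curl, an intercepting proxy) never passes through the browser-side check at all. The function names, the form-encoding helpers and the deliberately simple email regex are illustrative assumptions, not code from the thread; the regex is there to show the two-sided check, not as a complete email validator.

```javascript
// Added example (not from the original post). Shows why a client-side check is
// only a UX courtesy and why the server must repeat it.

// Illustrative regex shared by both sides so the user gets the same verdict
// from the quick browser check as from the server. Assumption: "has an @ and a dot"
// is enough for this demonstration; it is not a full RFC 5322 validator.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// --- Client side (would run in the browser, on form submit) ---
function clientValidateEmail(value) {
  return typeof value === 'string' && EMAIL_RE.test(value.trim());
}

// Encode fields the way a browser submits application/x-www-form-urlencoded.
function encodeForm(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// A well-behaved browser submission: the courtesy check refuses to send bad
// input, returning null instead of a request body.
function browserSubmit(fields) {
  if (!clientValidateEmail(fields.email)) return null;
  return encodeForm(fields);
}

// --- Server side ---
function parseForm(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k.replace(/\+/g, ' '))] =
      decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Naive handler: assumes the browser already validated the field.
function naiveHandler(body) {
  const fields = parseForm(body);
  return { status: 200, stored: fields.email };
}

// Hardened handler: re-validates, because the body may not have come from the form.
function hardenedHandler(body) {
  const fields = parseForm(body);
  const email = typeof fields.email === 'string' ? fields.email.trim() : '';
  if (!EMAIL_RE.test(email)) {
    return { status: 400, error: 'invalid email' };
  }
  return { status: 200, stored: email };
}

// The bypass: craft the request body directly, so clientValidateEmail never runs.
// Constructed sample input; any tool that speaks HTTP can send this.
function craftedBypassBody() {
  return encodeForm({ email: 'not-an-email' });
}

// Run the three scenarios and return the outcomes for inspection.
function demo() {
  const good = browserSubmit({ email: 'user@example.com' });
  return {
    browserRefusesBadInput: browserSubmit({ email: 'not-an-email' }) === null,
    naiveAcceptsBypass: naiveHandler(craftedBypassBody()).status,      // 200
    hardenedRejectsBypass: hardenedHandler(craftedBypassBody()).status, // 400
    hardenedAcceptsGood: hardenedHandler(good).status,                 // 200
  };
}
```

The browser check only ever sees input that arrived through the form; the server check sees every request, including the crafted one, which is why only the second one counts for security.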
Current thread:
- To validate or not to validate: Client side validation pand0ra (Apr 20)
- RE: To validate or not to validate: Client side validation Paul Melson (Apr 22)
- Re: To validate or not to validate: Client side validation Alexander Klimov (Apr 22)
- Re: To validate or not to validate: Client side validation Todd Haverkos (Apr 22)
- Re: To validate or not to validate: Client side validation Joe Peters (Apr 26)
- Re: To validate or not to validate: Client side validation Rockey (Apr 27)
- Re: To validate or not to validate: Client side validation Patrick Cornelißen (Apr 26)
- <Possible follow-ups>
- Re: To validate or not to validate: Client side validation Robinson Delaugerre (Apr 22)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 26)
- Re: To validate or not to validate: Client side validation Alexander Klimov (Apr 27)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 27)
- Re: To validate or not to validate: Client side validation Patrick Cornelißen (Apr 29)
- Re: To validate or not to validate: Client side validation Joe Peters (Apr 29)
- Re: To validate or not to validate: Client side validation Dotzero (Apr 26)