Penetration Testing mailing list archives

Re: To validate or not to validate: Client side validation


From: Patrick Cornelißen <cornelis () pcornelissen de>
Date: Thu, 22 Apr 2010 19:46:21 +0200

Hi!

2010/4/19 pand0ra <pand0ra.usa () gmail com>

> Question: You are doing code review and come across a JavaScript
> application that does not do input validation. Would you have the
> developer go back and write in input validation? If so, why? If not,
> why?

When this is a pure JS app, then validation should be done where necessary,
especially when a lot of "business logic" is located in the JavaScript client.

When the JS is just to make it look fancy and the real logic lies on
the server, you'll probably be fine doing just server-side validation.

just my 2 c

--
Bye,
 Patrick Cornelißen
 http://www.openprojectguide.org
 http://www.pcornelissen.de http://code.google.com/p/gloudy/
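
Added example, not part of the original message: a sketch of the server-side case discussed above, where one rule set is enforced by the server handler and only reused in the browser for user feedback. The field names, limits and function names (`validate`, `clientSubmit`, `serverHandle`) are constructed for illustration.

```javascript
// Constructed rule set: field names and limits are assumptions for this example.
const RULES = {
  username: { type: "string", pattern: /^[a-z0-9_]{3,20}$/ },
  quantity: { type: "number", integer: true, min: 1, max: 100 },
};

// Returns a list of error strings; an empty list means the input is acceptable.
function validate(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return ["body must be a JSON object"];
  }
  const errors = [];
  // Reject fields the rule set does not know about instead of ignoring them.
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [field, rule] of Object.entries(RULES)) {
    const value = input[field];
    if (typeof value !== rule.type) {
      errors.push(`${field}: expected ${rule.type}`);
      continue; // later checks assume the right type
    }
    if (rule.pattern && !rule.pattern.test(value)) errors.push(`${field}: bad format`);
    if (rule.integer && !Number.isInteger(value)) errors.push(`${field}: not an integer`);
    if (rule.min !== undefined && value < rule.min) errors.push(`${field}: below ${rule.min}`);
    if (rule.max !== undefined && value > rule.max) errors.push(`${field}: above ${rule.max}`);
  }
  return errors;
}

// Browser side: early feedback for the user. A request can reach the server
// without this function ever running, so it is not a security control.
function clientSubmit(form, send) {
  const errors = validate(form);
  return errors.length ? { sent: false, errors } : send(JSON.stringify(form));
}

// Server side: the enforcement point. It parses and validates every body itself,
// whatever the client did or did not check.
function serverHandle(rawBody) {
  let body;
  try { body = JSON.parse(rawBody); } catch (e) { return { status: 400, errors: ["invalid JSON"] }; }
  const errors = validate(body);
  return errors.length ? { status: 422, errors } : { status: 200, errors: [] };
}
```

Calling `serverHandle` directly with a raw string models a request that never passed through the browser code; it gets the same checks as one sent via `clientSubmit`.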
