Full Disclosure mailing list archives

Re: Exploiting an online store


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 16 Sep 2005 11:45:33 +1200

fd () ew nsci us wrote:

> There is no client side security.  Period.  Who wrote the shopping cart 
> and allowed posting the price to it??  Wow ...

This is so true.

Something that _really_ annoys me, and displays the utter lack of clue 
of the whole "web development team" behind sites with such pages, are 
HTML forms that require JavaScript enabled in your browser just to 
submit the form.  The only "justification" for such idiocy is that the 
client-side script can save (a little) bandwidth (by preventing 
incomplete and/or bad data from being submitted and some form of error 
indication being sent back from the server) and reduce server-side 
overhead by removing the need to sanity-check the received data.  Of 
course, in the real world, the server still has to sanity-check the 
data as filling the web form and submitting it via the script is not 
the only way that the code on the server that will process the 
submitted data can be exercised.  Failure to understand the latter has 
been very common among "web developers" who commonly have a mind-set 
entirely bounded by their perception of their design being used in an 
ordinary web browser (and often specifically IE, but we needn't go 
there at the moment...) and ignoring the reality of the situation which 
is that it is all just bits represented in electron patterns.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
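
The two points the thread makes (a cart that accepts a price from the client, and a server that assumes the form's JavaScript did its checking) side by side, as an added example that is not from the original post or from the store under discussion. The catalog, field names, quantity limit and the constructed request bodies are assumptions for illustration; the form body is built with the standard library to show that a submission is just bytes and needs no browser, let alone a script-enabled one.

```python
"""Why server-side validation is mandatory: a cart that trusts the posted
price versus one that only trusts its own catalog.

Added example, not code from the original post. The catalog, field names
and limits below are assumptions chosen for illustration.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode

# Assumed server-side catalog: the only legitimate source of prices.
CATALOG = {
    "sku-1001": Decimal("499.00"),
    "sku-1002": Decimal("19.95"),
}
MAX_QTY = 99  # assumed per-line quantity ceiling


class RejectedRequest(ValueError):
    """Raised when a submitted form fails the server-side checks."""


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}.

    Anything that can open a TCP connection can produce this body; the
    form's JavaScript never has to run for it to reach the server.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def vulnerable_add_to_cart(form: dict) -> Decimal:
    """Cart total computed from the price the client sent.

    Mirrors the flaw the thread describes: the form carried a price
    field, the client-side script "validated" it, and the server
    believed whatever arrived.
    """
    price = Decimal(form["price"])
    qty = int(form["qty"])
    return price * qty


def hardened_add_to_cart(form: dict) -> Decimal:
    """Cart total computed only from data the server controls.

    The product id is looked up in the catalog, any price field the
    client sent is ignored, and the quantity is re-validated regardless
    of what the browser-side script may or may not have checked.
    """
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise RejectedRequest(f"unknown product {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise RejectedRequest("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise RejectedRequest(f"quantity {qty} out of range")
    return CATALOG[sku] * qty


def evaluate(form: dict) -> tuple:
    """Run both handlers on one submission; return what each would charge."""
    try:
        trusted = str(vulnerable_add_to_cart(form))
    except (KeyError, ValueError, InvalidOperation):
        trusted = "error"
    try:
        checked = str(hardened_add_to_cart(form))
    except RejectedRequest as exc:
        checked = f"rejected: {exc}"
    return trusted, checked


if __name__ == "__main__":
    # Constructed requests, built exactly as an attacker would after
    # skipping the form and its JavaScript entirely.
    for fields in (
        {"sku": "sku-1001", "price": "0.01", "qty": "3"},   # price tampering
        {"sku": "sku-1001", "price": "499.00", "qty": "-1"},  # negative qty
        {"sku": "sku-9999", "price": "1", "qty": "1"},       # unknown product
    ):
        body = urlencode(fields)
        print(body, "->", evaluate(parse_form_body(body)))
```

The hardened handler does not try to "fix" the client's price field or reconcile it with the catalog; it simply never reads it. Any field the server does not need for its own computation is a field an attacker controls for free, and the cleanest defence is to not consume it at all.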
