Full Disclosure mailing list archives
Re: Exploiting an online store
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 16 Sep 2005 11:45:33 +1200
fd () ew nsci us wrote:

> There is no client side security. Period. Who wrote the shopping cart and allowed posting the price to it?? Wow ...

This is so true.

Something that _really_ annoys me, and displays the utter lack of clue of the whole "web development team" behind sites with such pages, are HTML forms that require JavaScript enabled in your browser just to submit the form. The only "justification" for such idiocy is that the client-side script can save (a little) bandwidth (by preventing incomplete and/or bad data from being submitted and some form of error indication being sent back from the server) and reduce server-side overhead by removing the need to sanity-check the received data.

Of course, in the real world, the server still has to sanity-check the data, as filling the web form and submitting it via the script is not the only way that the code on the server that will process the submitted data can be exercised. Failure to understand the latter has been very common among "web developers" who commonly have a mind-set entirely bounded by their perception of their design being used in an ordinary web browser (and often specifically IE, but we needn't go there at the moment...) and ignoring the reality of the situation, which is that it is all just bits represented in electron patterns.

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
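The point both posters make, that a server-side handler receives whatever bytes a client chooses to send and cannot rely on the browser form or its JavaScript having run, is illustrated below. This is an added example, not code from the thread or from the shopping cart being discussed; the catalogue, SKUs, prices and the request body are all constructed for illustration. It decodes a form body the way a server would see it, shows the pattern criticised in the thread (trusting a posted `price` field) beside a handler that takes the price from the server's own catalogue and range-checks the quantity regardless of what the client submitted.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalogue: hypothetical SKUs and prices.
CATALOG = {
    "sku-100": Decimal("49.95"),
    "sku-200": Decimal("12.00"),
}

MAX_QTY = 100  # constructed business limit on items per line


class ValidationError(ValueError):
    """Raised when a submitted order fails server-side checks."""


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued fields.

    This is what the server actually receives; nothing here depends on a browser,
    the HTML form, or any client-side script having been involved.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def naive_total(form: dict) -> Decimal:
    """The pattern criticised in the thread: the posted price is taken as-is."""
    return Decimal(form["price"]) * int(form["qty"])


def checked_total(form: dict) -> Decimal:
    """Server-side check: price comes from the catalogue, never from the request.

    The quantity is parsed and range-checked here even though the page's form
    script may also do so, because the script is not guaranteed to have run.
    """
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValidationError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValidationError("qty is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError("qty out of range")
    # Any client-supplied "price" field is deliberately ignored.
    return CATALOG[sku] * qty


# Constructed request body as a server might receive it; it carries a
# "price" field that the honest form would never have let the user set.
TAMPERED_BODY = "sku=sku-100&qty=2&price=0.01"


if __name__ == "__main__":
    form = parse_form(TAMPERED_BODY)
    print("trusting the client:", naive_total(form))    # 0.02
    print("catalogue price:    ", checked_total(form))  # 99.90
    try:
        checked_total(parse_form("sku=sku-100&qty=-1"))
    except ValidationError as exc:
        print("rejected:", exc)
```

The `parse_form` step is the only contact the handler has with the client, which is why every check lives after it: the form, the script and the browser are conveniences for the honest user, not a boundary the server can lean on.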
Current thread:
- Exploiting an online store Josh perrymon (Sep 14)
- Re: Exploiting an online store Gadi Evron (Sep 14)
- Re: Exploiting an online store Valdis . Kletnieks (Sep 14)
- Re: Exploiting an online store fd (Sep 15)
- Re: Exploiting an online store Nick FitzGerald (Sep 15)
- <Possible follow-ups>
- RE: Exploiting an online store Thomas Quinlan (Sep 14)
- RE: Exploiting an online store Josh Perrymon (Sep 14)
- RE: Exploiting an online store lyal.collins (Sep 14)
- Re: Exploiting an online store Gadi Evron (Sep 14)