Penetration Testing mailing list archives

Re: To validate or not to validate: Client side validation


From: Joe Peters <joepete () joepete com>
Date: Tue, 20 Apr 2010 18:47:42 -0400

Considering JavaScript is easily circumvented or manipulated at the
browser level - not to mention the vast usability issues at stake - I
would note it, but not require it.

Ultimately, for a Web app, all validation must be done on the server end.
Sure, JavaScript validation may be a nice-to-have, but there is no
guarantee as to how it will behave on the end-user's platform.

--
JoePete


On Mon, 2010-04-19 at 14:41 -0600, pand0ra wrote: 
Question: You are doing code review and come across a JavaScript
application that does not do input validation. Would you have the
developer go back and write in input validation? If so, why? If not,
why?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
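
The point made in this thread is that the server has to validate whatever arrives, because browser-side JavaScript checks may never run. The sketch below is an added example, not part of the original messages; the field names, rules and request bodies are constructed for illustration.

```javascript
// Hypothetical form rules, enforced on the server whether or not any
// browser-side JavaScript ran before the request was sent.
const RULES = {
  username: /^[a-z0-9_]{3,20}$/,
  age: /^[0-9]{1,3}$/,
};

// Validate a raw application/x-www-form-urlencoded body exactly as received.
function validateOnServer(rawBody) {
  if (typeof rawBody !== 'string' || rawBody.length > 1024) {
    return { status: 400, errors: ['body missing or too large'], values: null };
  }
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const values = {};
  // Reject fields the form never defined (e.g. an injected "role").
  for (const key of new Set(params.keys())) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push('unexpected field');
    }
  }
  for (const [name, pattern] of Object.entries(RULES)) {
    const sent = params.getAll(name);
    if (sent.length === 0) {
      errors.push(`${name}: missing`);
    } else if (sent.length > 1) {
      // Duplicate parameters are a common way to confuse parsers.
      errors.push(`${name}: sent more than once`);
    } else if (!pattern.test(sent[0])) {
      errors.push(`${name}: invalid format`);
    } else {
      values[name] = sent[0];
    }
  }
  // Range check that a format pattern alone does not express.
  if (values.age !== undefined && Number(values.age) > 130) {
    errors.push('age: out of range');
  }
  return errors.length
    ? { status: 400, errors, values: null }
    : { status: 200, errors, values };
}

// Constructed request bodies: the first is what a browser form with working
// client-side checks would send; the second skipped those checks entirely.
const fromBrowser = 'username=joe_p&age=34';
const checksSkipped = 'username=%3Cscript%3E&age=-1';
console.log(validateOnServer(fromBrowser).status);
console.log(validateOnServer(checksSkipped).errors);
```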



