Penetration Testing mailing list archives
Re: To validate or not to validate: Client side validation
From: Joe Peters <joepete () joepete com>
Date: Tue, 27 Apr 2010 13:43:46 -0400
On Thu, 2010-04-22 at 19:24 -0400, Dotzero wrote:
> Doing client input validation is not irrelevant to security. If I believe that I am implementing it correctly on the client then when I see something that violates that input validation I can reasonably assume that it is hostile and not accidental.
While I like where you are going with this, there is such a wide variety of browsers out there that you cannot assume that the circumvention of javascript is meant as hostile. Quite the contrary, one of the safest things to do with a browser is turn off scripting. Especially when you get into text-based browsers and assistive devices for folks who might be blind etc., disabling scripting is almost requisite to effective use of the Web. Given that there is no javascript standard, and if one were to look at the W3C recommendations, arguably the "hostility" is not the absence of javascript in an application but the presence of it.

However, as I said, I like where you are going with this notion of identifying the hostiles. The sooner you can identify a submission as being an attack, the sooner you can kill it. For example, on the server side, if you see variables being submitted that are not part of the original app - that is certain hostility. Another tool would be putting the entire app under HTTPS to capture more guaranteed data about the client (IP address, referrer, etc.). This can help you identify cases where someone is just trying to fuzz the app before you even get into processing the variable values to see if they are valid.

--
JoePete
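One way to implement the server-side distinction JoePete draws above (a rule violation on a known field may just be a browser with scripting off; a parameter the form never had is a clear hostile signal), as an added example that is not part of the original post. FORM_FIELDS, check_submission and the sample submissions are hypothetical.

```python
# Added example (not from the mailing-list post): server-side validation that
# separates "failed a rule" (possibly innocent, e.g. scripting disabled) from
# "sent a parameter the form does not contain" (cannot come from the real form).
import re
from dataclasses import dataclass, field

# Hypothetical form definition: the fields the server-rendered form contains,
# each with a server-side rule that holds regardless of client-side JavaScript.
FORM_FIELDS = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "age": re.compile(r"^\d{1,3}$"),
}

@dataclass
class Verdict:
    accepted: bool
    hostile: bool                   # True only for signals a plain browser cannot produce
    reasons: list = field(default_factory=list)

def check_submission(params: dict) -> Verdict:
    """Validate a submitted form on the server.

    Unknown parameter names are flagged hostile: a browser posting the real form
    cannot invent fields, so they come from a tool or a hand-built request.
    Rule violations on known fields are rejected but not flagged, because a
    client with scripting disabled would send them in good faith.
    """
    v = Verdict(accepted=True, hostile=False)
    unexpected = sorted(set(params) - set(FORM_FIELDS))
    if unexpected:
        v.accepted = False
        v.hostile = True
        v.reasons.append(f"unexpected parameters: {unexpected}")
    for name, rule in FORM_FIELDS.items():
        value = params.get(name)
        if value is None:
            v.accepted = False
            v.reasons.append(f"missing field: {name}")
        elif not rule.fullmatch(value):
            v.accepted = False
            v.reasons.append(f"invalid value for {name}")
    return v

# Constructed sample submissions
GOOD = {"username": "alice_1", "email": "a@example.org", "age": "34"}
NO_JS = {"username": "al", "email": "a@example.org", "age": "34"}   # rule violation, not hostile
EXTRA = {"username": "alice_1", "email": "a@example.org", "age": "34", "extra_field": "1"}
```

The hostile flag is what you would feed to logging or rate limiting; the accepted flag alone decides whether the request is processed.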