Penetration Testing mailing list archives

Re: To validate or not to validate: Client side validation


From: Joe Peters <joepete () joepete com>
Date: Tue, 27 Apr 2010 13:43:46 -0400

On Thu, 2010-04-22 at 19:24 -0400, Dotzero wrote:
> Doing client input validation is not irrelevant to security. If I
> believe that I am implementing it correctly on the client then when I
> see something that violates that input validation I can reasonably
> assume that it is hostile and not accidental.

While I like where you are going with this, there is such a wide variety
of browsers out there, that you cannot assume that the circumvention of
javascript is meant as hostile. Quite the contrary, one of the safest
things to do with a browser is turn off scripting. Especially when you
get into text-based browsers and assistive devices for folks who might
be blind etc., disabling scripting is almost requisite to effective use
of the Web.

Given that there is no javascript standard, and if one were to look at
the W3C recommendations, arguably the "hostility" is not the absence of
javascript in an application but the presence of it.

However, as I said, I like where you are going with this notion of
identifying the hostiles. The sooner you can identify a submission as
being an attack, the sooner you can kill it. For example, on the server
side, if you see variables being submitted that are not part of the
original app - that is certain hostility. Another tool would be putting
the entire app under HTTPS to capture more guaranteed data about the
client (IP address, referrer, etc.). This can help you identify cases
where someone is just trying to fuzz the app before you even get into
processing the variable values to see if they are valid.

--
JoePete
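
As an added example, not code from the original post or either poster: a server-side check that separates the two cases the reply distinguishes, values that fail validation (which may only mean the browser ran no scripting) and parameters the form never defined (which the reply treats as certain hostility). The field names, rules and sample submissions are constructed.

```python
# Added example (not from the original post). Classifies a form submission
# on the server: extra parameters the form never defined are reported
# separately from expected fields whose values fail the server-side rules.
import re

# Constructed form definition: expected field name -> server-side rule.
FORM_FIELDS = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "age": re.compile(r"^[0-9]{1,3}$"),
}


def classify_submission(fields, submitted):
    """Return (verdict, details) for one submitted parameter dict.

    verdict is one of:
      "unexpected" - parameters present that the form never defined
                     (checked first: this never results from a browser
                     merely skipping client-side JavaScript checks)
      "invalid"    - only expected fields, but some are missing or fail
                     their rule (consistent with scripting disabled)
      "ok"         - every expected field present and valid
    """
    unexpected = sorted(set(submitted) - set(fields))
    if unexpected:
        return "unexpected", {"unexpected": unexpected}
    invalid = sorted(
        name for name, rule in fields.items()
        if not rule.fullmatch(submitted.get(name, ""))
    )
    if invalid:
        return "invalid", {"invalid": invalid}
    return "ok", {}


if __name__ == "__main__":
    # Constructed sample submissions, as a web framework would hand them over.
    samples = [
        {"username": "alice", "email": "alice@example.org", "age": "30"},
        {"username": "a", "email": "alice@example.org", "age": "30"},
        {"username": "alice", "email": "alice@example.org", "age": "30",
         "extra_param": "1"},
    ]
    for s in samples:
        verdict, details = classify_submission(FORM_FIELDS, s)
        print(f"{verdict:<10} {details}")
```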

