Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Script Based Attacks & Form Hacks

from [Sean Utt] Network Security [Permanent Link]
Subject: Re: Script Based Attacks & Form Hacks
Date: Thu, 21 Jul 2005 22:35:07 -0700 
Hello,

It is not unprofessional or insecure to use JavaScript to pre-check form data prior to submission, any more that it is unprofessional or insecure to tell the user what data needs to be entered into each field in the form.
It would be insecure to rely on the JavaScript and to not check the data on the server side as though the JavaScript didn't exist.
It would be inconsiderate to render the form unusable if JavaScript is disabled.
Client side checking of form data is for user convenience (can prevent a round trip to the web server), not security or data integrity.

Slightly to one side of this:
Tell the user what you expect them to enter in as data.
Use client side JavaScript to try to catch errors/omissions before sending the form data, perhaps even do some pre-formatting.
If there are errors/omissions, tell the user again what data is expected.
When the form is submitted, check the data again, and if there are errors/omissions, tell the user once again what data is expected.

Don't trust any data -- always check it, not matter where it came from. Don't assume that the data came from a program you created, so therefore it must be clean. Don't assume that the data came from another module of the program, so therefore it must be clean. It is the "responsibility" of every function, subroutine, module, program, script, etc. to validate the data it uses. Better to be redundant. If your program puts data in a database, immediately retrieves the data from the database and blindly uses that data on the assumption that because you wrote it there just a second ago it must be safe, you are sitting on a time bomb. It might not go off, but why take the chance?

Sean

----- Original Message ----- From: "Paul Kurczaba" <seclists@securinews.com>
To: "Chad Maniccia" <wopazar@gmail.com>
Cc: <webappsec@securityfocus.com>
Sent: Thursday, July 21, 2005 7:06 PM
Subject: Re: Script Based Attacks & Form Hacks


To prevent automatic form submissions I use a custom written implementation of CAPTCHA (http://www.captcha.net/). This prevents robots from automatically setting up accounts. Many web developers do use client side JavaScript for controlling form submission data (ex. making sure all text boxes are filled, verifying email address structure, etc.) This is unprofessional and (could be) insecure. The form verification should be done on the server side.

[snip]


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Application for stress testing webservers., McKinley, Jackson
Next by Date:  Re: Script Based Attacks & Form Hacks, Vicente Aguilera
Previous by Thread:  Re: Script Based Attacks & Form Hacks, Paul Kurczaba
Next by Thread:  Re: Script Based Attacks & Form Hacks, Vicente Aguilera
Indexes:  [Date] [Thread] [Top] [All Lists]