Wednesday 22 July 2009

Issue #7 Client Side Validation

Now, how many people do you know who turn off JavaScript in their browser as a security measure? Not a lot, I would bet. This is because JavaScript is becoming more and more the backbone of the web user experience.

It also forms most of our client-side validation because it works in all browsers. So simply by turning it off, a user can circumvent what most people use as their only line of defense.

Another possibility is that you do check the input in JavaScript, but someone changes the validation function to return a positive result every time, regardless of what was entered. This is usually quite easy to do with modern in-browser developer tools.

So to prevent these types of mistakes, you shouldn't rely on your client-side validation as your only method of validating input before it hits your data repository.

You should always use a central validation source so that, for example, all strings are validated in the same manner, all integers in the same manner, and so on. This way you can manage changes to your code base more effectively, and you will also follow the DRY principle.

There is an example on Daily WTF of this issue being exploited very easily and saving the submitter of the article a couple of dollars in the process.

You should only use whitelists rather than blacklists. Whitelists define what you expect, whereas blacklists define everything you don't expect, which you may or may not know in full. So which is easier to implement when you see it written like that?

You need to make sure that you escape any special characters. Most Irish-based developers are familiar with escaping the apostrophe, because it appears so frequently in Irish surnames. But if other special characters or script can appear in your input, you should be expecting them and code accordingly.
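As an added illustration (not code from the original post), here are the points above as a central server-side whitelist in Node.js: a patched client check changes nothing because the server re-validates every field itself, the surname rule admits the apostrophe in O'Brien without admitting anything else, and the price comes from the server's own catalogue rather than from the request. The handler, field names, rules and catalogue prices are hypothetical.

```javascript
// Central whitelist validators: each rule states what IS allowed; anything else fails.
// Hypothetical catalogue with constructed sample prices (in cents), kept server-side.
const catalogue = { 'SKU-001': 1999, 'SKU-002': 4500 };

const validators = {
  // Quantity: a positive integer from 1 to 99 (hypothetical order limit).
  quantity: (v) => /^[1-9][0-9]?$/.test(String(v)),
  // Surname: letters, apostrophe, hyphen, space; 1 to 40 characters (e.g. O'Brien).
  surname: (v) => typeof v === 'string' && /^[A-Za-z][A-Za-z' -]{0,39}$/.test(v),
  // Product: only SKUs the server knows about are acceptable.
  sku: (v) => typeof v === 'string' && Object.prototype.hasOwnProperty.call(catalogue, v),
};

// Runs every whitelisted rule and returns the names of fields that failed.
function validate(fields) {
  const errors = [];
  for (const [name, check] of Object.entries(validators)) {
    if (!(name in fields) || !check(fields[name])) errors.push(name);
  }
  return errors; // an empty array means every field passed
}

// Server-side handler: re-validates regardless of what the client claims, and
// prices the order from the catalogue rather than from any value in the payload.
function handleOrder(payload) {
  const errors = validate(payload);
  if (errors.length > 0) return { ok: false, errors };
  const totalCents = Number(payload.quantity) * catalogue[payload.sku];
  return { ok: true, totalCents };
}

// Simulated client-side check that has been patched in the browser to always pass.
const clientSideValidate = () => true;

// Constructed request: the patched client let a negative quantity and a client-chosen
// price through; the server ignores both and rejects the quantity.
const tampered = { quantity: '-5', surname: "O'Brien", sku: 'SKU-001', priceCents: '1' };
if (clientSideValidate(tampered)) {
  console.log(JSON.stringify(handleOrder(tampered))); // {"ok":false,"errors":["quantity"]}
}
```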

Try to validate your inputs according to the RFC rules for that input, and finally, when you are using XML, validate it against the schema. The Validation class in the System.Xml namespace is very useful in this regard and should be in your standard toolkit of code snippets when you are dealing with XML.
