
A lot has been written about not relying on client validation only; it's just a convenience for the user and reduces server processing. THIS IS NOT WHAT THIS QUESTION IS ABOUT.

I don't know if this is specific to ASP.NET MVC or all jQuery validation, but this is where my question comes from. When you use the RegularExpressionAttribute with client-side validation enabled, the HTML outputs with something like: data-val-regex-pattern="^[0-9a-zA-Z]{3,12}$" just to throw a basic example.

Isn't this rather insecure, giving away explicitly what your expression is checking for and isn't checking for? It seems like it's much easier to exploit holes in a validation scheme when a user can easily read exactly what it is. And it's the same expression that the server uses, so they can see what the server checks for too.

UPDATE

My example expression isn't very good for describing the problem. It's about more complex data values that have very strict formats, where you unintentionally overlook some loopholes.

  • It depends what the consequences are for exploiting the pattern. If that's the only validation placed on the field and anything passing validation can cause catastrophic side effects then I'd add some extra validation too. Commented Apr 16, 2012 at 8:39

3 Answers


What you are describing is security through obscurity. That is, the idea that something is secure if the attacker doesn't know how to exploit it.

That's not security, and if there is a vulnerability, it's not secure. There is a saying, "Security through obscurity is no security at all".

Does it make it more prone to exploitation? Maybe, but honestly, the solution is to fix your code.

Let's put this another way: the attacker could accidentally stumble across your vulnerability as well. You're still vulnerable, and it's still just as insecure.


6 Comments

Absolutely correct, there is still a vulnerability. But I don't think it makes my question less valid that it is more prone to exploitation. I think there's something to "security through obscurity." There's a human element. Humans are led to things for reasons. I try not to give them. You can say so easily "fix your code" but how do you know if your code needs fixing? If I knew, I'd fix it. It's like they say about unit testing. All your tests pass, but does that mean your code is perfect? No, it means your tests are perfect. And you can't test for things that are beyond your conception.
@quitstalin - More prone to exploitation != less secure, that's the part you seem to have missed. As an example, 15 years ago, buffer overruns were considered too complex to exploit. Fast forward a few years and the knowledge to exploit them became common, thus it was the most common kind of exploit. Nothing changed in the code between that time, only knowledge. The code is just as secure (or insecure) today as it was then. That is, it was always insecure regardless of how easy it was to exploit
I didn't say they were the same thing. I suggested more prone to exploitation is just as important. I'll give you an example. Years ago I was working for a small company. A 'friend' of mine asked me where I worked. I told him, he had never heard of it before. A while later I found that he had gone to our site and tried to mess around with our system. If I had not told him where I worked, would he have targeted that company; a company he never heard of? I would bet not. That's what I mean, there's a human element. When he sat down to his misdeeds, that idea popped into his head for a reason.
An example more to the point: would you rather have a vault of money (with a small hole in the side, unbeknownst to the guards) hidden away inside a bank or out in the open with blueprints showing that hole posted on a public bulletin board?
@quitstalin - but he might have just randomly found your site and decided to mess with it as well. Your argument really makes no sense, since telling him where you worked did not reveal any kind of vulnerability. Whatever, you seem to have made up your mind about something and no amount of discussion can change it, so what was the point of your question? Oh, to be argumentative.

It could be a security hole depending on what you are validating. But most of the time in an N-tier application your front-end models are different from your back-end models. And your back-end will still validate it and throw the appropriate exception.

Some info about unobtrusive validation:

jQuery unobtrusive validation makes use of the data- attribute.

If you don't want unobtrusive validation, you can just disable it in the web.config.

Try going to web.config and finding this:

<appSettings>
   <add key="ClientValidationEnabled" value="true" />
   <add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>

And set UnobtrusiveJavaScriptEnabled to false. There may be more keys with it though.

2 Comments

That was partly my point. I validate at the client level of the website. I validate again at the data service level of the back-end. But if you have a property that uses an expression to validate, it's going to use that expression on the client (which is visible to the user) and it's going to use it again at the back-end. So if they figure out a loophole in your expression (viewing it), it's going to check it twice, but it's going to pass both times. You know what I mean?
Another option would be not to add the regex to the model and validate the specific properties in the controller on HttpPost. And add ModelState errors from the controller.
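As an added illustration of the pattern suggested in the comment above (example code, not code from the question or from any of the answers): the ASP.NET MVC model keeps a format-only RegularExpressionAttribute, which is what gets rendered into the data-val-regex-pattern attribute for the client, while a second, server-only rule is enforced in the [HttpPost] action and reported through ModelState. The RegisterViewModel, AccountController, the action names and the ReservedNames list are all constructed for this example.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Mvc;

// Constructed example model. The attributes below are emitted as data-val-*
// attributes by the HTML helpers when unobtrusive validation is enabled, so the
// client can read the pattern. That is acceptable because the pattern only
// describes the accepted *format* of the value.
public class RegisterViewModel
{
    [Required]
    [RegularExpression("^[0-9a-zA-Z]{3,12}$",
        ErrorMessage = "Use 3 to 12 letters or digits.")]
    public string Username { get; set; }
}

public class AccountController : Controller
{
    // Hypothetical list of names that must not be self-registered. This rule is
    // never rendered into the page; it exists only in the server-side action.
    private static readonly string[] ReservedNames = { "admin", "root", "support" };

    [HttpGet]
    public ActionResult Register()
    {
        return View(new RegisterViewModel());
    }

    // Every POST is validated here regardless of what the browser did.
    // ModelState.IsValid re-runs the DataAnnotations (format) rules on the
    // server; the controller then adds rules that are not on the model.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Register(RegisterViewModel model)
    {
        if (ModelState.IsValid)
        {
            ValidateServerOnlyRules(model, ModelState);
        }

        if (!ModelState.IsValid)
        {
            // Re-render the form; the view shows the ModelState errors,
            // including the server-only ones, next to the field.
            return View(model);
        }

        // ... persist the account here ...
        return RedirectToAction("Index", "Home");
    }

    // Server-only checks, kept off the model so nothing about them reaches the
    // client. They attach errors to the same property key the client-side rule
    // uses, so the view displays them the same way.
    private static void ValidateServerOnlyRules(RegisterViewModel model,
                                                ModelStateDictionary state)
    {
        string name = model.Username ?? string.Empty;

        if (ReservedNames.Contains(name, StringComparer.OrdinalIgnoreCase))
        {
            state.AddModelError("Username", "That name is reserved.");
        }

        // A rule that the single format regex above does not express:
        // reject names made of digits only.
        if (name.Length > 0 && name.All(char.IsDigit))
        {
            state.AddModelError("Username", "Use at least one letter.");
        }
    }
}
```

Because both checks run inside the POST action, a request that skips the browser entirely is held to the same rules; the regex visible in the page only tells a user which formats the form will accept, and any rule you would rather not publish can live in the controller instead of the model.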

A year after asking this question, I would say to my previous self, I think the answer is that the purpose of the validation is to validate the type of data entered, not validating requests. Therefore, this is not an issue to worry about.
