1

It is generally considered bad practice to accept input that is derived from JavaScript because of the principle that you should not trust anything from the client.

But wouldn't this also mean that you can't trust drop box selections, etc. without verifying it on the server? You can easily add your own selection options in Firebug.

So, if I violate this best practice (since I'm not accepting credit card payments or anything as security critical as that), are there any techniques for minimizing risk of problems? For example are there ways to make it more difficult for the end user to modify the JavaScript created values? And while we're at it, is there any way to increase the difficulty of modifying drop boxes, etc.?

4
  • All the data that doesn't come from the server is client data Commented Nov 1, 2011 at 14:07
  • I think that you always have to verify data on server-side no matter how you receive it. So user can send anything he wants to your app, then you block it. Commented Nov 1, 2011 at 14:12
  • An attacker is just going to modify the HTTP request with tamperdata or burp, modifying the form itself is too much of a hassle. Commented Nov 1, 2011 at 18:28
  • Rook, I am not receiving answers to my question, so maybe there isn't one. But what I had in mind was some sort of Javascript plugin that would create a lot of convoluted code and submit some sort of hash so that checking the data would be simpler and I can have something to check that would not be a function of the specifics of the form. Commented Nov 1, 2011 at 19:06

3 Answers

3

The general rule is to simply not trust anything from the client...

That includes ALL form input, derived from javascript or otherwise.

Always validate and sanitize incoming data on the server-side, or you might as well not have any form of validation at all.

Generally client-side validation is normally a convenience feature for the users and has nothing to do with data security.

Remember, Javascript is not required to work with forms... how do you think spam bots work? They surely don't have javascript enabled...

Any solution you come up with to provide any more than a false sense of security will involve server-side validation of the input.

You don't even need a browser to submit a form... Ever played with cURL? You can easily and quickly submit any raw POST data you want directly from the command line.

The question is not whether it's sensitive information like Credit Cards... It's as much about losing data. Are you ok with losing data? If so, why are you collecting it in the first place?

Causing destruction is a primary motivator for hackers above personal gain, if they see an easy target, and can destroy someone's data with one command, they'll probably give it a shot.


15 Comments

@Michael Whoa!?! You deleted an answer because you found an earlier answer to be sufficient? Is this Bizarro world StackOverflow???
I understand your point. However, I would say that client-side validation is weak security, rather than non-security. So, when strong security is called for, you must redundantly make all security on the server side. However, I also believe there are circumstances where weak security is sufficient. If my premise is accepted, then that opens the question, "Are there convenient ways to make weak security a little stronger?"
@Joe well, I don't accept your premise. Client side validation is akin to "locking" your front door with scotch tape and calling it "weak security". No one is saying you have to build fort knox, but the spectrum of weak to strong begins at the server side.
@jondavidjohn It's a pretty common and valuable practice meta.stackexchange.com/questions/15775/… I'm here to help -- I don't need the rep.
@Michael I know and agree, sorry my sarcasm didn't translate, I was being facetious. In my experience it is not common, especially revolving around the javascript tag...
1

You won't be able to stop the client from tampering with your form data.

You could add a hash taken from all the known values you provide and store them in a hidden field, or encrypt the values, kind of like a PayPal button does.

Still both of these methods will require server side validation.

1 Comment

But if the hash could be constructed to always provide answers that adhere to certain validation rules, it would be useful because new validation would not be required in all cases.
0

Forget where the data came from. Your code on the server can have no idea where the data came from, other than it came from the outside world, so you need to assume it's malicious until proven otherwise.

So the "technique for minimizing risk" if you "violate this best practice" is basically: don't violate this best practice: do validate incoming data.

Re your second point about making it harder to modify HTML forms or JS values: remember that the browser is a program running on someone else's computer, and eventually they will be able to make it do anything they want, including sending HTTP requests directly.

The only place you can actually enforce security is on the server.

Edit: I took so long to submit this that someone else answered it more succinctly in the meantime.
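
An added example, not part of any answer above: the server-side checks the answers describe, written for Node.js with only the standard library. It validates a drop-down value against an allow-list and protects server-issued hidden fields with a keyed hash (HMAC); the field names (`item`, `price`, `shipping`, `tag`) and function names are hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: the key exists only on the server. A hash computed by client-side
// JavaScript proves nothing, because the client can recompute it after editing.
const SERVER_KEY = crypto.randomBytes(32);

// Hypothetical drop-down options the server rendered.
const SHIPPING_OPTIONS = new Set(['standard', 'express']);

// HMAC over the server-chosen values, in a fixed order.
function sign(item, price) {
  return crypto.createHmac('sha256', SERVER_KEY)
    .update(JSON.stringify([String(item), String(price)]))
    .digest('hex');
}

// Values the server writes into hidden fields when it renders the form.
function issueForm(item, price) {
  return { item, price, tag: sign(item, price) };
}

// Constant-time comparison; malformed or missing tags fail the length check.
function tagIsValid(item, price, tag) {
  const expected = Buffer.from(sign(item, price), 'hex');
  const given = Buffer.from(String(tag), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Runs on every request, whatever produced it (browser, cURL, proxy).
function handleSubmission(body) {
  if (typeof body.shipping !== 'string' || !SHIPPING_OPTIONS.has(body.shipping)) {
    return { ok: false, reason: 'shipping not in allow-list' };
  }
  if (!tagIsValid(body.item, body.price, body.tag)) {
    return { ok: false, reason: 'signed fields modified' };
  }
  return { ok: true };
}

// Constructed sample requests.
const form = issueForm('sku-1', '19.99');
console.log(handleSubmission({ ...form, shipping: 'standard' }));                // accepted
console.log(handleSubmission({ ...form, shipping: 'teleport' }));                // rejected
console.log(handleSubmission({ ...form, price: '0.01', shipping: 'standard' })); // rejected
```

The tag only shows that `item` and `price` are values the server issued together; every check still runs on the server, and user-chosen fields such as `shipping` still need their own validation.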
