
Client-side Validation

  1. Client-side Validation
    1. Description
    2. Impact
    3. Prevention
    4. Testing

Description

Input validation, that is, checking that user-supplied data is well-formed and safe to process, serves two distinct purposes in a web application. Performed on the client side it gives the user immediate feedback and a smoother experience; performed on the server side it is what actually protects the application.

Unfortunately, developers who cut corners, or who are unaware of the distinction, may perform security-relevant checks only on the client side and omit them on the server. This places complete trust in code running in the user's browser, and the browser is under the user's control: anyone can disable JavaScript, edit the page and its scripts in the developer tools, or replay the HTTP request through an intercepting proxy with arbitrary values. If users can alter the data and control flow of client-side pages and scripts as they like, 'as they like' can mean 'maliciously'.

Impact

A lack of adequate server-side checks affects the security of a web application in a variety of ways. Examples range from cosmetic client-side alterations that yield free articles to far more severe authentication bypasses, which have resulted in losses of hundreds of millions of dollars ($170 million in one reported case).

Prevention

Generally speaking, authoritative validation checks must be enforced on the server side for all input, including values the client could only ever have produced by running the application's own JavaScript. Client-side checks have no security value; anything the browser sends must be treated as attacker-controlled.

JavaScript can still run the same checks in the browser, but solely to notify the user during a preliminary phase without a round trip to the server, e.g., form validation. Such checks duplicate the server-side validation rather than replace it, and the server must behave correctly whether or not they ran.
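As an added example, not code from the original page, the following Node.js snippet shows the pattern described above: one rule set used in the browser for feedback and on the server as the authoritative check, placed next to a handler that trusts the browser. The form fields, SKUs, prices and handler names are assumed for illustration.

```javascript
// Added example, not part of the original page. Run with: node clientside_validation.js
// Scenario (constructed): an order form with a SKU, a quantity and an optional coupon.

// Server-side catalogue (assumed): prices in cents come from here, never from the request.
const CATALOGUE = { 'sku-1001': 1299, 'sku-1002': 499 };

// One rule set shared by both sides. In the browser it gives instant feedback;
// on the server it is the only check that counts.
function validateOrder(order) {
  const errors = [];
  // hasOwnProperty guards against keys such as "__proto__" or "constructor"
  // that would otherwise resolve on the object's prototype chain.
  if (!Object.prototype.hasOwnProperty.call(CATALOGUE, order.sku)) {
    errors.push('unknown sku');
  }
  if (!Number.isInteger(order.quantity) || order.quantity < 1 || order.quantity > 10) {
    errors.push('quantity must be an integer from 1 to 10');
  }
  if (order.coupon !== undefined && !/^[A-Z0-9]{6}$/.test(order.coupon)) {
    errors.push('coupon must be 6 alphanumeric characters');
  }
  return errors;
}

// What the page's JavaScript runs before submitting: same rules, purely for usability.
// `form` stands in for the DOM form values (strings); `send` is the request function.
function clientSubmit(form, send) {
  const order = {
    sku: form.sku,
    quantity: Number(form.quantity),
    coupon: form.coupon || undefined,
    price: CATALOGUE[form.sku], // a client-computed price; the server must ignore it
  };
  const errors = validateOrder(order);
  if (errors.length) return { sent: false, errors }; // shown to the user, never reaches the server
  return { sent: true, response: send(order) };
}

// Vulnerable server handler: assumes the browser already validated and priced the order.
// Anyone replaying the POST with curl or a proxy can set quantity and price freely.
function vulnerableHandler(body) {
  const total = body.price * body.quantity;
  return { status: 200, total };
}

// Hardened server handler: re-validates every field and derives the price server-side.
function hardenedHandler(body) {
  const errors = validateOrder(body);
  if (errors.length) return { status: 400, errors };
  const total = CATALOGUE[body.sku] * body.quantity;
  return { status: 200, total };
}

// A request body crafted to bypass the browser: negative quantity, attacker-chosen price.
const TAMPERED_BODY = { sku: 'sku-1001', quantity: -3, price: 1 };

function demo() {
  return {
    // The client-side check stops an honest user from submitting -3 ...
    viaBrowser: clientSubmit({ sku: 'sku-1001', quantity: '-3' }, hardenedHandler),
    // ... but a direct request never runs that check.
    vulnerableDirect: vulnerableHandler(TAMPERED_BODY), // total -3: a credit to the attacker
    hardenedDirect: hardenedHandler(TAMPERED_BODY),     // status 400
    legitimate: hardenedHandler({ sku: 'sku-1001', quantity: 2 }), // total 2598
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `TAMPERED_BODY` is that it is never produced by `clientSubmit`; it is what arrives when the request is replayed outside the browser. Only `hardenedHandler` notices, because it runs `validateOrder` itself and looks the price up rather than reading it from the body.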

Testing

Verify that input validation is enforced on a trusted service layer, i.e., on the server, not only in the browser. In practice: submit the form normally, capture the request with an intercepting proxy or reproduce it with curl, then resend it with values the client-side checks refuse (out-of-range numbers, malformed identifiers, missing fields, extra fields such as a price the client computed) and confirm that the server rejects the request rather than processing it. Disabling JavaScript and submitting the raw form is a quick first check that needs no tooling.