[Security Testing] Client Side Validation Is Not Substitute For Server Side Validation

JavaScript validation is used by many developers for client-side validation of data fields and other checks. Does this mean there is no need for data validation on the server side? The answer is NO. Client-side validation is there to speed things up by reducing the number of requests made to the server. Think of a simple banking application where I can transfer money from one account to another. The application checks on the client side that the amount to be transferred is non-negative and greater than zero, and on the server side there is just one check: whether the amount to be transferred is less than the current balance. So the server-side code looks like this:

    // the only server-side check: is there enough balance?
    if (amount_to_transfer > current_balance) {
        return ERROR_CODE;
    } else {
        My_Account.balance = My_Account.balance - amount_to_transfer;
        Other_Account.balance = Other_Account.balance + amount_to_transfer;
    }

So if the user enters a negative amount to transfer to his friend's (or maybe his enemy's :)) account, the client-side validation fails and gives an error. But think of the case where the user disables the client-side validation, say by commenting out the JavaScript code. Now the user enters the amount as -1000, which goes straight to the server, and as you can see from the code you will be richer by $1000 and your friend (or enemy) poorer by the same amount. I have seen one shopping site with this kind of problem: there is no server-side validation on the number of items, so if the user gives -5 items, assuming each item costs $100, the total amount payable is -$500. So client-side validation is just for increasing speed and is not a substitute for server-side validation.
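To make the point concrete, here is an added example (written for this post, not code from the original site or from any real banking application) in Node.js. It implements the transfer twice: once with only the balance check from the post, and once with the server re-validating the amount exactly as the client-side JavaScript was supposed to. The account names, starting balances of $500, and the request values are constructed sample data, and the same validation helper is reused for the shopping-cart quantity case mentioned above.

```javascript
// Added example (not from the original post). Account balances are in whole
// dollars, as in the post; all values below are constructed sample data.

const ERROR_CODE = "ERROR";
const OK_CODE = "OK";

// Constructed sample accounts: both start with $500.
function makeAccounts() {
  return {
    My_Account: { balance: 500 },
    Other_Account: { balance: 500 },
  };
}

// The post's server-side logic: the only check is "enough balance".
// A negative amount passes that check and moves money the wrong way.
function transferVulnerable(accounts, amount_to_transfer) {
  const from = accounts.My_Account;
  const to = accounts.Other_Account;
  if (amount_to_transfer > from.balance) {
    return ERROR_CODE;
  }
  from.balance = from.balance - amount_to_transfer;
  to.balance = to.balance + amount_to_transfer;
  return OK_CODE;
}

// Server-side re-validation of a user-supplied amount or quantity.
// Request bodies arrive as strings or arbitrary JSON, so type, numeric
// range and integrality are all checked here; returns null on anything
// that is not a positive whole number.
function validateAmount(raw) {
  if (typeof raw !== "number" && typeof raw !== "string") return null; // booleans, null, objects
  const amount = typeof raw === "number" ? raw : Number(raw);
  if (!Number.isFinite(amount)) return null;  // "abc", NaN, Infinity, ""
  if (!Number.isInteger(amount)) return null; // whole-dollar / whole-item only
  if (amount <= 0) return null;               // the rule the client was enforcing
  return amount;
}

// Hardened transfer: validate first, then apply the balance check.
function transferHardened(accounts, rawAmount) {
  const amount_to_transfer = validateAmount(rawAmount);
  if (amount_to_transfer === null) {
    return ERROR_CODE;
  }
  const from = accounts.My_Account;
  const to = accounts.Other_Account;
  if (amount_to_transfer > from.balance) {
    return ERROR_CODE;
  }
  from.balance -= amount_to_transfer;
  to.balance += amount_to_transfer;
  return OK_CODE;
}

// The shopping-site case: quantity must be validated the same way,
// otherwise -5 items at $100 each yields a payable total of -$500.
function orderTotalVulnerable(quantity, unitPrice) {
  return quantity * unitPrice;
}

function orderTotal(rawQuantity, unitPrice) {
  const quantity = validateAmount(rawQuantity);
  return quantity === null ? null : quantity * unitPrice;
}

// Replay the post's scenario: a request carrying -1000 after the
// client-side check has been commented out.
function demo() {
  const vulnerable = makeAccounts();
  const vulnResult = transferVulnerable(vulnerable, -1000);
  const hardened = makeAccounts();
  const hardResult = transferHardened(hardened, -1000);
  return {
    vulnerable: { result: vulnResult, my: vulnerable.My_Account.balance, other: vulnerable.Other_Account.balance },
    hardened: { result: hardResult, my: hardened.My_Account.balance, other: hardened.Other_Account.balance },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `node` on the file prints the two outcomes side by side: the vulnerable handler reports success and leaves the sender at $1500 and the recipient at -$500, while the hardened handler rejects the request and both balances stay untouched. The design point is that `validateAmount` does not trust the request's type either; a JSON body can carry a boolean or a string just as easily as a number, so the server coerces deliberately and rejects anything that is not a positive whole number before any balance arithmetic runs.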
