Client side security

Posted by Jonas Elfström Mon, 30 Apr 2007 10:54:00 GMT

Recently a friend of mine got problems while trying to book a hotel room online. The JavaScript-driven calendar was IE-only and he is on Mac OS X. My friend then checked the source and saw that the JavaScript actually just set a value to an hidden input field. He fired up Firebug and edited the field manually and then submitted the form. When he got the confirmation of the booking he saw that he accidently had typed 2006 instead of 2007. The only protection against booking at dates in the past, already fully booked or in the year 2100 were the JavaScript that ran the calendar.

When building a web application you can never ever trust that any of the data from the client will be untampered with.

Some problems I've seen in the past:

  • Relying on JavaScript-validation. JavaScript can be turned off or ran through a debugger.

  • Having sensitive data in hidden input fields.

  • Storing sensitive data in cookies.

    • This is not a very common problem since almost all web application frameworks handles this for you by only storing a session id in the cookie and the actual data on the server.

Posted in Security | no comments | no trackbacks

Comments

Trackbacks

Use the following link to trackback from your own site:
http://alicebobandmallory.com/articles/trackback/30

Comments are closed