NEVER, NEVER trust the client

Source: Internet | Category: asp.net web page data capture | Editor: 程序博客网 | Time: 2024/05/22 05:22
2008-7-1 20:30:36 By Alex

When writing web applications, you should never trust the client, especially when checking field length or email validity. Say, for example, you have a user registration page that uses JavaScript to check that the user name is not empty, that the email is well formed, and that the password has been confirmed. So you'll have something like this in your JS code:

    if (username.length == 0) {
        // pop up a warning and go back
    }
    if (!IsValidEmailAddress(email)) {
        // pop up a warning and go back
    }

And you try to limit the length of the user name to 16 using the text field's property: MAXLENGTH=16.

These constraints seem to work fine with a well-behaved user. But several simple steps using nothing more than a text editor are enough to bypass all of them. Let's go crack this.
  • Suppose the domain that we are cracking is www.somedude.com.
  • The sign-up page is at http://www.somedude.com/signup.asp.
  • We browse to it and save the page using our browser.
  • We reopen the saved page in Notepad and delete all the JavaScript and the MAXLENGTH=16 property of the text box.
  • We make sure that the form's action points to the right URL. If not, we change it. For our example, let's suppose that the form is processed by the same page.
  • We reopen the saved local file in the browser, input a user name of any length and an email of any form, and click submit.
  • IF there's no validation on the server side to recheck the data that the client is posting, you'll get through.
Isn't it easy? This can be finished in several minutes using the simplest text editor. If any dude happens to have an order-amount drop-down that does not recheck the data on the server, it's gonna cause huge trouble. Think about getting all "-100" orders. So NEVER trust your client!!!
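As an added example (not code from the original post, which targeted a classic ASP page), here is what the server-side recheck looks like when written as plain JavaScript, validating the raw POST body against the same rules the client-side script enforced. The field names, the 16-character limit and the allowed order quantities 1..10 are assumptions chosen to match the post's scenario.

```javascript
// Added example: server-side re-validation of the fields the client-side
// JavaScript checked. Field names and limits are assumptions for illustration.
const USERNAME_MAX = 16;
// Values actually offered by the (assumed) order-quantity drop-down.
const ALLOWED_QUANTITIES = new Set(["1", "2", "3", "4", "5", "6", "7", "8", "9", "10"]);
// Simple structural check, not a full RFC 5322 parser.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate a sign-up form exactly as the server receives it: every field is
// untrusted text, whatever the client claims to have checked already.
function validateSignup(fields) {
  const errors = [];
  const username = String(fields.username ?? "").trim();
  const email = String(fields.email ?? "").trim();
  const password = String(fields.password ?? "");
  const confirm = String(fields.confirm ?? "");
  if (username.length === 0) errors.push("username is required");
  if (username.length > USERNAME_MAX) errors.push(`username exceeds ${USERNAME_MAX} characters`);
  if (!EMAIL_RE.test(email)) errors.push("email is not valid");
  if (password.length === 0) errors.push("password is required");
  if (password !== confirm) errors.push("passwords do not match");
  return { ok: errors.length === 0, errors };
}

// A drop-down only restricts what a well-behaved browser sends; the server
// must still check the posted value against the list it actually offers.
// Returns the quantity as a number, or null when the value is not allowed.
function validateOrderQuantity(rawValue) {
  const value = String(rawValue ?? "").trim();
  return ALLOWED_QUANTITIES.has(value) ? Number(value) : null;
}

// Parse a raw application/x-www-form-urlencoded POST body into a plain object.
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Constructed sample: a POST body edited so that the client-side checks never ran.
const TAMPERED_BODY =
  "username=" + encodeURIComponent("a".repeat(40)) +
  "&email=not-an-email&password=secret&confirm=different&quantity=-100";

const signup = validateSignup(parseFormBody(TAMPERED_BODY));
console.log(signup.ok, signup.errors); // false, three errors
console.log(validateOrderQuantity(parseFormBody(TAMPERED_BODY).quantity)); // null
```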