Message-ID: <Pine.GSO.4.58.0502111247410.388@openanswers.co.uk>
Date: Fri, 11 Feb 2005 12:56:26 +0000 (GMT)
From: Jim Halfpenny <jim@...nanswers.co.uk>
To: hictor ertd <hict0r@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: HACKING WITH JAVASCRIPT


On Wed, 9 Feb 2005, hictor ertd wrote:

> 1. Bypassing Required Fields
>
> 	Surely you have met a webpage that requires you to fill all fields in a
> form in order to submit it. It is possible to bypass these types of...<--SNIP-->

Why subvert the form at all? If an HTML form contains JavaScript to check
the fields entered, it is trivial to craft your own form or HTTP request
to send arbitrary data to the server. Trying to get around JavaScript
checks to accomplish this just serves to make the task more difficult.

JavaScript really ought only to be used in this fashion to sanity check
form content and not as a security device. This paper does raise the
issue of the fundamental flaw in the trust some people put into
client-side validation.

Jim Halfpenny
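The point of the reply above is that the check that matters has to run on the server, because a client can submit any body it likes. The following is an added example, not code from the original thread or from either poster: a server-side required-field check that decides solely on the parsed request body and never assumes the browser ran the form's own JavaScript. The field names, the sample submissions and the handler shape are constructed for illustration; the body is assumed to arrive already parsed into a plain object (as a form-body or JSON parser would do).

```javascript
// Added example, not from the original thread. Server-side enforcement of
// required fields: this is what makes the client-side JavaScript check a
// usability aid rather than a security control.
// Field names below are constructed for illustration.
const REQUIRED_FIELDS = ['username', 'email', 'password'];

// Returns a list of validation errors; an empty list means the submission
// is acceptable. Decides purely on the body the server actually received.
function validateRegistration(body) {
  if (body === null || typeof body !== 'object') {
    return ['request body must be a form-encoded or JSON object'];
  }
  const errors = [];
  for (const field of REQUIRED_FIELDS) {
    const value = body[field];
    // Absent, non-string and whitespace-only values are all "missing":
    // a hand-built request can omit the field entirely, send an empty
    // string, or send something that is not a string at all.
    if (typeof value !== 'string' || value.trim() === '') {
      errors.push(`${field} is required`);
    }
  }
  // Only check the format once every required field is present.
  if (errors.length === 0 && !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(body.email)) {
    errors.push('email is not well-formed');
  }
  return errors;
}

// Minimal handler shape (assumed, not tied to any framework): reject with
// 400 on any validation error, otherwise proceed. The browser-side check
// plays no part in this decision.
function handleRegistration(body) {
  const errors = validateRegistration(body);
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }
  return { status: 201, body: { ok: true, username: body.username } };
}

// Constructed sample submissions: one as a browser would send after the
// form's JavaScript ran, one built by hand with the required fields skipped.
const fromBrowser = {
  username: 'alice',
  email: 'alice@example.com',
  password: 'correct horse',
};
const handCrafted = { username: '   ' }; // email and password omitted entirely

if (typeof require !== 'undefined' && require.main === module) {
  console.log('browser submission:', handleRegistration(fromBrowser));
  console.log('hand-built request:', handleRegistration(handCrafted));
}
```

Run it with `node` to see the browser submission accepted and the hand-built one rejected with one error per missing field. The client-side script can still run the same rules for a friendlier user experience, but the server's answer does not depend on it.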

