Date: Fri Sep 16 00:45:47 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Exploiting an online store

fd@...nsci.us wrote:

> There is no client side security.  Period.  Who wrote the shopping cart 
> and allowed posting the price to it??  Wow ...

This is so true.

Something that _really_ annoys me, and displays the utter lack of clue 
of the whole "web development team" behind sites with such pages, are 
HTML forms that require JavaScript enabled in your browser just to 
submit the form.  The only "justification" for such idiocy is that the 
client-side script can save (a little) bandwidth (by preventing 
incomplete and/or bad data from being submitted and some form of error 
indication being sent back from the server) and reduce server-side 
overhead by removing the need to sanity-check the received data.  Of 
course, in the real world, the server still has to sanity-check the 
data as filling the web form and submitting it via the script is not 
the only way that the code on the server that will process the 
submitted data can be exercised.  Failure to understand the latter has 
been very common among "web developers" who commonly have a mind-set 
entirely bounded by their perception of their design being used in an 
ordinary web browser (and often specifically IE, but we needn't go 
there at the moment...) and ignoring the reality of the situation which 
is that it is all just bits represented in electron patterns.


Regards,

Nick FitzGerald
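
The point made in the post above, as an added illustration that is not part of the original message or of any real shopping-cart product: a minimal checkout handler in the shape the thread criticizes (the posted "price" field is believed) beside a hardened one that ignores that field, takes the price from a server-side catalog and repeats every check the client-side script might have done. All names here (`CATALOG`, `process_order`, the SKUs and prices) are constructed for the example.

```python
"""Added example, not code from the original post.

Two versions of a cart checkout handler operating on a submitted form,
modelled as a plain dict of string fields as a web framework would hand them
over. The first believes the client-supplied price; the second treats the
request as untrusted bits and re-derives and re-validates everything server
side. CATALOG, SKU names and prices are constructed sample data.
"""

# Server-side catalog: the only authoritative source of prices (constructed).
CATALOG = {
    "SKU-100": 1999,  # prices in cents
    "SKU-200": 4950,
}

MAX_QTY = 99


class OrderError(ValueError):
    """Raised when a submitted form fails server-side validation."""


def process_order_trusting_client(form: dict) -> int:
    """The flawed pattern from the thread: the total is computed from the
    'price' field that arrived with the POST, so the charge is whatever the
    sender chose to put there. Kept only to contrast with process_order()."""
    qty = int(form["qty"])
    price = int(form["price"])
    return qty * price


def process_order(form: dict) -> int:
    """Hardened handler: the server cannot know whether a request came from
    its own form and script or from anything else that speaks HTTP, so every
    field is validated here and the price is looked up, never read from the
    request. Returns the order total in cents or raises OrderError."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise OrderError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise OrderError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise OrderError("quantity out of range")
    # Any 'price' field present in the form is deliberately ignored.
    return qty * CATALOG[sku]


if __name__ == "__main__":
    # A well-formed submission, with a 'price' field that must have no effect.
    form = {"sku": "SKU-100", "qty": "2", "price": "1"}
    print("trusting client:", process_order_trusting_client(form))
    print("server-side price:", process_order(form))
```

The difference between the two functions is the whole of the argument: the client-side script that "saves bandwidth" by rejecting bad input is a convenience for legitimate users, not a control, and the server-side handler must behave correctly for any request body at all.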
