Re: [Full-disclosure] Exploiting an online store

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu Sep 15 2005 - 18:45:33 CDT


fdew.nsci.us wrote:

> There is no client side security. Period. Who wrote the shopping cart
> and allowed posting the price to it?? Wow ...

This is so true.

Something that _really_ annoys me, and displays the utter lack of clue
of the whole "web development team" behind sites with such pages, is
HTML forms that require JavaScript enabled in your browser just to
submit the form. The only "justification" for such idiocy is that the
client-side script can save (a little) bandwidth (by preventing
incomplete and/or bad data from being submitted and some form of error
indication being sent back from the server) and reduce server-side
overhead by removing the need to sanity-check the received data. Of
course, in the real world, the server still has to sanity-check the
data as filling the web form and submitting it via the script is not
the only way that the code on the server that will process the
submitted data can be exercised. Failure to understand the latter has
been very common among "web developers" who commonly have a mind-set
entirely bounded by their perception of their design being used in an
ordinary web browser (and often specifically IE, but we needn't go
there at the moment...) and ignoring the reality of the situation which
is that it is all just bits represented in electron patterns.

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
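The point both posters make, that the request body can be built without ever running the site's JavaScript and that a server which trusts a posted price is broken, is shown below as an added example. It is not code from the thread or from the store under discussion; the catalog, SKUs, prices and request bodies are all constructed for the illustration.

```python
# Added example (not from the original post): a shopping-cart checkout
# handler that trusts the client-posted price, beside a hardened version
# that treats every field of the request body as untrusted input.
# Catalog, product IDs, prices and request bodies are constructed.
from decimal import Decimal
from urllib.parse import parse_qs

# Server-side source of truth: prices live here, never in the form.
CATALOG = {
    "sku-1001": Decimal("49.99"),
    "sku-1002": Decimal("129.00"),
}
MAX_QTY = 20


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> Decimal:
    """Trusts the posted 'price' field. Client-side JS may have checked it,
    but nothing forces the client to run that JS before posting."""
    form = parse_form(body)
    return Decimal(form["price"]) * int(form["qty"])


def checkout_hardened(body: str) -> Decimal:
    """Ignores any client-supplied price; re-derives the total from the
    catalog and rejects anything the real form could never have produced."""
    form = parse_form(body)
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    # A posted 'price' is simply ignored; the server's price wins.
    return CATALOG[sku] * qty


# Constructed request bodies. The first is what the browser form sends;
# the second is what an attacker sends with curl, with JS never involved.
HONEST_POST = "sku=sku-1002&qty=1&price=129.00"
TAMPERED_POST = "sku=sku-1002&qty=1&price=0.01"


if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED_POST))  # 0.01
    print("hardened, tampered:  ", checkout_hardened(TAMPERED_POST))    # 129.00
```

Whatever the form's script filters out, the hardened handler re-checks: the SKU must exist, the quantity must parse and fall in range, and the price is looked up rather than read. The client-side check is then what it should be, a convenience for honest users, not a security control.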