RE: To validate or not to validate: Client side validation

From: Paul Melson (pmelsongmail.com)
Date: Tue Apr 20 2010 - 15:14:19 CDT


> Question: You are doing code review and come across a javascript
> application that does not do input validation. Would you have the
> developer go back and write in input validation? If so, why? If not,
> why?

Where does the app run? If it's client-side, and there are no user-interface
gains, I would leave it alone and settle for validating that any server-side
component of the app is handling input validation. The reason being the
obvious - that client-side input validation is trivially circumvented, so
it's not worth my time or the developer's.

PaulM
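
The server-side check the reply settles for, sketched as an added example that is not part of the original message or anyone's production code: the handler validates the raw request body as it arrived, so the outcome is the same whether or not any browser-side check ran. The field names, limits, and sample bodies are assumptions made up for illustration.

```javascript
// Added example: authoritative validation on the server side.
// RULES (fields and limits) are hypothetical, chosen for illustration.
const RULES = {
  username: (v) => typeof v === "string" && /^[a-z0-9_]{3,20}$/.test(v),
  age: (v) => Number.isInteger(v) && v >= 13 && v <= 120,
  email: (v) => typeof v === "string" && v.length <= 254 &&
    /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Validate a raw request body exactly as received, trusting nothing
// the client may or may not have checked beforehand.
function validateBody(rawBody) {
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, errors: ["body is not valid JSON"] };
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  // Reject fields the form never offered instead of silently ignoring them.
  for (const key of Object.keys(data)) {
    if (!has(RULES, key)) errors.push(`unexpected field: ${key}`);
  }
  // Check presence, type and format of every expected field.
  for (const field of Object.keys(RULES)) {
    if (!has(data, field)) errors.push(`missing field: ${field}`);
    else if (!RULES[field](data[field])) errors.push(`invalid field: ${field}`);
  }
  if (errors.length > 0) return { ok: false, errors };
  // Hand only allow-listed fields to the rest of the application.
  const value = {};
  for (const field of Object.keys(RULES)) value[field] = data[field];
  return { ok: true, value };
}

// Constructed sample bodies: one as the form would send it, one that
// never passed through any client-side check.
const SAMPLES = {
  fromForm: '{"username":"paul_m","age":34,"email":"p@example.com"}',
  skippedClient:
    '{"username":"<b>x</b>","age":"34","email":"p@example.com","role":"admin"}',
};
```

In review, this is the code path to look for: if every request handler runs a check like `validateBody` before using the data, the absence of validation in the client-side JavaScript changes usability, not security.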
