the input received by the server.
■ Controls implemented in thick-client components are sometimes more
  difficult to circumvent, but this may merely slow down an attacker for a
  short period.
■ Using heavily obfuscated or packed client-side code provides additional
  obstacles; however, a determined attacker will always be able to
  overcome these. (A point of comparison in other areas is the use of
  DRM technologies to prevent users from copying digital media files.
  Many companies have invested very heavily in these client-side controls,
  and each new solution is usually broken within a short interval.)
The only secure way to validate client-generated data is on the server side of
the application. Every item of data received from the client should be regarded
as tainted and potentially malicious.
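
The principle above, shown as an added example that is not part of the original text: a server-side routine re-validates an order form on the assumption that any client-side control (a hidden price field, a length-limited quantity box, script checks) has been bypassed. The catalog, field names and limits are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: the server's own catalog is the only
# authoritative source for prices and per-order limits.
CATALOG = {
    "sku-1001": {"price": Decimal("449.00"), "max_qty": 5},
    "sku-1002": {"price": Decimal("19.99"), "max_qty": 50},
}


class ValidationError(ValueError):
    """Raised when a submitted field fails server-side validation."""


def validate_order(form: dict) -> dict:
    """Validate a submitted order form, treating every field as tainted."""
    sku = form.get("sku")
    if not isinstance(sku, str) or sku not in CATALOG:
        raise ValidationError("unknown product")
    item = CATALOG[sku]

    raw_qty = form.get("quantity")
    # Repeat on the server every check the client was supposed to enforce:
    # type, length, character set, then range.
    if not isinstance(raw_qty, str) or not 1 <= len(raw_qty) <= 4:
        raise ValidationError("quantity has invalid length")
    if not (raw_qty.isascii() and raw_qty.isdigit()):
        raise ValidationError("quantity must contain digits only")
    qty = int(raw_qty)
    if not 1 <= qty <= item["max_qty"]:
        raise ValidationError("quantity out of range")

    # A client-supplied "price" field is never read: the unit price
    # comes from the server-side catalog, so tampering has no effect.
    return {
        "sku": sku,
        "quantity": qty,
        "unit_price": item["price"],
        "total": item["price"] * qty,
    }


if __name__ == "__main__":
    # Constructed request in which the hidden price field was modified.
    tampered = {"sku": "sku-1001", "quantity": "2", "price": "1.00"}
    print(validate_order(tampered))
```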