Re: Is Javascript Secure?



"dredge" <kcox@xxxxxxxxxx> writes:

> Hi Everyone,
>
> I have been asked to build a PHP application that calculates important
> financial information based on some user-inputted numbers and that will
> not allow the user to continue forward unless a certain percentage
> range has been met. To validate the numbers, I am considering using
> Javascript as opposed to having the PHP code validate the numbers
> because Javascript is faster (it is almost instantaneous because the
> validation code is running on the client side and does not have to wait
> for a refresh, as would be required for the server-side PHP
> validation).

That would be a huge (albeit common) mistake.

> My question is: is Javascript secure? My concern here is that because
> the Javascript validation would run on the client's computer, they
> could potentially hack it to allow unacceptable financial numbers to be
> submitted. Am I just being too paranoid here?

No, you are paranoid with good cause!

By using a software web proxy (such as Paros or SPIKE) or Firefox
plugins like Tamper Data, it is trivially simple to modify form fields
as they are submitted to the server, bypassing all JavaScript client-side
validation.

Nothing will get you around the inconvenient necessity of having to
scrub all form field data on the server side and treat it as
malicious. Before you develop this application, I strongly recommend
you read the OWASP guide to open web application security:
http://www.owasp.org/index.php/OWASP_Guide_Project

Specific to the issue you're discussing is data validation, which
is #1 on OWASP's top ten security threats to web apps:
http://www.owasp.org/index.php/Unvalidated_Input


Quoting that, "A surprising number of web applications use only
client-side mechanisms to validate input. Client side validation
mechanisms are easily bypassed, leaving the web application without
any protection against malicious parameters."


Best Regards,
--
Todd H.
http://www.toddh.net/
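Server-side scrubbing of the kind the reply calls for, as an added PHP example that is not part of the original thread. The field names (income, expense), the margin rule and the 25% threshold are assumptions made for illustration; the JavaScript check stays in the browser for convenience, but this is the check that decides.

```php
<?php
declare(strict_types=1);
// Parse one form field as a plain decimal number, or return null.
// Everything in $_POST is an untrusted string: it may be missing, an array,
// "abc", "1e309", or whatever a proxy user typed in after the JS check ran.
function parse_number($raw): ?float
{
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    // Strict syntax only: no hex, no exponent, no thousands separators.
    if (!preg_match('/^-?\d+(\.\d+)?$/', $raw)) {
        return null;
    }
    $n = (float) $raw;
    return is_finite($n) ? $n : null;
}

// Business rule (assumed for this example): the margin (income - expense) / income
// must be at least $min_pct. The percentage is recomputed here; any "percent"
// field the browser sends is ignored, since the client may have altered it.
function validate_financials(array $post, float $min_pct = 25.0): array
{
    $errors  = [];
    $income  = parse_number($post['income'] ?? null);
    $expense = parse_number($post['expense'] ?? null);

    if ($income === null || $income <= 0) {
        $errors[] = 'income must be a positive number';
    }
    if ($expense === null || $expense < 0) {
        $errors[] = 'expense must be a non-negative number';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    $pct = ($income - $expense) / $income * 100.0;
    if ($pct < $min_pct) {
        $errors[] = sprintf('margin %.1f%% is below the required %.1f%%', $pct, $min_pct);
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'margin_pct' => $pct];
}

// Constructed submissions standing in for $_POST.
var_dump(validate_financials(['income' => '1000', 'expense' => '600']));                   // ok, margin 40%
var_dump(validate_financials(['income' => '1000', 'expense' => '900', 'percent' => '99'])); // rejected: margin 10%
var_dump(validate_financials(['income' => ['x'], 'expense' => '1e5']));                     // rejected: bad input
```

The second submission shows why the server must recompute the percentage rather than read it from a form field: a tampered "percent" value has no effect on the outcome.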