Security Tip: Client side security cannot be enforced

The use of JavaScript is becoming increasingly popular with the availability of incredible JavaScript libraries. These libraries make creating Ajaxified web application easy, and fun! We can use them to create interactive and beautiful applications that rarely, if ever, require the page to refresh.

A lot of the JavaScript libraries also have helpful tools and plugins to implement form validation. These tools are great, and I don't want to discourage their use, but I do want to point out that these tools ARE NOT for security and should not be used to prevent malicious data from getting to your application.

There are several ways to bypass client-side validation of any kind and the methods are all quite easy.

First, by "validation" I am referring to the actions that you take to ensure that the data that is being sent to the application conforms with what you are expecting. If you want to make sure that the "firstName" contains only letters, spaces and apostrophes and can only be 20 characters long, you would use validation.

This can all be done easily with HTML and JavaScript. We can use the maxLength field in the HTML input tag to control the number of characters, and we can use JavaScript and regular expressions to check for the rest.

But both of these methods of validation, and any other client-side validation, can be bypassed. Here are a few options for bypassing client-side validation:

  • Disabling JavaScript in the browser - Very easy to do and will stop all JS based controls
  • Using a browser tool, like Firebug, to change the HTML to remove the maxLength property
  • Creating a completely separate page with NO validation - this can be done from anywhere, even on the hacker's desktop, then post it to the server. Here is an example
  • Using a proxy tool like WebScarab or Tamper Data - This will allow the hacker, to intercept any submitted data and manipulate it before sending it on to the server

Vulnerabilities in client-side validation are not exclusive to Web Applications. They can also exist in Adobe AIR applications and any other desktop application that makes calls to a remote server.

The moral of this story is that client-side validation is NEVER sufficient for securing your applications. All data must be validated at the server. This includes validation for data type and length. Client-side validation can, and should be, be used to enhance the user experience only.

Additional Resources

2009 CWE/SANS Top 25 Most Dangerous Programming Errors - CWE-602: Client-Side Enforcement of Server-Side Security

OWASP - Vulnerability: Validation performed in client

Comments
Ben Nadel's Gravatar Word up!
# Posted By Ben Nadel | 6/8/09 11:53 AM
Bob Silverberg's Gravatar This is precisely the reason that I always perform all of my validations both on the client and on the server, and why I developed a solution to do both automatically.
# Posted By Bob Silverberg | 6/11/09 12:02 PM
Jason Dean's Gravatar @Bob, exactly! You know, you should consider plugging your solution in a comment here :)
# Posted By Jason Dean | 6/11/09 12:07 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner