It is important to perform as much validation and information handling on server side as possible, or else the information you are being passed, or the interface it is being displayed on could be easily manipulated by an attacker.
A good example of this would be a form, such as the one shown below which has a button that appears and enables when both the name and author field have been populated by the user to ensure that no empty fields are submitted to the database.
Opening up the console (in Chrome for example) the end user has the option to edit the HTML which is currently being displayed to them. The user can take advantage of this and easily edit out certain error checking among other things to modify the functionality of your web application
Original HTML
After HTML has Been Edited
As shown below this is the form mentioned before, with the HTML edited to display the Add Comment button prior to fields being populated.
And upon submission you can see (below) that a comment with nothing has been added without any content in either field.
For some web applications, this may not necessarily be a major flaw due to the un-strict functionality, however it is easy to identify that it could be a major vulnerability in your web application specifically to spammers or attackers depending on the nature of the functionality of your web app.
No comments:
Post a Comment