
I am testing a simple registration form (username, password, email... etc), where input validation is done on the client side every time the user writes/deletes a character (not allowing some characters, checking length... etc).

I have recently seen something about doing the email validation on the server side, not only the client side, because it is insecure since JavaScript can easily be deactivated on the client side.

Is that really a threat when using JavaScript only for validating the inputs before sending them with a submit, or am I worrying for nothing?

Tech Tech
  • I personally do validation testing at both client and server side – Satpal Oct 04 '13 at 19:30
  • JavaScript only solutions can always be messed with, it runs on the client's machine so they have the final word about how it runs. Just make sure to also validate server-side, because that's something you own. Client-side validation is basically a gimmick, so users get more instantaneous feedback. – Jasper Oct 04 '13 at 19:30
  • This question belongs on [security.se]. – zzzzBov Oct 04 '13 at 19:32
  • This topic is already well-covered, you should be able to research and find answers easily, try a Google search for 'client side vs server side validation' – Rick Suggs Oct 04 '13 at 19:33
  • So, I should keep the JS validation (because it gives a very fluid and beautiful way of validation to the client), and add other PHP scripts in the background to do a second validation (server validation)? – Tech Tech Oct 04 '13 at 19:34
  • @TechSupport: Yes; emphatically. – SLaks Oct 04 '13 at 19:35
  • 3
    js validation is for the user's sake, server validation is for your sake. – dandavis Oct 04 '13 at 19:36

2 Answers

6

Attackers can send any HTTP request they want, without running any Javascript code.

SLaks
  • 2
    In stronger language - ABSOLUTELY NOT. – Chad Killingsworth Oct 04 '13 at 19:31
  • @ChadKillingsworth, can you please explain ? – Tech Tech Oct 04 '13 at 19:37
  • Download [this](http://sourceforge.net/projects/paros/), you'll find that you can intercept any form post or get and do whatever you want to any field in it, regardless of any validation that Javascript did beforehand. – John Wu Oct 05 '13 at 00:27
  • 2
    @TechSupport The extremely short version is that JavaScript validation is only for user convenience. Validation on the server side is for security. It's extremely trivial to disable javascript validation checks. Or as the answer states, an attacker can simply submit arbitrary data to your server. – Chad Killingsworth Oct 05 '13 at 03:01
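As an added example (not code from the question or any of the answers), this is what "validate on the server as well" looks like in Node-style JavaScript: a pure function applied to the parsed POST body, so it runs whether or not the browser executed any script. The rules themselves (length limits, allowed characters) are assumptions chosen for illustration.

```javascript
// Added example: the same rules the client-side JavaScript enforces,
// re-implemented as a server-side check over the raw submitted fields.
// Rule values (lengths, allowed characters) are assumptions for illustration.

const USERNAME_RE = /^[A-Za-z0-9_]{3,20}$/;     // letters, digits, underscore
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;  // deliberately simple shape check
const PASSWORD_MIN = 8;
const PASSWORD_MAX = 128;

// Validate a parsed form body. Returns { ok: true, value } or { ok: false, errors }.
// Every field is untrusted: wrong types, missing keys and extra keys are all
// rejected, because the client may not have run any JavaScript at all.
function validateRegistration(body) {
  const errors = [];
  if (body === null || typeof body !== 'object') {
    return { ok: false, errors: ['body must be an object'] };
  }
  const allowed = ['username', 'password', 'email'];
  for (const key of Object.keys(body)) {
    if (!allowed.includes(key)) errors.push(`unexpected field: ${key}`);
  }
  const { username, password, email } = body;
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) {
    errors.push('username must be 3-20 characters of [A-Za-z0-9_]');
  }
  if (typeof password !== 'string' ||
      password.length < PASSWORD_MIN || password.length > PASSWORD_MAX) {
    errors.push(`password must be ${PASSWORD_MIN}-${PASSWORD_MAX} characters`);
  }
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push('email is not well-formed');
  }
  if (errors.length) return { ok: false, errors };
  return { ok: true, value: { username, password, email: email.toLowerCase() } };
}

// Constructed sample bodies: one a normal browser submission, one the kind of
// body that reaches the server when the client-side checks were not run.
const fromBrowser = {
  username: 'alice_01', password: 'correct horse battery', email: 'Alice@example.com',
};
const handCrafted = {
  username: '<script>', password: 'x', email: 'not-an-email', isAdmin: true,
};
```

The server handler calls `validateRegistration` on the parsed body and only proceeds when `ok` is true; the client-side checks remain purely for user feedback.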
2

Yes, it's a threat. Yes, you need to worry about it.

Mark