[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HACKING WITH JAVASCRIPT

To: hictor ertd <hict0r@xxxxxxxxxxx>
Subject: Re: HACKING WITH JAVASCRIPT
From: Jim Halfpenny <jim@xxxxxxxxxxxxxxxxx>
Date: Fri, 11 Feb 2005 12:56:26 +0000 (GMT)

On Wed, 9 Feb 2005, hictor ertd wrote:

> 1. Bypassing Required Fields
>
>       Surely you have met a webpage that requires you to fill all fields in a
> form in order to submit it. It is possible to bypass these types 
> of...<--SNIP-->

Why subvert the form at all? If a HTML form contains JavaScript to check
the fields entered, it is trivial to craft your own form or HTTP request
to send arbitrary data to the server. Trying to get around JavaScript
checks to accomplish this just serves to make the task more difficult.

JavaScript really ought only to be used in this fashion to sanity check
form content and not as a security device. This paper does raise the
issue of the fundamental flaw in the trust some people put into
client-side validation.

Jim Halfpenny

References:
- HACKING WITH JAVASCRIPT
  - From: hictor ertd

Prev by Date: Re: HACKING WITH JAVASCRIPT
Next by Date: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Previous by thread: Re: HACKING WITH JAVASCRIPT
Next by thread: Symantec UPX Parsing Engine Heap Overflow
Index(es):
- Date
- Thread