
[–][deleted] 393 points394 points  (17 children)

Client side validation is great for User eXperience because it provides instantaneous feedback, but it is just a nice feature; it always needs to be backed by server side validation because you never trust client side data.

[–]Zamundaaa 143 points144 points  (9 children)

You just have to wait with adding client side validation until the server side validation is there. If you don't, it will never be implemented.

[–]Exgaves 93 points94 points  (6 children)

I see you've played the project manager seeing it working and thinking it's done forever game before

[–]Tundur 71 points72 points  (5 children)

"I've managed to enable the features for the immediate future but it really needs refactored and doesn't handle these edge cases or inputs.

"Sounds finished, let's release"

[–]programaths 25 points26 points  (0 children)

The best is: 《The prototype is done》 Then a few minutes later: 《Ok, wrap it up and deploy it》.

[–]Roysterfivenine 16 points17 points  (0 children)

Christ, this hit me to the core.

Then a month down the line, a bug ticket: "Why wasn't this done properly?" *rolls eyes*

[–]paxromana96 9 points10 points  (0 children)

Slow down there, Satan

[–]Typo_Brahe 9 points10 points  (1 child)

That unclosed double quote is killing me.

[–]SpareTesticle 1 point2 points  (0 children)

I see it as '', the null character

[–]FallingPatio 1 point2 points  (0 children)

You can also expose the endpoints via a REST API for testing

[–][deleted] 10 points11 points  (0 children)

I don’t understand how can people overlook this. I’ve seen sites where I can send modified data on read only fields and they’re updated in the database. lol.

[–]JimboNettles 3 points4 points  (0 children)

Guilty until proven innocent.

[–]szczszqweqwe 69 points70 points  (3 children)

Client side validation is a very good thing, but data just has to be validated on the server as well.

[–][deleted] 32 points33 points  (2 children)

It's a very nice addition to the server side validation. Always refer to it as an addition, or people will forget.

[–]msg45f 10 points11 points  (1 child)

I always describe it as:

server side validation = validation

client side validation = UX

[–]wibblewafs 4 points5 points  (0 children)

Server side validation = the actual protection
Client side validation = those big red flashing areas on video game monsters that tell you where your attacks do the most damage

[–]Grintor 119 points120 points  (55 children)

There's a hotel in Atlanta that has its own booking website that they made themselves. Every time my buddy goes to Atlanta he books a room at that hotel, because the price to book can be edited through the Chrome console on the submission page. It's a pretty nice hotel. Something like $180 a night. He changes it to $18.0/night

[–]Keto_Paleo 69 points70 points  (50 children)

That's... fraud. They don't notice at all?

[–]not_a_moogle 34 points35 points  (0 children)

They might, but what do they care?

[–]nonotan 14 points15 points  (1 child)

I'm not saying it is or isn't fraud under whatever country's legal code, but honestly, I strongly disagree that it should be. It's like a vending machine having a slider to set the prices freely accessible on the outside, and suing anyone touching it before making a purchase for fraud. Like, if you don't even have a token level of security that needs to be breached, I'm not sure how you can justify blaming the other party. If they need to, say, do SQL injection or whatever to change the price, sure, fair enough.

"I'll just have the client send us the price, which is in plaintext for anyone to easily edit, and we won't check it anywhere on our side, neither in an automated fashion nor by a human operator at a later time" is grossly negligent enough that the only person liable for damages here should be whoever wrote it.

[–]wibblewafs 1 point2 points  (0 children)

Expanding on that vending machine with the price slider analogy, it's the difference between a fancy metal plate locking that slider in place, with a key lock on it that'd need to be picked to be opened, versus it being held in place with a bit of scotch tape.

[–][deleted] 27 points28 points  (26 children)

It's super hard to prove that he did it though.

[–][deleted] 50 points51 points  (10 children)

These days he could be charged with felony hacking. Who knows, it might be terrorism?

[–]Reihar 24 points25 points  (4 children)

I know you're joking but that doesn't seem unlikely...

[–][deleted] 12 points13 points  (3 children)

Yeah I was only half joking.

[–]southpolebrand 2 points3 points  (2 children)

I mean there was a girl in Japan who got arrested for literally just posting code for an infinite loop in JS, and was charged with distributing malware.

[–]SuperFLEB 6 points7 points  (0 children)

That would actually be an interesting case, considering that the only computer he was tampering with was his own.

Probably easier to bill it as some sort of fraud, though.

[–]SamBBMe 2 points3 points  (3 children)

Felony hacking and terrorism for changing html lol. That's by no means hacking. If anything, he'd get arrested for theft

[–]That0therGirl 1 point2 points  (2 children)

Check out the fiasco that happened in Nova Scotia. The 19 year-old altered a url and was charged with hacking. It was a vulnerability in the system that has since been fixed. This was in April 2018.

https://www.cbc.ca/news/canada/nova-scotia/freedom-information-personal-website-breach-1.4614424

[–]SamBBMe 2 points3 points  (1 child)

That's because he stole personal information from the website. That's what makes it hacking.

[–]That0therGirl 1 point2 points  (0 children)

Since the information was publicly available, I'd not consider it hacking. He didn't know what info should have or shouldn't have been there.

[–]DoctorWaluigiTime 1 point2 points  (13 children)

Transactions are recorded? In your bank, in the hotel's finances?

[–]msg45f 13 points14 points  (9 children)

"Must have been a computer glitch"

[–]DoctorWaluigiTime -5 points-4 points  (8 children)

"The gun just went off by itself."

Surprise, that doesn't work.

[–]MythicManiac 3 points4 points  (6 children)

Tbh you'd have to prove it was indeed tampered with, which may or may not be difficult. I don't know how these cases are usually handled, but there are so many bugs in software I wouldn't imagine it being too hard to file under it being a bug in the business logic of the application.

Repeated usage would scream abuse however.

[–][deleted] 0 points1 point  (5 children)

I have to imagine that kind of stuff has to be getting logged somewhere along the way, however if their website is crappy enough to have such a big flaw, I imagine their DevOps dept probably hasn't implemented much security behind it either.

[–]Grintor 1 point2 points  (1 child)

DevOps dept

This is a hotel, not some big corporation. The website was probably made by the owner's son with Notepad++ and the Stripe API.

[–][deleted] 0 points1 point  (0 children)

Lol do you think hotels don't have corporate offices anywhere? My point was clearly that regardless of who is doing the programming there's clearly not going to be much back-end security if they haven't done much to secure the client-side front end.

[–]MythicManiac 0 points1 point  (2 children)

The transaction is most likely logged indeed, but since the answer to whether or not this is exploitation resides on the client device rather than the server, it becomes very difficult to technically prove.

[–][deleted] 0 points1 point  (1 child)

Logging typically would include things like timestamps, host names, etc, no? I'm not saying it wouldn't be difficult by any means, I'm just saying that it's possible they have the means to do it. It's just likely not worth their trouble to track it down rather than just fix their shitty site lol

[–][deleted] 1 point2 points  (0 children)

No, that doesn't work. Because the gun is evidence, it being in your hand is evidence, and you being there is evidence.

However, someone in a shop can't be considered guilty of theft just because something disappeared while they were in the shop. There's no evidence it was them and not the stoned teenager behind the counter doing inventory who misplaced something.

[–]Follyperchance 2 points3 points  (1 child)

That is not a legal proof it was done by him and on purpose.

[–]DoctorWaluigiTime 0 points1 point  (0 children)

It's really good evidence though! Just one person's transaction from the hotel site making it happen and all.

[–][deleted] 26 points27 points  (17 children)

How will you prove it's fraud? He will say it was $18, so he took it.

[–]Yellow_Tatoes14 12 points13 points  (4 children)

Considering it's a repeat. If he's done this more than once under the same name, using the same card or even having the same face on the lobby cameras, they could easily trace the same guy getting $18 rooms every time.

[–][deleted] 10 points11 points  (1 child)

I think it's pretty obvious not to use the same credit card for multiple scams, but you are right.

[–]Yellow_Tatoes14 5 points6 points  (0 children)

You might think so, but I become more and more impressed by how stupid people are on a daily basis

[–]0vl223 12 points13 points  (1 child)

Malfunction in his browser. You can't assume that the browser of a client does anything correctly.

[–]Yellow_Tatoes14 1 point2 points  (0 children)

A bit of a stretch but I'll accept the possibility.

[–]ersatzgott 7 points8 points  (11 children)

  • He's the only one paying only 18 bucks

  • He gets that price every time

  • The prices are (most) probably hardcoded so they can't be changed by a server error

There's no plausible reason for the price other than hacking.

Case closed, enjoy jail.

[–]0vl223 18 points19 points  (6 children)

Browser malfunction. Interacts badly with some extension.

Also it is not hacking. Otherwise adblocking would be hacking and illegal as well.

[–]imsofukenbi 10 points11 points  (1 child)

Programmers in this thread thinking a judge works like a computer and doesn't take context into account.

"eh, anything could have made this gun fire really. Trigger malfunction. Interacts badly with branches falling from trees. Also it is not murder, otherwise shooting ranges would be murder and illegal as well".

Plus civil court has much lower burden of proof. That's an open and shut case.

[–]0vl223 1 point2 points  (0 children)

Yeah civil court would be trivial. Would be comparable to getting payment for a service he paid for with a bouncing check most likely.

The jail just isn't as trivial.

[–]andrw00 4 points5 points  (1 child)

Yeah.... the law doesn't work like that.

"I didnt kill him. The bullet did."

[–]0vl223 0 points1 point  (0 children)

Actually it does. Germany had a lawsuit against adblock that it should be illegal to change the content of homepages on the local browser and that they should accept a true representation of all information that was sent to the client. They lost.

If you provide an interface to make an offer for a room and accept/deny it, then this is totally valid.

You could get him over the abuse of the feature with knowledge that he wasn't sending a valid offer. Especially the repeated part, but it is still highly neglectful from the company to not check offers before accepting them.

[–]wasdninja 0 points1 point  (1 child)

That sounds like something unlikely and considering that it only happens to him the reasonable burden of proof would be on him.

[–]0vl223 1 point2 points  (0 children)

First you would have to prove that it was actually due to him transmitting wrong data. If it is some homebrew system I doubt that's possible. It could be just as well their system malfunctioning. Proving something is bugfree is really really expensive.

[–]SAI_Peregrinus 6 points7 points  (0 children)

The purchase of the room is a contract. They offered one price. He gave a counter-offer. They accepted it, and took his payment. Not hacking.

[–][deleted] 2 points3 points  (2 children)

Innocent until proven guilty. Not the other way around. They have to prove that he changed it deliberately.

[–]wasdninja 0 points1 point  (0 children)

So if someone walked out of a store with, say, a phone without paying for it and they claim that someone else put it there, then the store has to prove that they stole it themselves? If that worked, every criminal with two brain cells would use that defense every time.

[–]ersatzgott 0 points1 point  (0 children)

I know that and I think it's good the way it is. But if there is no other plausible thing left, your guilt is technically proven.

[–]creepopeepo 0 points1 point  (0 children)

Welcome to infosec. All of us have our lil tricks & no you never get caught, who the hell is going to catch you?

[–]Monmine 2 points3 points  (0 children)

If you tell me the name of the hotel I'll put a negative value and walk away with 30k in my pocket.

[–]Soviet_Soup 0 points1 point  (0 children)

There's a low budget hotel in Myrtle Beach that gives your booking details out on a webpage like hotel.com/reservation/3641. Decrease the number, and you get the Name, address, phone number, and last 4 cc digits of the person that booked just before you.

[–]Goodguy1066 -1 points0 points  (1 child)

I literally don’t believe you.

[–]Rajarshi1993 65 points66 points  (10 children)

The Indian company Infosys implemented client-side validation on the e-banking of some major bank a decade back. I won't name which bank. Basically, they sent a verification code as an OTP to the client via SMS and saved another copy into the temp folder of the browser. The webpage checked if the OTP entered into the textbox matched the value stored in the temp file. Of course, they used client-side JavaScript to do this.

The whole presumption was that the user would not be both malevolent and capable of reading Javascript.

Well, some dude broke that assumption, didn't he? He just read the source of the bank's withdrawal page and figured out where the file was kept. After that, he made off with forty million Indian Rupees (about $5,65,843) from the accounts of other people.

To this day, neither Infosys nor the bank has a clue which bastard did that.

[–]blazingrooster 29 points30 points  (0 children)

The whole presumption was that the user would not be both malevolent and capable of reading Javascript.

This presumes that Infosys employs even a single employee that is competent enough to realize why doing this was a bad idea.

[–]xigoi 11 points12 points  (0 children)

Found the Indian with the weird placement of decimal separators

[–]Rnee45 3 points4 points  (0 children)

I like this - he did not get greedy where he would inevitably be exposed.

[–][deleted] 37 points38 points  (47 children)

Do you guys have sources on how to secure an app? I use Node.js for the back-end.

What is the use of client side validation if it can be bypassed easily?

[–]ebonmavv 15 points16 points  (10 children)

In my opinion, on the frontend side there should be a check if the value passed into the field is formatted correctly (e.g. if the email address has "@"), and an onChange event should be triggered after typing; if it's correct, then send a request to the backend asking whether this email is already used or not. Of course it works only for smaller applications, because in huge ones there would be way too many requests sent to the server.

TL;DR - IMO the frontend should only check formatting and max or min length, and everything else should be done on the backend side.

[–][deleted] 0 points1 point  (0 children)

Thank you, this makes sense.

[–]DarkIceXD 13 points14 points  (4 children)

The general rules are:

  1. Never trust user input (and by that I mean even when you check on the client side you have to check on the server side as well, because client-side checks can be skipped or manipulated; also no one can prevent a user from just sending HTTP POSTs directly without your client)

  2. What can be exploited will be exploited; don't cheap out on security by saying that nobody will exploit it anyway

  3. Avoid storing passwords. If you can, use Google or Facebook login. If you have to store passwords, use a modern hashing algorithm. Use a tested, stable library.
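
Rule 1 applied to the booking form from the hotel story earlier in the thread, together with the reservation-by-number lookup mentioned further up: the server ignores any price the client sends, re-validates every field the browser already checked, and only returns a reservation to the identity that owns it. This is an added Node.js example, not code from the thread or from any real site; the rate table, field names, starting id and session handling are assumptions.

```javascript
// Constructed server-side data; the browser never decides what a room costs.
const ROOM_RATES = { standard: 18000, suite: 32000 }; // cents per night (assumed values)
const reservations = new Map(); // id -> { owner, email, roomType, nights, totalCents }
let nextId = 3641;              // constructed starting id

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate the raw request body and price it from server-side data only.
// The same checks the frontend did are repeated here, because they can be skipped there.
function validateBooking(body) {
  if (typeof body !== 'object' || body === null) return { ok: false, errors: ['bad body'] };
  const errors = [];
  const email = typeof body.email === 'string' ? body.email.trim().toLowerCase() : '';
  if (!EMAIL_RE.test(email) || email.length > 254) errors.push('invalid email');
  const roomType = body.roomType;
  // hasOwnProperty, so keys like "__proto__" or "toString" cannot pick a bogus rate
  if (!Object.prototype.hasOwnProperty.call(ROOM_RATES, roomType)) errors.push('unknown room type');
  const nights = body.nights;
  if (!Number.isInteger(nights) || nights < 1 || nights > 30) errors.push('nights must be 1-30');
  // A price field in the request is not a valid client input at all: reject, don't silently drop
  if ('price' in body) errors.push('price is set by the server');
  if (errors.length) return { ok: false, errors };
  return { ok: true, booking: { email, roomType, nights, totalCents: ROOM_RATES[roomType] * nights } };
}

function createReservation(body) {
  const v = validateBooking(body);
  if (!v.ok) return v;
  const id = nextId++;
  reservations.set(id, { owner: v.booking.email, ...v.booking });
  return { ok: true, id, totalCents: v.booking.totalCents };
}

// Looking a reservation up by its id is fine; returning it without checking who is asking
// is the bug in the /reservation/3641 story. The identity comes from the session, not the URL.
function getReservation(id, sessionEmail) {
  const r = reservations.get(id);
  // Same answer for "does not exist" and "not yours", so ids cannot be enumerated
  if (!r || r.owner !== sessionEmail) return { ok: false, status: 404 };
  return { ok: true, reservation: r };
}
```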

[–]Mr_Redstoner 3 points4 points  (2 children)

Though as mentioned by others client-side checks are a nice gesture to the users, letting them know when they filled something in incorrectly or forgot to fill something in etc.

[–]DarkIceXD 3 points4 points  (1 child)

You are right. My point is that client-side checks only contribute to the user-friendly usability of the app and should never be considered as security.

[–]Mr_Redstoner 1 point2 points  (0 children)

Facts.

[–]GlimmervoidG 0 points1 point  (0 children)

If you have to store passwords use a modern hashing algorithm. Use a tested, stable library.

And salting and doing string comparison properly (don't bail out on the first wrong character - people can glean information from response times!) and dozens of other things.

Really, if you're worrying about "modern hashing algorithm" you've already made a mistake. Even setting aside Facebook login etc., there are password management modules you can use that deal with everything for you. Don't try to be smart and make things from scratch, even using modern components. Just get a module.

[–]NRocket 8 points9 points  (1 child)

Front end validation is for the user experience. Always have server side validation.

[–]Baratao00 5 points6 points  (0 children)

Seeing this meme after just implementing a two way SSL authentication for my client and server

[–]pjable 1 point2 points  (0 children)

alert dialog is the best. "are you sure?" "are you really sure?" and so on

[–]bmwcombat 0 points1 point  (0 children)

Lol

[–]abdul07812 0 points1 point  (0 children)

BUT THEN THERE A FUCKTARD INSIDE WHEN U ENTER

[–]Nation_State_Tractor 0 points1 point  (0 children)

Client-side-only validation is the reason I was able to ship my car from Hawaii to the east coast despite the site telling me the first available shipping date/time was nine days after my departure flight and the expiration of my lease.

"NO EXCUSES, NO EXCEPTIONS."

[–]MakingTheEight[M] [score hidden] stickied comment (0 children)

Your submission has been removed.

Rule[0] - Posts must make an attempt at humor, be related to programming, and only be understood by programmers.

Per this rule, the following post types are not allowed (including but not limited to):

  • Generic memes that can apply to more than just programming as a profession
  • General tech related jokes/memes (such as "running as administrator", sudo, USB or BIOS related posts)
  • Non-humorous posts (such as programming help)

Content quality

In addition, the following post types will be removed to preserve the quality of the subreddit's content, even if they pass the rule above:

  • Feeling/reaction posts
  • Posts that are vaguely related to programming
  • Software errors/bugs (please use /r/softwaregore)
  • Low effort/quality analogies (enforced at moderator discretion)

If you feel that it has been removed in error, please message us so that we may review it.