[WEB SECURITY] Client-side validation in 2007?
- From: Kurt Grutzmacher <grutz@xxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] Client-side validation in 2007?
- Date: Fri, 12 Jan 2007 14:52:01 -0600
I didn't see my post get to the webappsec list like it did Full
Disclosure, but really I'd like to bring up a discussion item here --
how many people still find web applications using client-side
validation for such things as prices, discount codes,
privilege, etc.?

I wasn't completely surprised at how easy it would be to defraud IDG
out of $1,695. MD5 hashes, keyspace, everything you'd need was given
because they wanted to validate their priority code before it was sent
to the server.
http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
--
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org
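
The server-side counterpart to the problem raised in the post, as an added example that is not part of the original message or of the site it discusses: the page submits only the code the user typed, and the server decides whether it is valid and what the order costs. The function name, form field names, sample codes, key and lockout threshold are all hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: every value below is hypothetical.
SERVER_KEY = b"constructed-demo-key-kept-only-on-the-server"
FULL_PRICE_CENTS = 169500   # the $1,695 figure from the post
MAX_FAILURES = 5            # assumed per-session limit on wrong guesses


def _tag(code):
    """Keyed digest of a normalized code; cannot be recomputed without SERVER_KEY."""
    normalized = code.strip().upper().encode()
    return hmac.new(SERVER_KEY, normalized, hashlib.sha256).digest()


# Server-side store: keyed tag -> discount percent. Nothing here is sent to the page.
DISCOUNTS = {_tag("DEMO-FREE-0001"): 100, _tag("DEMO-HALF-0002"): 50}
_failures = {}  # session id -> count of rejected codes


def price_order(session_id, form):
    """Return the amount due, derived from server-side state only."""
    # Any client-supplied "price" or "discount" field is deliberately never read.
    code = str(form.get("priority_code", ""))
    if not code:
        return {"ok": True, "amount_cents": FULL_PRICE_CENTS}
    if _failures.get(session_id, 0) >= MAX_FAILURES:
        return {"ok": False, "error": "too many attempts"}
    tag = _tag(code)
    percent = None
    for known, value in DISCOUNTS.items():
        if hmac.compare_digest(known, tag):  # constant-time comparison
            percent = value
    if percent is None:
        _failures[session_id] = _failures.get(session_id, 0) + 1
        return {"ok": False, "error": "invalid code"}
    return {"ok": True, "amount_cents": FULL_PRICE_CENTS * (100 - percent) // 100}
```

Client-side checks can stay for input formatting and user feedback; the attempt limit is what keeps a small code keyspace from being searched through the server instead.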