
Re: [WEB SECURITY] Risk in Validating new password at client side



What I have observed is that client-side validation is usually for
the client's (the user's) usability, for example checking for a valid email
address, etc. All the validations should be done again at the server end to
mitigate any risks.

In your case I don't see any problems as such, the only problem being checking
the password for input validation errors such as SQL injection. Also,
the other problem might be that the user has JavaScript turned off.

regards

warl0ck // MSG


Appsec Punter wrote:
> Hi List,
> What could be the risk/problem if the application validates the new password and
> confirm new password (same or not) at the client side? The application doesn't
> send the confirm password at all to the server. It sends only the old and new
> password.
> I can only think of violating password policy.
> Any other issues..
> 
> Thanks in advance.
> 


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Brought to you by http://www.webappsec.org