Re: [WEB SECURITY] Risk in Validating new password at client side
- From: "Chris Varenhorst" <varenc@xxxxxxx>
- Subject: Re: [WEB SECURITY] Risk in Validating new password at client side
- Date: Mon, 6 Aug 2007 16:26:34 -0700
It's not a security problem, but you want to send both passwords to the
server and you want to check them in both places. Though not a security
problem at all, it's the best thing to do. The client side is for
usability's sake, and the server-side checking is for the very small
number of users without JavaScript who happen to legitimately
mistype their password. It's a bit of an edge case, but still valid!
-Chris
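The "check it in both places" approach from the reply above, as an added example that is not from any poster in this thread: a server-side validator for a change-password request that treats the browser's confirm check as a convenience only. The field names, the error codes and the minimum-length policy are assumptions made for illustration (the thread mentions a "password policy" without stating one).

```python
# Assumed policy for illustration only; the thread does not state one.
MIN_LENGTH = 8


def validate_password_change(form: dict) -> list:
    """Validate a change-password request on the server.

    `form` is the decoded POST body (assumed field names). Returns a list of
    error codes; an empty list means the request is acceptable. Every check
    runs here regardless of what client-side JavaScript did, because the
    browser's result may be absent (JavaScript off, scripted client) or
    tampered with.
    """
    errors = []
    old = form.get("old_password", "")
    new = form.get("new_password", "")
    confirm = form.get("confirm_password")  # None when the field was not sent

    if not old:
        errors.append("missing_old")

    # The confirm field must actually arrive; if it is missing, the client-side
    # check either never ran or was bypassed, so the server refuses the request
    # rather than assuming the browser already compared the two values.
    if confirm is None:
        errors.append("missing_confirm")
    elif new != confirm:
        errors.append("mismatch")

    # Policy checks live on the server too, so a client that skips them
    # cannot set a password the policy would reject.
    if len(new) < MIN_LENGTH:
        errors.append("too_short")
    if new and new == old:
        errors.append("same_as_old")

    return errors


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one with the confirm
    # field dropped as a client without JavaScript (or a tampered one) would.
    good = {"old_password": "hunter2!", "new_password": "correct horse",
            "confirm_password": "correct horse"}
    no_confirm = {"old_password": "hunter2!", "new_password": "correct horse"}
    print(validate_password_change(good))        # []
    print(validate_password_change(no_confirm))  # ['missing_confirm']
```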
On 8/6/07, Pranay Kanwar <warl0ck@xxxxxxxxxxx> wrote:
> What I have observed is that client-side validation is usually for
> the client's (the user's) usability, for example checking a valid email
> etc. All the validations should be done again at the server end to
> mitigate any risks.
>
> In your case I don't see any problems as such, the only problem being checking
> the password for input validation errors such as SQL injection. Also
> the other problem might be that the user has JavaScript turned off.
>
> regards
>
> warl0ck // MSG
>
>
> Appsec Punter wrote:
> > Hi List,
> > What could be the risk/problem if the application validates the new password and
> > confirm new password (same or not) at the client side? The application doesn't
> > send the confirm password at all to the server. It sends only the old and new
> > password.
> > I can only think of violating the password policy.
> > Any other issues?
> >
> > Thanx in advance.
> >
>
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org