RE: [WEB SECURITY] Risk in Validating new password at client side
- From: "Joe Yeager" <Joe.Yeager@xxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Risk in Validating new password at client side
- Date: Tue, 7 Aug 2007 13:44:28 -0400
Make sure you always perform both client-side and server-side validation. You should even have different regexes used for validation testing in each case. The client should have basic validation to catch most use-cases, and the server should have more advanced whitebox and blackbox validation to catch all attacks. Reason being, if your server is using exactly the same regex as the client, someone could analyze your client-side regular expression and detect weaknesses in it... then create 1 single attack to bypass your validation. If you have a much stronger server-side validation, they will have to hammer on the server for days to find any weaknesses in the regex... therefore creating a lot of traffic to flag on.

Btw, if someone knows how to perform a SQL Injection, you can bet they know how to bypass JavaScript validation routines...

Joe Yeager
Security Engineer
SPI Dynamics
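As an added illustration of the point made throughout this thread (it is not code from any of the posters), here is a server-side handler for the original poster's change-password form, written for Node.js. It treats the browser's confirm check purely as a usability aid: the server requires that the confirm field actually be submitted, re-checks that new and confirm match, and enforces the password policy itself. The field names, the `POLICY` limits and the `handleChangePassword` request shape are assumptions for the example.

```javascript
// Added example, not from the mailing-list thread.
// Server-side validation of a change-password request. Nothing here depends on
// the browser having run any JavaScript; a client that skipped its own checks,
// or that never sent the confirm field, gets the same answer as everyone else.

// Policy values are constructed for this example, not a real standard.
const POLICY = {
  minLength: 12,
  maxLength: 128,
};

// Returns an array of human-readable errors. An empty array means the request
// passed every server-side check.
function validatePasswordChange(body) {
  const errors = [];
  const { oldPassword, newPassword, confirmPassword } = body || {};

  // Every field must be present as a non-empty string. This is the check the
  // original poster's application skips: if the confirm field is never sent,
  // the server has no way to know whether the user typed what they think they did.
  const fields = { oldPassword, newPassword, confirmPassword };
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string' || value.length === 0) {
      errors.push(`${name} is required`);
    }
  }
  if (errors.length > 0) return errors;

  // Re-do the "same or not" comparison on the server, not just in the browser.
  if (newPassword !== confirmPassword) {
    errors.push('newPassword and confirmPassword do not match');
  }
  if (newPassword === oldPassword) {
    errors.push('newPassword must differ from oldPassword');
  }

  // Password policy is enforced here regardless of what the client-side
  // check did; Array.from counts code points rather than UTF-16 code units.
  const length = Array.from(newPassword).length;
  if (length < POLICY.minLength) {
    errors.push(`newPassword must be at least ${POLICY.minLength} characters`);
  }
  if (length > POLICY.maxLength) {
    errors.push(`newPassword must be at most ${POLICY.maxLength} characters`);
  }
  return errors;
}

// A minimal request handler shape (assumed for the example): { body: {...} } in,
// { status, body } out. Credential checking and storage are deliberately left
// out; they are not what the thread is about. Note that input validation here
// is not a substitute for parameterised queries when the values reach a database.
function handleChangePassword(req) {
  const errors = validatePasswordChange(req && req.body);
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }
  return { status: 200, body: { ok: true } };
}

// The browser-side check is a strict subset of the server's: it exists only so
// a user who mistyped gets immediate feedback, and the server never relies on it.
function clientSideConfirmCheck(newPassword, confirmPassword) {
  return typeof newPassword === 'string' && newPassword === confirmPassword;
}

module.exports = { POLICY, validatePasswordChange, handleChangePassword, clientSideConfirmCheck };
```

Running `handleChangePassword` with a body that carries only `oldPassword` and `newPassword`, which is exactly what the original poster's application sends, yields a 400 with `confirmPassword is required`; the same request with a matching confirm field and a policy-compliant password yields 200.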
________________________________
From: varenc@gmail.com on behalf of Chris Varenhorst
Sent: Tue 8/7/2007 12:26 AM
To: warl0ck@metaeye.org
Cc: Appsec Punter; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Risk in Validating new password at client side
It's not a security problem, but you want to send both passwords to the
server and you want to check it in both places. Though not a security
problem at all, it's the best thing to do. The client side is for
usability's sake, and the server side checking is for the very small
number of users without JavaScript who happen to legitimately
mistype their password. It's a bit of an edge case, but still valid!
-Chris
On 8/6/07, Pranay Kanwar <warl0ck@metaeye.org> wrote:
> What I have observed is that the client side validation is usually for
> the client's (the user's) usability, for example checking a valid email
> etc. All the validations should be done again at the server end to
> mitigate any risks.
>
> In your case I don't see any problems as such, the only problem being checking
> the password for input validation errors such as SQL injections. Also
> the other problem might be that the user has JavaScript turned off.
>
> regards
>
> warl0ck // MSG
>
>
> Appsec Punter wrote:
> > Hi List,
> > What could be the risk/problem if application validates the new password and
> > confirm new password (same or not) at the client side? Application doesn't
> > send the confirm password at all to the server. It sends only old n new
> > password.
> > I can only think of violating password policy.
> > Any other issues..
> >
> > Thanx in advance.
> >
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>