Software Security

Arguably, the root of all evil in software security is improper input validation. The best network security may be rendered useless if malicious input values enter through the “main door”, which is usually the HTTP protocol and the always-open port 80.

Data must be validated as it crosses the boundary between untrusted and trusted environments. Trusted data is data you or an entity you trust has complete control over.

Client Side Validation

The input is validated using JavaScript right after the user has entered it.

Advantages:
- the user is asked to correct the input right away without a round-trip to the server
- improves application response time

Disadvantages:
- browser compatibility issues
- vulnerable to attack
- limited validation features

There are several free tools (e.g. WebScarab) that let you intercept the request sent by a browser, modify it, and then send it to the server. The request modifications performed using these tools may render all client side validations useless. For example, you can replace a valid 5 digit string with a 1MB string which, if not properly validated on the server side, will crash the server.

There are attacks that cannot be detected by client side validation. These attacks can be prevented only by proper server side validation. An example is tampering with the URL. For example:

http://example.com/getDoc?readOnly=true

http://example.com/viewData?customerID=573892

In the above examples the hacker noticed that requests are made through HTTP GET commands. He also noticed what the parameters and values are. Simply by typing a modified URL into a browser he may get access to private data. This kind of modification is impossible to detect by client side validation.

Tampering with cookies is another client side vulnerability. Cookies are small pieces of data that are generated by the server and stored in the browser. Once received by the browser, the cookie is stored and sent back to the server along with each subsequent request. Cookies are used for session management and for storing user preference information. Cookies can be modified, for example using Mozilla Firefox. Cookie management is usually done by the application server and therefore cookie vulnerabilities do not get enough attention from programmers. There is little or no client side validation done for verifying cookies.

Server Side Validation

Server side validation is done after the request has been received by the server. It is much more difficult to hack than client side validation.

A good design requires that all validations are done at a central point on the server side.
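The central validation point described above, applied to the tampering cases from the previous section (oversized value, modified customerID, client-supplied readOnly flag). This is an added example, not code from the original page or from Struts or Spring; the class name, the "zip" field name, the length limit and the sample session data are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: one server-side validation point for every request parameter.
public final class RequestValidator {
    // Allow-list: parameter name -> strict pattern. "zip" is an assumed field name.
    private static final Map<String, Pattern> RULES = Map.of(
        "customerID", Pattern.compile("[0-9]{1,9}"),
        "zip",        Pattern.compile("[0-9]{5}"));
    private static final int MAX_LEN = 64; // assumed cap, checked before any regex runs

    public static final class ValidationException extends Exception {
        public ValidationException(String msg) { super(msg); }
    }

    /** Validates all parameters; ownedIds must come from the server-side session. */
    public static void validate(Map<String, String> params, Set<String> ownedIds)
            throws ValidationException {
        for (Map.Entry<String, String> e : params.entrySet()) {
            Pattern rule = RULES.get(e.getKey());
            if (rule == null)   // e.g. readOnly: access mode is decided on the server
                throw new ValidationException("unexpected parameter: " + e.getKey());
            String v = e.getValue();
            if (v == null || v.length() > MAX_LEN)
                throw new ValidationException("bad length: " + e.getKey());
            if (!rule.matcher(v).matches())
                throw new ValidationException("bad format: " + e.getKey());
        }
        // A well-formed ID is not enough: it must belong to the logged-in user.
        String id = params.get("customerID");
        if (id != null && !ownedIds.contains(id))
            throw new ValidationException("customerID not authorized");
    }

    public static void main(String[] args) {
        Set<String> owned = Set.of("573892");  // constructed session data
        String[][] samples = {                 // constructed requests
            {"customerID", "573892"}, {"customerID", "573893"},
            {"zip", "1".repeat(1_000_000)}, {"readOnly", "true"}};
        for (String[] s : samples) {
            try {
                validate(Map.of(s[0], s[1]), owned);
                System.out.println(s[0] + ": accepted");
            } catch (ValidationException ex) {
                System.out.println("rejected, " + ex.getMessage());
            }
        }
    }
}
```

The example needs Java 11 or later (Map.of, String.repeat). The error messages name only the parameter, never its value, so an oversized or hostile value is not echoed into logs or responses.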

Web application frameworks come with server side validation support. The most popular (in the Java world) are Spring and Struts.

For example, in Struts, validation can be implemented with these steps:
- declare an application-wide properties file
- add messages to the properties file
- turn on the automatic validator
- put validation rules in validation.xml
- put in input page

Validation Approach

Perform client side validation in order to prevent a round trip to the server and improve response time.

Do not trust client side validation.

Always perform server side validation, for all input values.