[OWASP ASVS] Client-side verification?

Jim Manico jim.manico at owasp.org
Tue Sep 6 18:47:31 UTC 2016


> Umm... is client-side validation not said to have no security benefit
> whatsoever?

Client side validation is a valuable intrusion detection technique for
defense as well.

If you do both client side and server side validation, then how many
server side validation errors should you get? None. And if you do,
you're under attack or someone is using an interceptor to mess with your
app.

Early intel on attacks is your friend.

But still, I get the weaknesses of client side validation and this might
be confusing for some.

- Jim


On 9/6/16 3:30 AM, TGHCagent wrote:
> Attacks on the DOM ?
>
> On 6 September 2016 at 14:12, Safuat Hamdy <safuat.hamdy at secorvo.de
> <mailto:safuat.hamdy at secorvo.de>> wrote:
>
>     Hi,
>
>     can someone please enlighten me on the purpose of ASVS requirement
>     V5.18:
>
>         Verify that client side validation is used as a second line of
>         defense, in addition to server side validation.
>
>
>     Umm... is client-side validation not said to have no security benefit
>     whatsoever?
>
>     And why should I verify that it is there? If an application
>     doesn't provide client side verification, does it fail this
>     requirement?
>
>     I mean, as a convenience function to alert users to undesired input,
>     yes, but as a security requirement? Have I missed something?
>
>
>     Regards
>
>     -- 
>     --------------------------------------------------------
>
>     Dr. Safuat Hamdy
>     Security Consulting
>
>     Secorvo Security Consulting GmbH
>     Ettlinger Strasse 12-14, D-76137 Karlsruhe
>     Tel. +49 721 255171-304 <tel:%2B49%20721%20255171-304>, Fax +49
>     721 255171-100 <tel:%2B49%20721%20255171-100>
>     safuat.hamdy at secorvo.de <mailto:safuat.hamdy at secorvo.de>,
>     http://www.secorvo.de
>     PGP: 6A83 EC49 8474 D77C 1258  AE91 4BB4 8DEE 952A 2506
>
>     Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox
>     _______________________________________________
>     Owasp-application-security-verification-standard mailing list
>     Owasp-application-security-verification-standard at lists.owasp.org
>     <mailto:Owasp-application-security-verification-standard at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard
>     <https://lists.owasp.org/mailman/listinfo/owasp-application-security-verification-standard>
>
