[OWASP_PHPSEC] [Off topic] Recent loopholes discovered in Facebook.

Shivam Dixit shivamd001 at gmail.com
Tue Sep 10 02:58:36 UTC 2013


Hello folks,

You all must be aware of the recent loopholes discovered in Facebook. In
case you are not, there were two major issues that were put forward. First,
anyone can post on any other person's wall (even if you are not friends with
that person) and second, you can delete *any photo* (even Zuckerberg's)!!

After going through the description videos of both attacks I figured out
that the exploits were possible just because the content received at the server
end was not validated. They were relying on "hidden" input fields and query
strings. The attacks were performed just by manipulating these fields.

I read somewhere that server load should be minimized by validating the user's
input at the *client side*. But in an application like Facebook, a user makes
*hundreds* of requests to the server, so is it necessary to *validate all those
requests*? For example, I am using JS regular expressions to check whether the
user's input is in the required format or not, but before inserting it into the
database do I need to re-validate it server-side because an attacker might
trick the JS? Will it not affect the performance of the application, as both
client-side and server-side validation will take place?

My question is, what is the correct/standard method for validation? Client
side, server side, or both?

-- 
*Cheers,*
*Shivam*
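The pattern the post describes, shown as an added PHP example that is not part of the original message: a handler that trusts a hidden `owner_id` field plus the client-side check, beside one that re-validates the format server-side and takes the acting user from the session. The field names, the `PHOTOS` lookup table and the session layout are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Field names, the PHOTOS table
// standing in for a database, and the session layout are assumptions.
declare(strict_types=1);

// Constructed stand-in for a database lookup: photo id => owner user id.
const PHOTOS = [101 => 7, 102 => 9];

/**
 * Vulnerable pattern: trusts the hidden "owner_id" field and relies on the
 * client-side JS check. Editing the form is enough to pass this check.
 */
function deletePhotoInsecure(array $post): string
{
    if ($post['owner_id'] === (string) PHOTOS[(int) $post['photo_id']]) {
        return 'deleted';
    }
    return 'forbidden';
}

/**
 * Hardened pattern: the server repeats the format check (the JS regex can be
 * bypassed) and derives identity from the session, never from the form.
 */
function deletePhotoSecure(array $post, array $session): string
{
    // 1. Format validation, repeated server-side regardless of the JS check.
    $photoId = filter_var($post['photo_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($photoId === false) {
        return 'bad request';
    }
    // 2. Identity comes from the authenticated session, not a hidden field.
    $actingUser = $session['user_id'] ?? null;
    if ($actingUser === null) {
        return 'unauthenticated';
    }
    // 3. Authorization: ownership is checked against the server's own record.
    if (!isset(PHOTOS[$photoId]) || PHOTOS[$photoId] !== $actingUser) {
        return 'forbidden';
    }
    return 'deleted';
}

// Constructed request: user 9 is logged in but the submitted form claims the
// photo belongs to user 7, who really owns photo 101.
$tampered = ['photo_id' => '101', 'owner_id' => '7'];
$session  = ['user_id' => 9];
echo deletePhotoInsecure($tampered), "\n";          // owner_id was trusted
echo deletePhotoSecure($tampered, $session), "\n";  // session decides
```

The client-side regex still saves round trips for honest users; the server-side check is the one that actually decides, because only the server's input is under the server's control.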