Wednesday, April 20, 2016

DO NOT Skip Server Side Validation

This article about a Domino Pizza website hack brought back memories of discussions I had with developers on Client-side vs Server-side validation. The long story short is no matter how much client side or "pretty" validation you have, no matter what type of app it is (website, desktop, iphone, etc.), DO NOT skip the Server Side Validation! This article explains why and I tried to highlight it below...

- What are we talking about? A Domino Pizza Android app that orders pizza.
- What part of the app had the issue? The part in code where they process the credit card.
- What did they do wrong? They communicated directly from the app to the payment processor (Visa/Mastercard/etc.).
- What's wrong with that? All validation is performed client-side on the Android phone.
- So what? You could simply use a client-side tool like BURP to "fake" the response from the payment processor, enter "APPROVED", and get free pizza.
- How's that? The app is only doing client-side validation, so whatever response the client (Android app) gets back, it trusts, even if it's fake, spoofed, or modified.
- How could they fix it? The Android app should talk to a Dominos Server. The Server should talk to the payment processor. The server does it's validation, orders the pizza, and TELLS the client the results. The Android App just echos to the user the work that the server did.
- How does that help? Think of any client device (Phone, Computer, Browser) as completely customizable and owned by the user. They can intercept, change, and manipulate anything they want on their end. A good example is in a web browser, if you have client-side javascript or jquery validation, a user can turn that off simply by disabling javascript. Thus the reason why it's insufficient to perform data integrity checks client-side only. So by shifting the payment processing to the server, and having the server preform that validation, it ensures that a client cannot manipulate, fake, spoof, or modify requests or responses to/from the payment processor. Thus no more free pizza.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. php injection ali.txt walk-thru

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment