This article about a Domino's Pizza website hack brought back memories of discussions I had with developers on client-side vs. server-side validation. Long story short: no matter how much client-side or "pretty" validation you have, no matter what type of app it is (website, desktop, iPhone, etc.), DO NOT skip the server-side validation! This article explains why, and I tried to highlight it below...
- What are we talking about? A Domino's Pizza Android app that orders pizza.
- What part of the app had the issue? The part of the code where they process the credit card.
- What did they do wrong? They communicated directly from the app to the payment processor (Visa/Mastercard/etc.).
- What's wrong with that? All validation is performed client-side, on the Android phone.
- So what? You could simply use an intercepting proxy like Burp to "fake" the response from the payment processor, enter "APPROVED", and get free pizza.
- How's that? The app is only doing client-side validation, so whatever response the client (Android app) gets back, it trusts, even if it's fake, spoofed, or modified.
- How could they fix it? The Android app should talk to a Domino's server. The server should talk to the payment processor. The server does its validation, orders the pizza, and TELLS the client the results. The Android app just echoes to the user the work that the server did.
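To make the fix concrete, here is an added example (not Domino's code, and not from the article) of an order handler that trusts the client's "APPROVED" beside one that charges the card from the server and ignores any client-supplied payment status. The processor, menu prices and token rule are constructed stand-ins for the demo.

```python
# Constructed stand-in for the card processor. In the flawed design the phone
# called the processor itself; here only the server does, so the phone never
# sees (and cannot forge) the approval decision.
class FakeProcessor:
    def charge(self, card_token: str, amount_cents: int) -> dict:
        # Hypothetical demo rule: tokens starting with "tok_ok" are approved.
        if card_token.startswith("tok_ok") and amount_cents > 0:
            return {"status": "APPROVED", "auth_id": "auth-1234"}
        return {"status": "DECLINED"}


# Constructed server-side price list; the client never gets to set prices.
MENU_CENTS = {"large_pepperoni": 1499, "garlic_knots": 599}


def vulnerable_order(req: dict) -> dict:
    """Mirrors the flaw in the article: the order goes through if the client
    says the payment was approved. A proxied/modified request wins."""
    if req.get("payment_status") == "APPROVED":
        return {"ordered": True, "reason": "client said approved"}
    return {"ordered": False, "reason": "client said declined"}


def hardened_order(req: dict, processor=None) -> dict:
    """Server-side validation: recompute the total, charge the card from the
    server, and only then place the order. Client claims are ignored."""
    processor = processor or FakeProcessor()
    # 1. Recompute the price from server-side data; any client total is ignored.
    try:
        total = sum(MENU_CENTS[item] for item in req["items"])
    except KeyError:
        return {"ordered": False, "reason": "unknown item"}
    # 2. Talk to the processor ourselves; req["payment_status"] is never read.
    result = processor.charge(req.get("card_token", ""), total)
    if result.get("status") != "APPROVED":
        return {"ordered": False, "reason": "processor declined"}
    # 3. Record the order and tell the client what the server did.
    return {"ordered": True, "total_cents": total, "auth_id": result["auth_id"]}
```

A request that has been tampered with to carry `"payment_status": "APPROVED"` gets a free pizza from `vulnerable_order` and a decline from `hardened_order`, because the latter's decision comes from the server's own call to the processor.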
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.