by Cyberdelic
3166 days ago
Not trusting user input is a good start, but the client shouldn't be trusted, either. I have seen plenty of web apps that fell short on this... Whenever I'm on a web app that has a button shown but disabled, you can be pretty sure that I will enable that button and click it... If the client is limiting the maximum length of the contents of a textbox, I'm probably going to change that and see if the server is performing the same validation... My favorite so far, though, was client-side calculation and validation of order amounts for some products. Intercepting the JavaScript file and tweaking it before the browser started using it allowed me to place an order for a bunch of products for only $0.01 (going negative was also attempted, but this particular system did a pre-approval with a payment gateway and it didn't like that... so I settled on a penny). These were all things I've done with permission, of course... but it's amazing what you can do when people assume the browser will always follow the rules...
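The fix for every case in the comment above is the same: the server recomputes and re-validates everything the browser claims. The following is an added example, not code from the thread or from any product it describes; the catalog, limits, field names (`items`, `sku`, `qty`, `note`, `total`) and the sample orders are all constructed for illustration. It shows an order handler that ignores the client-supplied total, prices each line from a server-side catalog, and enforces the quantity and text-length limits the browser was supposed to enforce.

```javascript
// Added example (not from the thread): server-side re-validation of an order so
// that nothing the browser computed or enforced is trusted.
// CATALOG, LIMITS and the sample orders below are constructed for illustration.

const CATALOG = {            // server-side source of truth for unit prices, in cents
  "sku-mug": 1299,
  "sku-shirt": 2499,
};

const LIMITS = { maxQtyPerLine: 100, maxNoteLength: 200 };

// Validate an order as received from the client and return the total the
// *server* computed. Any `total` the client sent is ignored entirely.
// Throws with a reason on a violation; a real handler maps that to an HTTP 4xx.
function validateOrder(order, catalog = CATALOG, limits = LIMITS) {
  if (!order || !Array.isArray(order.items) || order.items.length === 0) {
    throw new Error("order must contain at least one item");
  }
  // A maxlength attribute on the textbox is only a convenience; enforce it here too.
  if (order.note !== undefined) {
    if (typeof order.note !== "string") throw new Error("note must be a string");
    if (order.note.length > limits.maxNoteLength) throw new Error("note too long");
  }
  let total = 0;
  for (const item of order.items) {
    if (!item || typeof item.sku !== "string") throw new Error("malformed line item");
    const price = catalog[item.sku];
    if (price === undefined) throw new Error(`unknown sku ${item.sku}`);
    // Quantities must be positive integers within bounds; this rejects the
    // negative, fractional, NaN and oversized values a tweaked client could send.
    if (!Number.isInteger(item.qty) || item.qty <= 0 || item.qty > limits.maxQtyPerLine) {
      throw new Error(`invalid quantity for ${item.sku}`);
    }
    total += price * item.qty;
  }
  return total; // authoritative amount to charge, in cents
}

// Wrapper returning a result object instead of throwing, convenient for handlers.
function checkOrder(order, catalog = CATALOG, limits = LIMITS) {
  try {
    return { ok: true, totalCents: validateOrder(order, catalog, limits) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample: a client that rewrote its JavaScript and now claims the
// order costs one cent. The server ignores `total` and charges 2 * 1299 = 2598.
const TAMPERED_TOTAL_ORDER = { items: [{ sku: "sku-mug", qty: 2 }], total: 1 };

// Constructed sample: a negative quantity, which a trusting backend would turn
// into a refund; here it is rejected before any payment call is made.
const NEGATIVE_QTY_ORDER = { items: [{ sku: "sku-shirt", qty: -3 }] };

console.log(checkOrder(TAMPERED_TOTAL_ORDER)); // { ok: true, totalCents: 2598 }
console.log(checkOrder(NEGATIVE_QTY_ORDER));   // { ok: false, reason: 'invalid quantity for sku-shirt' }
```

The design point is that the browser is treated purely as a source of untrusted requests: the client may show prices and totals for convenience, but the only numbers that reach the payment gateway are the ones the server derived from its own catalog and limits.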
Turned out the backend happily took that value and it skewed our average a lot and the next week I was laughing my ass off while HR was trying to figure out why everyone was suddenly so unhappy.