Time and again, there are countless number of articles written on not to trust user input and do a server side validation of all input. There are quite a lot of libraries in all imaginable languagues that make server side validation very easy.

But time and again, every other site pops up that have only client side validation. One such site is http://www.cinetickets.in/. The site has a registration page. The first field required is called “user id” and we have to give our phone number. What crap!

On firefox, there is a superb toolbar called the Web Developer toolbar. Once installed, you can play with all components of the page, including cookies, headers, scripts … anything. That “user id” field accepts only numbers. Hence, I disabled all javascripts on the page, entered some text, filled up the rest of the page and clicked on Submit. Guess what? The page registered perfectly. With scripts disabled, I’m able to login also.

I went back to the registration page again (with all javascript disabled ofcourse!) and clicked on Submit without giving any data. The site throws an error message saying that the user is already registered. LMAO.

With such crappy validation schemes, I’m pretty sure that there are no server side validations being done as well. They are just taking data from the client and pushing them into a database (most probably MySql) without sensitive data being encrypted (they accept credit card details etc.). Assuming I’m a hacker, the site can be brought down within a few minutes! Looks like the CineTickets website is programmed by a company called EvinceTech.com. Don’t ever outsource your website development there. It’s very easy to conclude that they are a shit load of programmers.

Anyways, I found an awesome PHP script some days ago that filters out dangerous tags from strings. The script is available here. I encourage everyone to use it, if you can’t/don’t-want-to write one on your own.

3 Responses to “Server Side Validation – Importance”

  1. Aship De Says:

    Another useful script like the PHP class you mention is htmLawed. Besides filtering admin-specified HTML tags, attributes, etc., it can also balance and properly nest HTML tags, transform deprecated tags and attributes, and so on.

  2. Technodude Says:

    htmlspecialchars() would do just fine most days !

  3. Waves » Blog Archive » Dissecting iMobile - Security Analysis of ICICI Mobile Banking App Says:

    […] Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, extract it, decompile […]