Over-reliance on client-side validation – Security Testing Handbook for Banking Applications

2: Basic Tests and Techniques
38
Solution
Do not cache private data at all; add the relevant HTTP header directives to the HTTP response for every page that serves such data. Store as little information on the client side as possible; if you must store something there, obfuscate it so that only the application can read and interpret it, and encrypt it wherever you can. Set strict permissions and access controls on every folder the application reads from or writes to.
Over-reliance on client-side validation
We discussed input validation earlier, including how JavaScript is used to validate inputs in the browser. It becomes a problem when applications start relying on that JavaScript code alone and do not revalidate the input on the server.
Consider an application with a login page whose authentication logic lives in a file called auth.js that runs in the client browser. An attacker could modify that JavaScript so that the user's password is not checked at all when the user attempts to log in to the application. This means that if they know the username of the application administrator, they would be in a position to log in as that user.
While testing applications, we make it a point to go through each and every JavaScript file the application uses to see whether it controls any part of the application logic.