Web Application Security
In most of today’s web application development, security requires considerable effort and rigorous planning. Unfortunately, web application security is quite often underestimated, neglected or, even worse, completely ignored. Security is in itself a complex and vast subject, and for the purpose of this text, I will focus my effort on the aspect of “data validation”.
The problem occurs when a site relies only upon client-side JavaScript to validate data, or when the JavaScript and server-side validation get out of sync. At first, this may not be an issue or a priority for the development team. Like most common web applications, your site probably uses JavaScript to validate form data and consequently finds user/input errors immediately. The user is quickly prompted for a correction and in return you are happy to have avoided useless transactions between the client and server. Brilliant indeed!
But, at best, if a site is relying only upon JavaScript validation, someone who has JavaScript disabled may accidentally introduce erroneous data. Yet the real concern is when someone introduces malicious statements in your data fields. If a form field's value is simply inserted into a database without further verification, someone may be able to modify or delete data by submitting a database command.
The rule of thumb is that all data which arrives from the client-side must be validated and sanitized before being processed by the server. If data is not properly validated, it may lead to:
- Data Corruption
- Database Privilege Escalation
- Database/Server Hijacking
JavaScript can be a server-side security risk because most programmers write client-side data-validation code, but neglect to write that same kind of validation logic on the server side. When you omit such code, you become vulnerable to any hacker with malicious intent. You’ve got to remember that JavaScript is available in plain-text format on each of your web pages and is readily accessible by anyone.
Data can be validated on:
- Client side - optional but recommended for an enhanced user experience
- Server side - mandatory and all efforts should be prioritized here first
But “JavaScript form-validation duplicates coding effort” you may proclaim! And you are quite right too. It’s time consuming to write the JavaScript validation functions and then write the same or similar code for your server-side application. Or even worse, you write both client and server side logic, but in time, your requirements change and you end up with validation code which is out of sync. Priority should always be given to the server-side validation code before any of the client-side JavaScript routines. Oddly enough, real-world experience has shown me that this isn’t the case at all. A well balanced web application will have just the necessary client-side validation code to provide the users with an enhanced experience or some optimizations, and a larger amount of server-side validation code. In time, as your web application matures, you may add additional client-side validation. But initially, what matters is to balance your security efforts and know where to prioritize.
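One way to handle both concerns above, validation code drifting out of sync and form fields reaching the database unchecked, shown as an added example that is not from the original article. The field names, the rule table, the handleSignup function and the `?` placeholder style are assumptions made for illustration.

```javascript
// Added example: one rule table shared by browser and server (field names are hypothetical).
const RULES = {
  username: { required: true, maxLength: 32, pattern: /^[A-Za-z0-9_]{3,32}$/ },
  email: { required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age: { required: false, maxLength: 3, pattern: /^\d{1,3}$/ },
};

// Runs unchanged in the browser (quick feedback) and on the server (authoritative).
function validate(input, rules = RULES) {
  const errors = {};
  const clean = {};
  // Reject fields the form never defined instead of silently passing them on.
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(rules, key)) errors[key] = 'unexpected field';
  }
  for (const [field, rule] of Object.entries(rules)) {
    const raw = input[field];
    if (raw === undefined || raw === '') {
      if (rule.required) errors[field] = 'required';
      continue;
    }
    if (typeof raw !== 'string') { errors[field] = 'must be a string'; continue; }
    if (raw.length > rule.maxLength) { errors[field] = 'too long'; continue; }
    if (!rule.pattern.test(raw)) { errors[field] = 'invalid format'; continue; }
    clean[field] = raw;
  }
  return { ok: Object.keys(errors).length === 0, errors, clean };
}

// Hypothetical server-side handler: it never assumes the browser ran validate().
function handleSignup(body) {
  const result = validate(body);
  if (!result.ok) return { status: 400, errors: result.errors };
  // Values travel separately from the SQL text, so input is never parsed as a command.
  const statement = {
    text: 'INSERT INTO users (username, email, age) VALUES (?, ?, ?)',
    values: [result.clean.username, result.clean.email, result.clean.age ?? null],
  };
  return { status: 200, statement };
}

// Constructed inputs: a normal submission, and one sent with client-side checks bypassed.
const good = handleSignup({ username: 'alice_01', email: 'alice@example.com', age: '34' });
const bad = handleSignup({ username: "bob' OR '1'='1", email: 'a@example.com' });
console.log(good.status, bad.status, bad.errors);
```

Because the browser and the server load the same rule table, a changed requirement is edited in one place, and the server still rejects a request that never passed through the form.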
It is crucial to adopt a security plan during the application development life-cycle, which identifies critical security aspects. Architects, designers and developers today must design security into their applications proactively.

