Sunday, August 28, 2011

Data validation, take it seriously

We just heard that we might be stuck in Washington DC for a few hours due to a defect of our plane's backup generator. We decided to notify our hotel we might be running late.

Surfing to the contact page on their site, we found out that we couldn't enter our European mobile phonenumber in the required (!) telephone number field.

Unable to find the direct email address of the hotel, I opened the developer tools and had a look at the validation script.


Instead of even trying to understand the regular expression, I just redefined the validation function using the console and retried sending the message.


Not so suprisingly, judging by the cheesiness of the hotel's website, our message was sent successfully.

According to the OWASP, the number one security risk for web applications in 2010 is failing to validate untrusted data.

Seriously, take data validation seriously. Don't make a fool out of yourself.

No comments:

Post a Comment