[Javascript] DevToolbar

Brian L. Matthews blmatthews at gmail.com
Wed Feb 15 14:53:58 CST 2006


>This Monday someone on this list alerted me about the Microsoft DevToolbar.
>A great plugin for web developers, similar to Firefox tools etc.
>But also a great "hacker" tool, as I discovered, testing it out on our
>(asp-vb) intranet application.
>I can rewrite inputs so that all validation is "erased", create buttons
>executing JavaScript, etc., causing me to have some questions I want to share
>with you:

None of this is new with the toolbar. As you say, similar tools have 
been available on Firefox for a while. But even without such tools, I 
can run with JavaScript off, or save your web page and modify it, or 
even just telnet to your server and send whatever I want.

>I wonder if these tools mean the end of JavaScript as a browser-side
>validator? What is the point in validating client-side, if you have to
>rewrite the code on the server?

You've always had to validate on the server. Client side validation 
is a convenience for users, so they can be told immediately that 
something's wrong instead of waiting for a round trip to the server. 
If you've been relying on client side validation, you've been 
building very unsafe websites.

>Is the ASP.NET viewstate a defence against this kind of page tampering, or
>does it also simply accept changes? How do other languages protect
>themselves?
>Is there any easy way of protecting the pages against these tools?

You simply have to validate all input. Some frameworks will do some 
of the work for you, but if you're not using them or not using their 
validation, then you need to do it yourself.

Brian
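
Server-side validation of the kind the reply describes, as an added example that is not part of the original post. The field names, the rules and the `handleSubmit` function are hypothetical, and both request bodies are constructed.

```javascript
// Hypothetical form fields and rules; the server applies them to every request.
const RULES = new Map([
  ['username', { pattern: /^[A-Za-z0-9_]{3,20}$/ }],
  ['email',    { pattern: /^[^\s@]{1,64}@[^\s@]{1,189}$/ }],
  ['quantity', { pattern: /^[0-9]{1,3}$/, min: 1, max: 100 }],
]);

// Pure function: a browser may call it for instant feedback, but only the
// server's own call decides whether the data is accepted.
function validate(fields) {
  const errors = new Map();
  const clean = {};
  for (const name of fields.keys()) {
    if (!RULES.has(name)) errors.set(name, 'unexpected field');
  }
  for (const [name, rule] of RULES) {
    const raw = fields.get(name);
    if (raw === undefined || raw === '') { errors.set(name, 'required'); continue; }
    if (!rule.pattern.test(raw)) { errors.set(name, 'invalid format'); continue; }
    if (rule.min === undefined) { clean[name] = raw; continue; }
    const n = Number(raw);
    if (n < rule.min || n > rule.max) { errors.set(name, 'out of range'); continue; }
    clean[name] = n;
  }
  return { ok: errors.size === 0, errors: Object.fromEntries(errors), clean };
}

// Server-side entry point: parses the raw urlencoded body exactly as received,
// whatever the page in the browser did or did not check.
function handleSubmit(rawBody) {
  const fields = new Map();
  for (const [key, value] of new URLSearchParams(rawBody)) {
    if (fields.has(key)) return { status: 400, errors: { [key]: 'duplicate field' } };
    fields.set(key, value);
  }
  const result = validate(fields);
  return result.ok
    ? { status: 200, data: result.clean }
    : { status: 400, errors: result.errors };
}

// Constructed bodies: one from the unmodified form, one sent after the
// client-side checks were removed and an extra field was added.
const honest = handleSubmit('username=alice_01&email=alice%40example.com&quantity=3');
const tampered = handleSubmit('username=a&email=nope&quantity=-5&is_admin=1');
console.log(honest, tampered);
```
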


