Don’t put JavaScript validation, I’ll Firebug!

Recently, I was with my friend to book a cab. The cab service provided an online booking facility that lets you enter some details (phone number, address, destination, pickup time and so on). We went ahead and tried to book the cab, but the site refused the request. It turned out they had a validation in place to ensure that a user cannot book a cab less than 4 hours prior to departure.

Unfortunately, we wanted to book the cab on 3 hours’ notice, and booking it was mandatory for us. We couldn’t resist looking at the options at hand. We pulled up the website in Firefox and opened Firebug to see where the validation was executed. To our surprise, the validation was done entirely in the browser, using a very simple piece of JavaScript. We thought: let’s see if we can get past the 4-hour check by bypassing the validation, or maybe by mocking the action. The validation code was very simple; we just put a breakpoint in the function and then set the variable’s value via Firebug to an acceptable level. Bang! The code ran successfully and the cab service accepted the request.

We made a successful cab reservation and my friend could take a peaceful ride back home! Moral of the story: please put all the business-critical validations on the server side instead of in browser-based JavaScript. If you really want to do some browser-based validation as well, it is a good idea to obfuscate the code.
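To show what the moral looks like in practice, here is an added example (not code from the original post or from the cab company) of the 4-hour minimum-notice rule enforced on the server, where a breakpoint or a patched variable in the browser cannot change the outcome. The form field names (`phone`, `pickupAddress`, `destination`, `pickupTime`) and the Express-style `req`/`res` handler shape are assumptions; the sample requests at the bottom are constructed.

```javascript
// Added example: server-side enforcement of the "at least 4 hours' notice" rule.
// Field names are assumed; the server decides using its OWN clock, never a
// timestamp or "isValid" flag sent by the browser.
const MIN_NOTICE_MS = 4 * 60 * 60 * 1000; // 4 hours

// `now` is injectable so the rule can be unit-tested against a fixed clock.
function validateBooking(payload, now = Date.now()) {
  const errors = [];
  if (typeof payload !== 'object' || payload === null) {
    return { ok: false, errors: ['payload must be a JSON object'] };
  }
  // Every field is re-checked here, regardless of what client-side JS did.
  for (const field of ['phone', 'pickupAddress', 'destination', 'pickupTime']) {
    if (typeof payload[field] !== 'string' || payload[field].trim() === '') {
      errors.push(`${field} is required`);
    }
  }
  if (errors.length) return { ok: false, errors };

  const pickup = Date.parse(payload.pickupTime); // NaN on garbage input
  if (Number.isNaN(pickup)) {
    errors.push('pickupTime is not a valid ISO-8601 timestamp');
  } else if (pickup - now < MIN_NOTICE_MS) {
    errors.push('pickupTime must be at least 4 hours from now');
  }
  return { ok: errors.length === 0, errors };
}

// Minimal Express-style handler (assumed shape): the accept/reject decision
// depends only on validateBooking, so a client that skipped, patched or
// disabled its JavaScript check is still rejected with HTTP 400.
function bookingHandler(req, res) {
  const result = validateBooking(req.body);
  if (!result.ok) {
    res.status(400).json({ error: 'rejected', details: result.errors });
    return;
  }
  res.status(201).json({ status: 'booked' });
}

// Constructed sample submissions: one legitimate, one 3 hours ahead.
const fixedNow = Date.parse('2024-01-01T12:00:00Z');
const base = { phone: '555-0100', pickupAddress: '1 Main St', destination: 'Airport' };
console.log(validateBooking({ ...base, pickupTime: '2024-01-01T17:00:00Z' }, fixedNow));
console.log(validateBooking({ ...base, pickupTime: '2024-01-01T15:00:00Z' }, fixedNow));
```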

  • Adriano Almeida

    And they didn’t at least have server-side validation? OMG!

  • http://ketan.padegaonkar.name Ketan Padegaonkar

    Obfuscation of javascript?

    Real men make get/post requests, javascript hacks are for pu$$!3s ;)

  • http://www.thoguhtworker.in Sachin

    Real men get (or post) things done… building broken linux kernels is for suicide bombers ;)

  • http://siddharthdawara.blogspot.com Sid

    duuuuuuuuuuuuuuude sweet stuff!

  • Mike

    Of course your assumption here is that ordering a cab for pickup in less than 4 hours over the web is a “Business critical function”.

    Assuming that the cab company can make more money for ordering cabs less than 4 hours in advance via some other sales channel, then there is always a tradeoff to be made.

    In this case, if the javascript merely reduces the occurrences then it has done its job. After all, not everyone is as knowledgeable in javascript as you might be, so the small losses from people figuring out this loophole might not necessarily justify the expense of adding code somewhere else.

    Rather than just repeating classic security design patterns, try to grasp a security mindset http://www.schneier.com/blog/archives/2008/03/the_security_mi.html and then you will see that not everything is a security failure, just a tradeoff.

  • http://www.thoguhtworker.in Sachin

    Validations and security are different! It’s plainly different, so I don’t even want to touch upon that point.

    If somebody can’t do well in Javascript I’m fine with it. I believe the point I want to highlight is not the skills in Javascript, or to prove that I have better skills. No! That’s not what I want to highlight here either. I guess you just got an impulse to write a response to the post, and this is how you got everything wrong.

    All I want to say is, any validation which is critical or important should be validated at the server side and a response should be given. Putting in client-side scripts just to avoid some effort on the server side might land you in such spots. I know not every average user is going to hack and override the business validations, but it’s always good to insist on a better design, isn’t it?

  • the Asocial Ape

    thanks for the entertaining story, and the example elucidating this useful maxim.

  • http://pkailasa.multiply.com prakash

    > Moral of the story: Please put all the business critical validations on the server side instead of browser based JavaScript.

    Replace “instead of” with “in addition to” in the above sentence. Javascript/client-side validation can never be a substitute for server-side validation, but it can complement it. Done right, it can be very useful in reducing unnecessary requests to the server and also in providing a quicker response to your users.

    Love the title of this post!

  • kL

    Obfuscate? Pointless.

    I’ll just disable JS just before sending the form (F12 in Opera).

  • Me

    I think that validating using javascript in this case wasn’t such a bad idea. By putting some non-critical validation on the client you gain in usability and it saves server resources too. Booking a cab within 4 hours before departure isn’t such a big security issue to me.