From: Valdis.Kletnieks () vt edu
Date: Thu, 06 May 2010 08:56:23 -0400
On Thu, 06 May 2010 01:03:09 PDT, Ed Carp said:
> Just for clarification, the business wants to put client-side
> out how to protect the back-end web services...sigh...
Get a copy of Firefox. Install the Tamper Data extension:
figuring out what you're sending to the web site.
other (potentially tampered) requests.
These are basically special cases of a more general principle: You can't
depend on enforcing security using code that's running under the control
of the attacker. Unfortunately, a lot of people in this industry don't
Your best strategy for securing the back end is to simply forget about the
send you maliciously crafted requests (XSS, SQL injection, forged session
cookies, or whatever). In general - if it makes you say "Oh, receiving *that*
would suck", it will be sent. And the more suckage it would cause, the
more you should expect the tampered request.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
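The principle above (client-side code runs under the attacker's control, so the back end must re-validate everything and expect the tampered request) in working form, as an added example that is not part of the original thread or the original poster's code. It is a hypothetical order-processing handler: the session cookie is checked with a server-only HMAC key, item lookup uses a parameterised query, every field is type- and range-checked, and the price is recomputed from the server's own data rather than taken from the request. The secret key, catalogue, and request bodies are constructed for illustration.

```python
"""Back-end handler that trusts nothing the client sends (illustrative only)."""
import hashlib
import hmac
import json
import sqlite3

# Hypothetical server-only secret; in practice loaded from configuration,
# never shipped to the browser.
SECRET_KEY = b"server-only-secret-for-illustration"

# Constructed in-memory catalogue: the server's source of truth for prices.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE catalogue(name TEXT PRIMARY KEY, price_cents INTEGER)")
DB.executemany("INSERT INTO catalogue VALUES (?, ?)",
               [("widget", 1999), ("gadget", 4999)])


def sign_session(user_id: str) -> str:
    """Issue a cookie of the form <user_id>.<hex HMAC-SHA256 over user_id>."""
    mac = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session(cookie: str):
    """Return the user id if the cookie's MAC verifies, else None.

    Editing the user id or the MAC with a proxy yields None: the attacker
    cannot compute a valid MAC without SECRET_KEY.
    """
    user_id, sep, mac = cookie.rpartition(".")
    if not sep or not user_id:
        return None
    expected = hmac.new(SECRET_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return user_id


def price_of(item: str):
    """Parameterised lookup; an injected string is just an unknown item name."""
    row = DB.execute("SELECT price_cents FROM catalogue WHERE name = ?",
                     (item,)).fetchone()
    return row[0] if row else None


def handle_order(cookie: str, body: str):
    """Process one order request. Returns (http_status, detail).

    Any client-side JavaScript validation is irrelevant here: the same checks
    are repeated on the server because the request may never have passed
    through that JavaScript at all.
    """
    user = verify_session(cookie)
    if user is None:
        return 401, "bad session"
    try:
        req = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(req, dict):
        return 400, "malformed JSON"

    item = req.get("item")
    qty = req.get("qty")
    # Type checks first: JSON can deliver strings, lists, null or true where an
    # integer is expected (bool is a subclass of int in Python, so exclude it).
    if not isinstance(item, str):
        return 400, "unknown item"
    price = price_of(item)
    if price is None:
        return 400, "unknown item"
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
        return 400, "bad quantity"

    # Never take the price from the request, even if the client "sent" one.
    total = price * qty
    return 200, {"user": user, "item": item, "qty": qty, "total_cents": total}


if __name__ == "__main__":
    cookie = sign_session("alice")
    print(handle_order(cookie, '{"item": "widget", "qty": 2}'))
    print(handle_order(cookie, '{"item": "widget", "qty": 2, "price": 1}'))
    print(handle_order(cookie, '{"item": "widget", "qty": -5}'))
    print(handle_order("admin." + cookie.split(".")[1], '{"item": "widget", "qty": 1}'))
```

Each rejected case in the `__main__` block corresponds to something Tamper Data lets a user send directly: a rewritten price field (ignored), a negative quantity (rejected), and a cookie whose user id was edited from alice to admin (rejected because the MAC no longer verifies).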