I have a website where I have implemented Google reCAPTCHA; however, it does not have server-side validation. I want to know if Google mandates server-side validation. I have searched through the web but did not find anything on this.
Any supporting document/link on this is appreciated.
Google does not force you to perform the server-side validation, but this is a necessary step if you want to ensure you are protected.
If you implement a client-side-only validation, it means there is still a request to your backend which does not enforce the captcha validation, and it can potentially be exploited.
Here is an example where, at the server side, the validation is executed before the action (post comment, save user details, etc.) is performed.
In Scala's Liftweb there are some classes which allow JavaScript to be pushed to the browser via comet/AJAX after the page has loaded. Some documentation here.
The usage could be, for example, when someone submits a form to the server: the form would submit via AJAX and then some JavaScript can be sent from the server to the client to show an error message. Well, this is just an example; there are better ways to do form validation.
Is there any way to push JavaScript from the NodeJS server to the client to do updates? Any standard way to do this? The reason I want to do this is that it's nicer to have all client and server code located in one server file.
Also as a secondary question, can I access the page data from the server side? It would be nice to be able to query a page element from the server side or query some page data from the server side.
You can build this functionality into socket.io, either by predefining functions based on dynamic objects that are sent bidirectionally, or by building a system which will parse and run JavaScript from both sides. Depending on what you are trying to do, it might take a while to get that working for you securely (not just throwing everything in eval()).
http://socket.io/
Alternatively, there is a library built on Node.js that has this functionality built in. I have not personally used it, so I can't attest to the reliability or security of the system, but it should be a good place to start.
http://www.nowjs.com/
https://github.com/Flotype/now
Hope this helps!
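An added example, not from the answer or from socket.io/now.js, of the "predefined functions based on dynamic objects" approach the answer prefers over eval(): the server sends a command name plus arguments, never code, and the client executes only handlers on an allowlist. The socket.io transport is assumed and stood in for by a direct function call; the form fields and rules are constructed.

```javascript
// Added example, not from the answer or from socket.io/now.js, of the "predefined
// functions based on dynamic objects" approach: the server sends a command name plus
// arguments, never code, and the client runs only allowlisted handlers. The socket.io
// transport (socket.emit/socket.on) is assumed and replaced here by a plain function call.

// Client side: the complete set of things the server is allowed to make happen.
const clientHandlers = {
  showError(field, message) {
    return { kind: "error", field, message }; // a real page would update the DOM here
  },
  setValue(field, value) {
    return { kind: "set", field, value };
  },
};

// Applies one command object received from the server. Anything not on the allowlist,
// including inherited names like "constructor" or a raw JavaScript string, is refused
// rather than evaluated.
function runCommand(handlers, cmd) {
  if (!cmd || typeof cmd.fn !== "string" || !Array.isArray(cmd.args)) {
    return { kind: "rejected", reason: "malformed command" };
  }
  if (!Object.prototype.hasOwnProperty.call(handlers, cmd.fn)) {
    return { kind: "rejected", reason: "unknown command: " + cmd.fn };
  }
  return handlers[cmd.fn](...cmd.args);
}

// Server side: checks the submitted form and answers with commands describing what the
// page should show. Field names and rules are constructed for the example.
function serverValidateForm(form) {
  const commands = [];
  const name = String(form.username || "");
  if (name.length < 3 || name.length > 32) {
    commands.push({ fn: "showError", args: ["username", "3 to 32 characters"] });
  } else {
    commands.push({ fn: "setValue", args: ["username", name.trim()] });
  }
  if (form.terms !== true) {
    commands.push({ fn: "showError", args: ["terms", "You must accept the terms"] });
  }
  return commands;
}

// Simulated round trip: submit, receive the server's commands, apply each on the client.
function submitAndApply(form) {
  return serverValidateForm(form).map((cmd) => runCommand(clientHandlers, cmd));
}
```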
I don't quite understand why client-side validation is a potential security risk, or more of a security risk than server-side validation. Can someone give me some scenarios?
Ideally you'd do both client- and server-side and never one or the other. If we take a look at these 3 scenarios, both is the only secure, user-friendly way to do it:
Client Side Only: As mentioned, it doesn't take much to get around these validations if somebody wants to send malformed data to your server (such as SQL injection). NoScript won't run the JavaScript validation code, and some browsers allow the user to actively change all loaded JavaScript and HTML, so a user could unhook the validation JavaScript from the controls.
Server Side Only: This one is more secure than client-only by a long shot, but cuts back on user friendliness. They have to send their form to the server, have it validated and receive the error page back saying a particular field was invalid. What's annoying is that if any of those fields were password fields, their values are not repopulated by default. For example, let's say the user didn't input a phone number correctly in an account creation form. When the server spits back the page about how the phone number is wrong, the user will see that, correct the phone number and hit submit again, just to receive another error page about not having entered a password (and entering it again in its second textbox) even though that wasn't the initial problem.
Client and Server Side: You get the security of the server side validation, something the user will be hard-pressed to interfere with, and the user friendliness of input validation without having to submit the page (whether you validate through purely local javascript or AJAX).
If you absolutely had to pick one, server side would be the way to go. But you shouldn't ever have to pick one or the other.
Using various tools, such as Fiddler, NoScript, Web Developer, etc., I could disable the client-side JavaScript validation and modify the data being sent to your server. Depending on the type of data and what the server does with it, one could initiate a SQL injection attack, attempt to compromise the server security, or simply store bogus data.
A lightweight example: Say you have client-side validation to ensure that a zip code is 5 digits or 5+4 digits. If I disable the client-side script, I could leave my 24-digit value in place. If your server doesn't further check the value, and the database is capable of storing all 24 digits, then I have saved the bogus data.
If you do validation only on the client side, someone may disable JavaScript (or change the JS code, with Firebug, for example). So all validations made in JS would be useless and the user can insert invalid data into your system.
I assume you're talking about a web scenario?
If you're doing client-side validation with JavaScript, what happens if the user has JavaScript disabled? Then they can submit data to the server that has not been validated.
If they were sneaky, they could even post data directly to your server (bypassing your page completely).
If you do server side validation, in addition to or instead of client side validation, then you have an additional opportunity to defend against these scenarios.
Actually, there is a huge security advantage to client-side validation (in combination with server-side validation). If you validate carefully on the client, then ALL the traffic coming into the server should be clean. Except for the attackers. That makes it possible to do much better server-side attack detection. In the big scheme of things, that's probably the most important thing that you could possibly do to protect your applications. See the OWASP ESAPI IntrusionDetector or the OWASP AppSensor for more on this.
Oh, and obviously if the attack starts and finishes in the client, like DOM-based XSS, then you're going to have to validate and encode on the client-side.
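An added example, not from any of the answers above, that ties the answers together: one set of validation rules run on both sides, a browser path that only stops honest users, a server path that re-checks everything, and the intrusion signal the last answer describes (data that fails a check the client would have enforced can only have come from a client that skipped it). The field names, rules, addresses and request objects are constructed for illustration.

```javascript
// Added example, not from any of the answers above: one validation rule module shared by
// both sides, plus the server-side intrusion signal the last answer describes. Field
// names, rules, IP addresses and request objects are constructed for illustration.

const rules = {
  zip:   (v) => /^\d{5}(-\d{4})?$/.test(v),   // 5 or 5+4 digits, as in the ZIP example
  phone: (v) => /^\d{10}$/.test(v),
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
};

// Validate a form against the rules; returns the names of the fields that fail.
function validate(form) {
  return Object.keys(rules).filter((f) => !rules[f](String(form[f] || "")));
}

// Browser side: blocks submission for well-behaved users only. It can be switched off
// (NoScript), edited (Firebug) or skipped entirely by posting to the server directly.
function clientSubmit(form) {
  const bad = validate(form);
  return bad.length ? { sent: false, errors: bad } : { sent: true, request: { body: form } };
}

// Server side: runs the same rules again and decides what a failure means. Because the
// client check would have caught it, bad input here points at a client that bypassed the
// check, so it is logged as a possible attack (the AppSensor idea) and nothing is stored.
function serverHandle(request, log) {
  const bad = validate(request.body);
  if (bad.length) {
    log.push({ event: "validation-bypass", ip: request.ip, fields: bad });
    return { status: 400, errors: bad };
  }
  return { status: 200, stored: request.body };
}

// Drives both paths: a browser submission that passes the client check reaches the server
// clean, while a direct POST carrying the 24-digit ZIP is rejected and flagged.
function demo() {
  const log = [];
  const good = { zip: "12345-6789", phone: "5551234567", email: "a@b.co" };
  const viaBrowser = clientSubmit(good);
  const r1 = serverHandle({ ip: "198.51.100.7", body: viaBrowser.request.body }, log);
  const direct = { ...good, zip: "123456789012345678901234" }; // client check skipped
  const r2 = serverHandle({ ip: "203.0.113.9", body: direct }, log);
  return { r1, r2, log };
}
```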
In most web projects, we do both client-side and server-side form validation.
A major part of form validation is the error prompt; the client-side and server-side form validation libraries have probably implemented this for us, but the error prompts look different.
How can I design a consistent error prompt for such a system?
Thanks in advance.
The server-side validation should not be concerning itself with presenting errors to the user. It should simply return messages with details relevant to the hurled exception. The client-side exception handler should intercept these messages, interpret them if necessary and display the message to the user.
Well, that's the general principle. If you want specific advice you will need to edit your question to more details regarding your architecture.
I saw a program (RAPGET) which downloads a file from RapidShare for the given link.
I'd like to design a program like this which gets weather-forecast information from a web page and displays it in a textbox in VB6.
You can call a web service from VB6. Here's "the easy way" to do it.
Or you can check out the replies to this previous SO question.
You can use the WinHTTP component that ships with Windows XP and above. It ships as a package called BITS [Background Intelligent Transfer Service]. Using this you can make calls to HTTP and FTP servers. So this will enable your VB6 application to act as an HTTP client which will receive the data from the weather server.
The second thing is the server. You must know in which format you are getting the data from the server. Is it plain text, SOAP or XML? Once you identify the format of the data transport, you can receive the data from the server using WinHTTP, parse it in your application and fetch the desired data.
Thanks.