quick validation method - validation

I have a form with 20 fields. I have 2 options: one is to validate on the client side, and the other is to do a validation on the server side using Ajax on click of the submit button and show the result.
Which one to choose? Which is faster, server side or client side?
I am developing an application; it's not a website.

I would do both.
Client side should be easy with the jQuery validation plugin if the form is nothing out of the ordinary.
Server side, if you use any framework at work, it could be quick. If not, it's just a lot of typing.

Always do server-side, regardless of speed. Client side is optional and will be faster, but can be disabled by disabling JavaScript, and you do not want to implicitly trust user input.

Related

Risk of Manipulation of Ajax Code by Client

As I found, it is possible to manipulate and change Ajax code in the browser console by the client. For example, Ajax wants to call a method and pass an id to the controller. As I mentioned above, how can we secure our code from interference by the client?
Thank you all
Security must always be implemented on the server side, because anything you do on the client side can be ignored, overstepped, modified, etc. very easily. In fact, anyone can use software like Postman to make a completely custom HTML request to any server.
Don't ever rely on any client-side software in terms of security for your server. If you want to keep your server safe, then make a safe server.

Where do AJAX requests in an MVC application enter the server side code initially?

To keep it simple I have a feedback form on my website. Whether or not the following is best practice is moot as I'm interested in the way this works. The customer can fill out their name, email address and reason for feedback on the form. This is then posted via AJAX to a server side function called SendFeedback. I am using .NET MVC4 and the SendFeedback method simply returns a true or false string. However I was testing out sending scripts through it to check out the security of the form and noticed that when I attempted to send through HTML tags or JavaScript that the SendFeedback method wasn't being invoked at all and instead my custom error page was being sent back to the client side AJAX response (if I sent through standard text, the SendFeedback method was being invoked as expected). Where is the first place that AJAX data is sent before it is passed into the server side method I am calling from the client? Is there any way to set a breakpoint here so I can examine what is going on?
This is part of an ASP.NET feature called request validation, which is turned on by default and which executes in the ASP.NET handler before your code. If you desire, this feature can be turned off in web.config, but I would strongly advise against it.
More information on request validation can be found in MSDN.

Security concerns for Ajax using chrome inspect

I am making one website in which the form is submitted using jQuery ajax. I have taken care of most of the security measures like HTTPS, session cookie, encryption etc.
Hence I have minimised the possibility of an outside person sniffing or modifying my data transfer.
But there can be a valid registered user who wants to play havoc by using Chrome inspect element. He can, for example, create a for loop in which he calls my jQuery ajax post call.
Can this be possible? How can I avoid this? I am unable to find a better alternative & resort once again to basic form post instead of ajax.
Thanks.
Anything you present client side can be messed with. A user will always be able to modify your front end code, and do what they want with it. This is why you need server side validation.
If you are worried about a repeating post call, it sounds like you are worried about a DOS attack I guess?
Your server configuration should be set up to detect frequent requests from the same user and deny service to it.
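
Added example, not part of the answer above: one way a server can detect frequent requests from the same user and refuse them, as a per-user sliding-window limiter. The class name, limits and user ids are hypothetical; in a real application the key would be the authenticated session's user id, never a value the client supplies.

```javascript
// Added example: per-user sliding-window limiter. All names are hypothetical.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;        // max requests allowed per window
    this.windowMs = windowMs;  // window length in milliseconds
    this.hits = new Map();     // userId -> timestamps of accepted requests
  }

  // `now` is injectable so the behaviour can be tested without real waiting.
  check(userId, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(userId) || []).filter((t) => t > cutoff);
    this.hits.set(userId, recent);
    if (recent.length >= this.limit) {
      // The oldest accepted request leaves the window at recent[0] + windowMs.
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Drop users with no requests left in the window so the map cannot grow forever.
  sweep(now = Date.now()) {
    for (const [userId, stamps] of this.hits) {
      if (stamps.every((t) => t <= now - this.windowMs)) this.hits.delete(userId);
    }
  }
}

// Constructed scenario: one logged-in user fires 8 posts 100 ms apart from a
// console loop, while a second user sends a single normal request.
function simulateBurst() {
  const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 10000 });
  const burst = [];
  for (let i = 0; i < 8; i++) burst.push(limiter.check("user-42", 1000 + i * 100));
  const otherUser = limiter.check("user-7", 1500);
  const afterWindow = limiter.check("user-42", 11001);
  return { burst, otherUser, afterWindow };
}
```

A denied request would normally be answered with HTTP 429 and a Retry-After header derived from `retryAfterMs`.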

Which side should I validate the form data, client side or server side?

At first, I intended to get the validation done on the client side by JavaScript or jQuery, something like that, but then I realized that some malicious users may skip my JSP page, sending data which has not been validated to my servlet. My server end is structured using Spring+SpringMVC+mybatis. Is there any way that I can keep the validation on the client side, as well as keep my server safe (does Spring Security help?)? Thanks a lot!
You should always validate on the server side.
Validation on the client side is only for convenience of your (honest) users and adds nothing to the security of your system.
The server-side validation must always be done and nothing will make your server automatically safe (safe from what? you have to decide what input is safe for your application, your database, your users, how it will be used etc.).
The only easy way to reuse your client-side validation code on the server side is to use Node.js or other server-side JavaScript like Rhino.
Unfortunately not, you need to validate server side to keep it safe.
Anything you do client side can be undone by a malicious user. Generally, client side validation is used for quicker feedback to the user and to prevent your server getting too many hits. So it is still very beneficial, but you will need both.
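
Added example, not part of the answers above: the Node.js approach mentioned there, with one validation function that the browser can load for quick feedback and that the server runs again on every request, including requests that never passed through the page. The field names, rules and `handleSubmit` are hypothetical.

```javascript
// Added example. Field names and rules are hypothetical.
// validateFeedback() touches neither the DOM nor Node APIs, so the same file
// can be shipped to the browser and required by the server.
const RULES = {
  name:   { maxLen: 80,   pattern: /^[\p{L}\p{M}' .-]+$/u },
  email:  { maxLen: 254,  pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  reason: { maxLen: 2000 },
};

function validateFeedback(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return { ok: false, errors: { _form: "expected an object" }, value: null };
  }
  const errors = {};
  // Reject fields the form never had (e.g. an injected "isAdmin").
  for (const key of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) errors[key] = "unexpected field";
  }
  const value = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const raw = input[field];
    if (typeof raw !== "string" || raw.trim() === "") { errors[field] = "required"; continue; }
    const v = raw.trim();
    if (v.length > rule.maxLen) errors[field] = "too long";
    else if (rule.pattern && !rule.pattern.test(v)) errors[field] = "invalid format";
    else value[field] = v;
  }
  const ok = Object.keys(errors).length === 0;
  return { ok, errors, value: ok ? value : null };
}

// Server side: runs on the raw request body no matter what the client checked.
function handleSubmit(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: { errors: { _form: "malformed JSON" } } };
  }
  const result = validateFeedback(parsed);
  return result.ok
    ? { status: 200, body: { saved: result.value } }
    : { status: 422, body: { errors: result.errors } };
}
```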

What validation should I use

I am working on a J2EE web application.
Here we are using JSP and Struts.
I know one can use:
Client side validation (Using JavaScript)
Server side validation (Using Validation framework)
My question is: which way is more proper and should be used in an application, and why?
You have to use both.
Server side validation is required so that nobody can use malformed queries and gain access to your data. You must do server side validation because anybody can submit malformed queries to your page directly (rather than going through your client side scripts).
Client side validation is only to help innocent users submit correct data in case they were making a mistake which would have cost an entire trip to the server and a page reload to be detected and displayed otherwise.
