App Architecture with Security in mind - Video, Part II
In my previous post [part I] I showed why it is important to do server-side input validation and how easy it is to bypass any client-side input validation in web service invocation scenarios. Actually, anything that runs over HTTP is easy to intercept and change on the client - classic Web UI, Web Service, and AJAX - with an HTTP debugging proxy such as Fiddler. I show this demo to folks and sometimes I hear "Hey, it is not relevant to us - we are using Remoting over a TCP channel, we are safe - it is binary encoded". Binary encoding is not encryption: the message is built inside the client process, so whoever controls the client can read and change it before it ever reaches the wire. I must agree that I had a hard time finding a tool that intercepts remoting traffic - I did not find one, so I decided to write one as a proof of concept. Luckily, Remoting offers rich interception functionality - called sinks. I utilized this and created such an interceptor. So watch the video. Double-click it to see it in full-screen mode.
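To make the sink idea concrete, here is an added example (my own illustration, not the interceptor shown in the video): a client-side Remoting sink registered ahead of the binary formatter that logs every remote call and rewrites its arguments before they are serialized. It targets the .NET Framework (System.Runtime.Remoting); the class names, the namespace and the replacement value are assumptions made for this illustration.

```csharp
// Added example, not the interceptor from the post. Names, namespace and the
// replacement value are assumptions for illustration.
using System;
using System.Collections;
using System.IO;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Messaging;

namespace RemotingDemo
{
    // Builds the sink chain; Remoting calls CreateSink once per remote object URL.
    public class TamperingSinkProvider : IClientChannelSinkProvider
    {
        public TamperingSinkProvider() { }

        // This constructor signature is required when the provider is loaded from .config.
        public TamperingSinkProvider(IDictionary properties, ICollection providerData) { }

        public IClientChannelSinkProvider Next { get; set; }

        public IClientChannelSink CreateSink(IChannelSender channel, string url, object remoteChannelData)
        {
            // Next is the binary formatter provider; its sink also implements IMessageSink.
            IClientChannelSink formatterSink = Next.CreateSink(channel, url, remoteChannelData);
            return new TamperingSink(formatterSink);
        }
    }

    // Sits between the transparent proxy and the formatter, so it sees the
    // IMethodCallMessage as plain objects, before any binary encoding happens.
    public class TamperingSink : IMessageSink, IClientChannelSink
    {
        // A value a client-side validator would normally have rejected (assumed for the demo).
        const string Payload = "<injected on the client, never validated>";

        private readonly IClientChannelSink _nextChannelSink;
        private readonly IMessageSink _nextMessageSink;

        public TamperingSink(IClientChannelSink next)
        {
            _nextChannelSink = next;
            _nextMessageSink = (IMessageSink)next;
        }

        public IMessage SyncProcessMessage(IMessage msg)
        {
            return _nextMessageSink.SyncProcessMessage(Rewrite(msg));
        }

        public IMessageCtrl AsyncProcessMessage(IMessage msg, IMessageSink replySink)
        {
            return _nextMessageSink.AsyncProcessMessage(Rewrite(msg), replySink);
        }

        public IMessageSink NextSink { get { return _nextMessageSink; } }

        // Logs the outgoing call and replaces its first string argument.
        public static IMessage Rewrite(IMessage msg)
        {
            IMethodCallMessage call = msg as IMethodCallMessage;
            if (call == null) return msg;

            Console.WriteLine("-> {0}.{1}({2})", call.TypeName, call.MethodName,
                              string.Join(", ", call.Args));

            // The wrapper exposes a settable Args array; the formatter then
            // serializes the rewritten message, not what the UI validated.
            MethodCallMessageWrapper wrapped = new MethodCallMessageWrapper(call);
            object[] args = wrapped.Args;
            for (int i = 0; i < args.Length; i++)
            {
                if (args[i] is string) { args[i] = Payload; break; }
            }
            wrapped.Args = args;
            return wrapped;
        }

        // IClientChannelSink members are only forwarded: this sink runs before
        // the formatter, so it never handles the serialized stream itself.
        public IClientChannelSink NextChannelSink { get { return _nextChannelSink; } }
        public IDictionary Properties { get { return null; } }

        public Stream GetRequestStream(IMessage msg, ITransportHeaders headers)
        {
            return _nextChannelSink.GetRequestStream(msg, headers);
        }

        public void ProcessMessage(IMessage msg, ITransportHeaders requestHeaders, Stream requestStream,
                                   out ITransportHeaders responseHeaders, out Stream responseStream)
        {
            _nextChannelSink.ProcessMessage(msg, requestHeaders, requestStream,
                                            out responseHeaders, out responseStream);
        }

        public void AsyncProcessRequest(IClientChannelSinkStack sinkStack, IMessage msg,
                                        ITransportHeaders headers, Stream stream)
        {
            _nextChannelSink.AsyncProcessRequest(sinkStack, msg, headers, stream);
        }

        public void AsyncProcessResponse(IClientResponseChannelSinkStack sinkStack, object state,
                                         ITransportHeaders headers, Stream stream)
        {
            _nextChannelSink.AsyncProcessResponse(sinkStack, state, headers, stream);
        }
    }
}
```

To activate it, list the provider in the client's .config ahead of the formatter, inside the tcp channel's clientProviders element: first a provider element with type "RemotingDemo.TamperingSinkProvider, RemotingDemo", then the formatter element with ref "binary". Because the provider is placed before the formatter, the sink must implement IMessageSink as well as IClientChannelSink, and the two-argument constructor is what the configuration loader looks for. A sink placed after the formatter would instead see the already-serialized request stream, which is just as easy to dump or replace; either way the server receives a perfectly well-formed binary message and cannot tell that the client's validation was skipped.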
Sorry for the bad quality - I needed to cut the movie and reduce the quality to make the file smaller.
Make sure you do input validation on the server next time - not only on the client. Unless you do not care about security...
The next demo to come is for WCF... it will take some time, but it will come.