1

I use a hidden variable (input type=hidden) to store ID information on a page. To prevent attackers, I decided to encrypt the data stored using System.Security.Cryptography.

The hidden variable is accessed in JS and executes validation logic. I will need to decrypt the data before executing the validation logic. Is there a way to decrypt data in JS that was encrypted using System.Security.Cryptography

Improve this question
1
  • 3
    If you can decrypt it using JavaScript on the client side, so can any attacker. This approach is flawed for that reason. The Validation logic also needs to be done server side. You should never trust client side validation for anything that could potentially hurt your site. Commented Dec 31, 2009 at 14:34

1 Answer 1

Reset to default
8

If you can decrypt it using JavaScript on the client side, so can any attacker. This approach is flawed for that reason. The Validation logic also needs to be done server side. You should never trust client side validation for anything that could potentially hurt your site.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Agreed. Any validation logic should happen on the server side. You can't trust ANYTHING that happens on the client side.
I do JS validation for convenience (no round trip) and validate on server side as I don't trust the client side script. With this approach, I have to eliminate client side validation?
@TechPriester quite correct. I use Java Script for client side validation of formatting and whatnot, but I double check that against server side validation. The only reason I even have it on the client side is to have immediate feedback for the user regarding formatting (Things like letters in a credit card number box, etc).
I wish I could upvote this answer a thousand times. Do not -ever- use javascript to store sensitive information.
If I store data in the hidden input variable, I am able to access it on the client side. If I do not do this, what is the best approach for accessing this data from a JS function?
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.