Reputation: 79
Consider a hypothetical bank application, where we have accounts and some group of admins. Each admin has modification rights on some of the accounts. To save modifications done to an account, the application sends the account id on the edit page. An admin can change the post request by using tools like Fiddler. If he/she changes the account id to some account id on which he/she is not authorized, then what is the best way to detect it?
What strategy should I use to re-validate every piece of data for authorization on post-back? My concern is more towards design, not code.
In other words, how do real-world applications make sure that even if a user is changing the postback request with any tool, the application is able to detect it?
Upvotes: 1
Views: 328
Reputation: 2232
Should I re-validate every piece of data for authorization on post-back?
Yes, that is correct. You should start with an 'All input is evil' philosophy and then prove that statement incorrect by validating each data point. If your entire data doesn't pass your validation, then your input is indeed evil.
Smart web applications employ both client-side and server-side validation: client-side validation to quickly alert the user on what's wrong/missing without making a server round trip, and server-side validation to make sure that wrong data doesn't fall through the cracks even if someone 'fiddles' with the client-side validation code (and overrides it).
Unfortunately, encrypting the data on the client side won't work, as then you have the keys on the client side (in JS code) as well. That won't prevent a malicious user from encrypting a malicious payload. Also, obfuscations like hidden fields etc. are inefficient against a malicious attacker. FYI, you don't even require Fiddler to change fields/post params etc. - all you require is a Firebug extension.
The mantra is "Validate everything on the server side". Period.
Upvotes: 1
Reputation: 921
For critical applications like banking, I would suggest the following security steps:
1) Send an encrypted account ID.
2) Keep that account id in a hidden field, and when the user posts data, take the account id from the hidden field, not from the textbox or label.
3) Re-validate every piece of data for authorization on post-back.
Upvotes: 0
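The server-side re-validation that both answers above come down to (the first answer's "validate everything on the server side", the second answer's step 3), written out as an added example that is not part of either answer. It is Python; the ACL, the `ACC-nnnn` account id format, the `AUDIT_LOG` list and the function names are constructed assumptions for illustration. The handler takes the admin's identity from the authenticated session, never from the form, re-derives authorization from server-side state on every post-back, and writes an audit entry on a mismatch, which is the detection signal the question asks for.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample ACL (hypothetical): admin username -> account ids that
# admin is permitted to modify. In a real application this comes from the
# database, never from anything the client sends.
ACL: Dict[str, Set[str]] = {
    "alice": {"ACC-1001", "ACC-1002"},
    "bob": {"ACC-2001"},
}

# Constructed audit log. In production this is an append-only store that the
# monitoring team reviews; here it is an in-memory list.
AUDIT_LOG: List[dict] = []

# Hypothetical account id format used by this example.
ACCOUNT_ID_RE = re.compile(r"ACC-\d{4}")


@dataclass
class Result:
    ok: bool
    status: int    # HTTP status the handler would return
    reason: str


def parse_account_id(raw: object) -> Optional[str]:
    """Syntactic check: the posted value must be a string of the expected shape."""
    if not isinstance(raw, str) or not ACCOUNT_ID_RE.fullmatch(raw):
        return None
    return raw


def audit(event: str, admin: str, account_id: object) -> None:
    AUDIT_LOG.append({"event": event, "admin": admin, "account_id": account_id})


def authorize_account_edit(session_admin: str, posted_form: dict) -> Result:
    """Re-validate a posted account id against server-side authorization state.

    session_admin is the identity bound to the authenticated session; any
    'admin' field in posted_form is ignored because the client controls it.
    """
    raw = posted_form.get("account_id")
    account_id = parse_account_id(raw)
    if account_id is None:
        audit("malformed_input", session_admin, raw)
        return Result(False, 400, "malformed account_id")

    # Authorization is re-derived from the ACL on every request, regardless of
    # what the edit page rendered earlier or what a hidden field claims.
    if account_id not in ACL.get(session_admin, set()):
        audit("authz_denied", session_admin, account_id)
        return Result(False, 403, "not authorized for this account")

    # Only now would the handler apply the posted changes to account_id.
    return Result(True, 200, "ok")


def flag_repeated_denials(log: List[dict], threshold: int = 3) -> Set[str]:
    """Detection: admins whose session produced `threshold` or more denials.

    The legitimate UI never submits an account id outside the admin's ACL, so
    repeated denials from one session point to a tampered request.
    """
    counts: Dict[str, int] = {}
    for entry in log:
        if entry["event"] == "authz_denied":
            counts[entry["admin"]] = counts.get(entry["admin"], 0) + 1
    return {admin for admin, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(authorize_account_edit("alice", {"account_id": "ACC-1001"}))
    # Tampered request: alice's session posts an account id she may not edit,
    # and also tries to claim bob's identity in the form body.
    print(authorize_account_edit("alice", {"account_id": "ACC-2001", "admin": "bob"}))
    print(AUDIT_LOG)
```

The 403 plus the audit entry is the whole detection mechanism: there is nothing to "detect" in the request itself, because the server simply never trusts the posted id. Returning the same 403 whether or not the account exists keeps the response from confirming which ids are valid, and `flag_repeated_denials` is the kind of query a monitoring job would run over the log to surface sessions that keep tripping the check.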