How to prevent attacks against client side validations?

To do 10 checks on the server side is likely not going to put any real stress on your server. Unless you are at the point of thousands of request per second, you will be okay. At that point, you would probably implement clustering, etc. Security is always worth the extra cycles. Client side validation is never sufficient. When you think about validation, you should think about filtering RAW HTTP without regard for the fact that the "browser" may have generated the content.

Even if there is client side validation, there are still Man-in-the-middle attacks, where they can change the content of the raw HTTP request after the validation has occurred. Client side validation is really for end user convenience so they don't submit, then get an error message and have to resubmit. I would not consider client side validation in a browser based application to provide any security for processing being done on the server.

As for how an attack can modify your validation, it would depend on many things. For example, what are the dynamic values on the page - do you take parameters from the query strings (GET parameters) without filtering? This could lead to XSS or CSRF attacks because they can change those values and your application will process them. Of course you can protect against this with proper escaping and other techniques. The attack may also have loaded some type of user script or proxy which can inject code into the page.

Since you are using "reflected", you may want to read more specifically about a "reflected XSS", which is just one type of attack vector. From OWASP:

Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server.


you already know what to do,,,the problem is you have more things to validate. Simple answer is if you want secure things, do all the validations in server side. What ever you've done for client side things, hackers can see them and can change.

(do not forget about mitm attacks. client side validation not gonna help)


You have ZERO control over what a user submits to the server. A fundamental security concept is never trust the user, and this applies in cases such as these. Use your client side protections to prevent accidental malformed requests (person mistypes) and for convenience reasons. Trying to harden these checks to become 'secure' is fundamentally flawed.

Ensure all your security validations are done server side, regardless of how much load it in turn puts on your server, unfortunately you don't have any other choice.