[OT] "Hacker Safe"

This WebDNA talk-list message is from 2007.


Hello,

I am working with a client that uses a service called "hacker safe". They notified me of a "vulnerability" in a site I've been working on that involves sending JavaScript in a URL. I am trying to determine the scope of this "vulnerability", as it seems just about every dynamic site on the planet is susceptible to this.

For example, use this URL to access the Apple store, which appears to be vulnerable in the same way (you may have to repair email linebreaks before using):

http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?nnmm=browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22&node=home/shop_iphone/family/iphone

What kind of "harmful" JavaScript could replace the non-harmful example 123 script?...

Hacker Safe says:

    The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

Stealing "session" info does not sound good... I never store anything sensitive in cookies, so I don't think that is a problem. I have no idea what "loading a virus payload onto their computer via browser" means.

What are your thoughts?

Donovan

--
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
<- Web Development (specializing in eCommerce),->
<- Desktop Publishing, Print Consulting, Labels ->
<- Glass Blowing, and Art Glass ->
PH/FAX:> 1 (608) 770-3822
Web:> http://www.egg.bz | http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list.
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to:
Web Archive of this list is at: http://webdna.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  2. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  3. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  4. Re: [OT] "Hacker Safe" ( Clint Davis 2007)
  5. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  6. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  7. Re: [OT] "Hacker Safe" ( Stuart Tremain 2007)
  8. [OT] "Hacker Safe" ( Donovan Brooke 2007)
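The break-out that the Apple store URL in the message relies on, shown as an added example that is not part of the original post and is not WebDNA or Apple code: the mco query parameter is decoded and reflected into an HTML attribute, first without escaping and then with it. The page template, the hidden-input context and the function names are assumptions made for this illustration; the probe URL is the one quoted in the message. In the unescaped case the reflected value closes the attribute and the tag and starts a script element, and that script runs in the store's own origin, which is what lets it read whatever document.cookie exposes, a session identifier included, and send it elsewhere. Escaping the five HTML metacharacters on output keeps the value inert.

```javascript
// Added example (Node.js): reflected XSS via a query parameter, vulnerable
// rendering beside the escaped form. Not code from the original post, from
// WebDNA or from the Apple store. renderVulnerable, renderSafe and the
// hidden-input template are assumptions made for this illustration.

// The URL quoted in the message; mco carries the probe payload.
const PROBE_URL =
  "http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID" +
  "?nnmm=browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22" +
  "&node=home/shop_iphone/family/iphone";

// Decode the mco parameter the way a server-side framework would hand it to
// the template: percent-decoding is undone, so the raw markup comes through.
function mcoParam(url) {
  return new URL(url).searchParams.get("mco");
}

// Vulnerable template (assumed): the raw parameter is dropped straight into
// an attribute value. A value containing `">` ends the attribute and the tag,
// and everything after it is parsed as new markup.
function renderVulnerable(mco) {
  return `<input type="hidden" name="mco" value="${mco}">`;
}

// Escape the characters that can change parsing in text and attribute
// contexts. Ampersand goes first so already-escaped output is not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened template: same markup, parameter escaped on output.
function renderSafe(mco) {
  return `<input type="hidden" name="mco" value="${escapeHtml(mco)}">`;
}

// Crude detector for a successful break-out: does a script element appear
// in the rendered page? Sufficient for this probe, not a general scanner.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration: decode the probe and render it both ways.
const demoValue = mcoParam(PROBE_URL);
console.log("decoded mco :", demoValue);
console.log("vulnerable  :", renderVulnerable(demoValue));
console.log("  injects?  :", containsScriptTag(renderVulnerable(demoValue)));
console.log("escaped     :", renderSafe(demoValue));
console.log("  injects?  :", containsScriptTag(renderSafe(demoValue)));
```

Run it with node. The fix is the escaping on output, applied in every place a request value is echoed, not only in the one the scanner happened to find. Marking the session cookie HttpOnly keeps it out of document.cookie and so limits what an injected script can read, but it does not stop the script from running in the user's session.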
