Re: [OT] "Hacker Safe"

This WebDNA talk-list message is from 2007.
Donovan,

We use Scan Alert too, and we've had several XSS vulnerabilities discovered. Basically, you don't want to blindly display incoming variables on your page - they need to be cleansed. Here's some code we developed to clean things up:

    [!]========== CLEANSE THE VARIABLES TO PREVENT XSS ==========[/!]
    [formvariables]
    [text]clean_[name]=[grep search=([ \'"])&replace=\\1][removehtml][value][/removehtml][/grep][/text]
    [/formvariables]

Then use [clean_variable1], [clean_variable2], etc. to display the information on the page.

For more on the dangers of XSS, read the "Exploit Scenarios" section of this page:
http://en.wikipedia.org/wiki/XSS

On 11/14/07 6:58 PM, "Donovan Brooke" wrote:

> Hello,
>
> I am working with a client that uses a service called
> "hacker safe". They notified me of a "vulnerability"
> in a site I've been working on that involves sending
> javascript in a URL. I am trying to determine the
> scope of this "vulnerability" as it seems just about
> every dynamic site on the planet is susceptible to this.
>
> For example, use this URL to access the Apple store
> which appears to be vulnerable in the same way.
> (you may have to repair email linebreaks before using):
>
> http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?nnmm=browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22&node=home/shop_iphone/family/iphone
>
> What kind of "harmful" javascript could replace the
> non-harmful example 123 script?...
>
> Hacker Safe says:
> The damage caused by such an attack can range from stealing
> session and cookie data from your customers to loading a
> virus payload onto their computer via browser.
>
> Stealing "session" info does not sound good... I never
> store anything sensitive in cookies, so I don't think
> that is a problem. I have no idea what "loading a virus
> payload onto their computer via browser" means.
>
> What are your thoughts?
>
> Donovan

Web Archive of this list is at: http://webdna.smithmicro.com/
Clint Davis
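An added example (mine, not Clint's WebDNA code and not anything from the Apple site) that makes the cleansing step concrete. It pulls the "mco" parameter out of the URL Donovan quoted, runs it through three treatments, and checks each one by echoing the value into an HTML attribute the way a template would. The two functions `remove_html` and `backslash_escape` are my reading of what [removehtml] and the [grep] line do; they are approximations, not WebDNA. The point a practitioner should take from it: stripping tags and backslash-escaping quotes is the right shape for a JavaScript string literal, but a `"` still terminates an HTML attribute whether or not a backslash precedes it, so for HTML output the value has to be entity-encoded (`&lt;`, `&quot;`, ...) at the point where it is displayed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the URL quoted in the thread, mail line breaks repaired.
# The "mco" parameter carries the scanner's harmless alert(123) probe.
SAMPLE_URL = (
    "http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID"
    "?nnmm=browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22"
    "&node=home/shop_iphone/family/iphone"
)

_TAG_RE = re.compile(r"<[^>]*>")


def query_param(url: str, name: str) -> str:
    """Return the first percent-decoded value of query parameter `name`."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def remove_html(value: str) -> str:
    """Hypothetical stand-in for WebDNA's [removehtml]: drop complete <...> tags.
    A dangling '<' with no closing '>' survives, as the test below shows."""
    return _TAG_RE.sub("", value)


def backslash_escape(value: str) -> str:
    """My reading of the post's [grep search=([ \\'"])&replace=\\1] step:
    prefix space, backslash and quote characters with a backslash.
    Suitable inside a JavaScript string literal, not for HTML."""
    return re.sub(r'([ \\\'"])', r"\\\1", value)


def html_encode(value: str) -> str:
    """Context-correct encoding for HTML text nodes and quoted attributes."""
    return html.escape(value, quote=True)


def render_attribute(value: str, treat) -> str:
    """Simulate a template echoing a form variable into value="...".
    `treat` is the cleansing function applied before output."""
    return '<input name="mco" value="%s">' % treat(value)


def attribute_is_intact(markup: str) -> bool:
    """True when the echoed value never closes the attribute: the only
    double quotes left are the four that delimit name="..." and value="..."."""
    return markup.count('"') == 4


def script_is_inert(markup: str) -> bool:
    """True when no literal <script tag survived into the rendered markup."""
    return "<script" not in markup.lower()


if __name__ == "__main__":
    probe = query_param(SAMPLE_URL, "mco")
    for label, treat in (("remove_html", remove_html),
                         ("backslash_escape", backslash_escape),
                         ("html_encode", html_encode)):
        out = render_attribute(probe, treat)
        print("%-17s intact=%-5s inert=%-5s %s"
              % (label, attribute_is_intact(out), script_is_inert(out), out))
```

Running it shows only `html_encode` keeping the attribute intact and the script tag inert; the other two either leave a live `<script>` in the page or let the value break out of the attribute, which is exactly the class of finding a scanner like Hacker Safe reports.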
