Re: [OT] "Hacker Safe"

This WebDNA talk-list message is from

2007


Clint Davis wrote:
> Donovan,
>
> We use Scan Alert too, and we've had several XSS vulnerabilities discovered.
> Basically, you don't want to blindly display incoming variables on your page
> - they need to be cleansed. Here's some code we developed to clean things
> up:
>
> [!]========== CLEANSE THE VARIABLES TO PREVENT XSS ==========[/!]
> [formvariables]
> [text]clean_[name]=[grep
> search=([ \'"])&replace=\\1][removehtml][value][/removehtml][/grep][/text]
> [/formvariables]
>
> Then use [clean_variable1], [clean_variable2], etc. to display the
> information on the page.
>
> For more on the dangers of XSS, read the "Exploit Scenarios" section of this
> page: http://en.wikipedia.org/wiki/XSS

!@#$ script kiddies. How do they have that much time?

Thanks for the cleansing ideas... This is not a bank's website or anything such as that, so encoding the suspect characters will be sufficient in this case.

I took a bit of time to get my head around the scope of this type of attack. It seems to me that as long as one uses basic secure coding techniques, i.e. no sensitive info in cookies or embedded in the code (namely price change password), no re-displaying of credit card info etc., that it would take some really dedicated and ingenious cracker to glean anything from XSS... however, I guess there are those out there who make it their mission...

Donovan

-- 
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
<- Web Development (specializing in eCommerce),->
<- Desktop Publishing, Print Consulting, Labels ->
<- Glass Blowing, and Art Glass ->
PH/FAX:> 1 (608) 770-3822
Web:> http://www.egg.bz | http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
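The per-variable cleansing Clint describes, as an added Python example that is not from the thread or from WebDNA itself: it keeps the shape of the quoted [formvariables] loop (a clean_<name> copy of every form variable, and only those copies are displayed) but, in place of the backslash escaping in the quoted grep, uses HTML entity encoding, which is the encoding that actually neutralises the characters when a value is echoed into an HTML page. The function names and the sample form values are constructed.

```python
"""Per-variable XSS cleansing for untrusted form input (added example).

Mirrors the WebDNA pattern from the thread: strip markup from each
incoming variable, then encode the remaining special characters and
expose the result under a clean_<name> key. The encoding step here is
HTML entity encoding rather than the backslash escaping in the thread.
"""
import html
from html.parser import HTMLParser


class _TagStripper(HTMLParser):
    """Keeps only text nodes, dropping every tag (the [removehtml] step)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def remove_html(value: str) -> str:
    """Return the text content of value with all markup removed."""
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()  # flushes any trailing, unterminated fragment
    return "".join(stripper.parts)


def cleanse(value: str) -> str:
    """Strip markup, then entity-encode & < > " and ' so the result is
    inert when placed into HTML text or a quoted HTML attribute."""
    return html.escape(remove_html(value), quote=True)


def cleanse_form_variables(form: dict[str, str]) -> dict[str, str]:
    """Build a clean_<name> entry for every form variable, as the WebDNA
    loop does; templates should display only these clean_ copies."""
    return {f"clean_{name}": cleanse(value) for name, value in form.items()}


if __name__ == "__main__":
    # Constructed sample input: a benign value and one carrying markup.
    sample = {"name": "O'Brien & Sons", "comment": '<b>great</b> "shop"'}
    for key, val in cleanse_form_variables(sample).items():
        print(f"{key}={val}")
```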
Associated Messages, from the most recent to the oldest:

    
  1. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  2. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  3. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  4. Re: [OT] "Hacker Safe" ( Clint Davis 2007)
  5. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  6. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  7. Re: [OT] "Hacker Safe" ( Stuart Tremain 2007)
  8. [OT] "Hacker Safe" ( Donovan Brooke 2007)
