Re: [OT] "Hacker Safe"

This WebDNA talk-list message is from 2007


numero = 69485
Donovan,

We use Scan Alert too, and we've had several XSS vulnerabilities discovered. Basically, you don't want to blindly display incoming variables on your page - they need to be cleansed. Here's some code we developed to clean things up:

[!]========== CLEANSE THE VARIABLES TO PREVENT XSS ==========[/!]
[formvariables]
[text]clean_[name]=[grep search=([ \'"])&replace=\\1][removehtml][value][/removehtml][/grep][/text]
[/formvariables]

Then use [clean_variable1], [clean_variable2], etc. to display the information on the page.

For more on the dangers of XSS, read the "Exploit Scenarios" section of this page:
http://en.wikipedia.org/wiki/XSS

On 11/14/07 6:58 PM, "Donovan Brooke" wrote:

> Hello,
>
> I am working with a client that uses a service called
> "hacker safe". They notified me of a "vulnerability"
> in a site I've been working on that involves sending
> javascript in a URL. I am trying to determine the
> scope of this "vulnerability" as it seems just about
> every dynamic site on the planet is susceptible to this.
>
> For example, use this URL to access the Apple store
> which appears to be vulnerable in the same way.
> (you may have to repair email linebreaks before using):
>
> http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore.woa/wa/RSLID?nnmm=
> browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22&node=home/sh
> op_iphone/family/iphone
>
>
> What kind of "harmful" javascript could replace the
> non-harmful example 123 script?...
>
> Hacker Safe says:
> The damage caused by such an attack can range from stealing
> session and cookie data from your customers to loading a
> virus payload onto their computer via browser.
>
> stealing "session" info does not sound good... I never
> store anything sensitive in cookies, so I don't think
> that is a problem. I have no idea what "loading a virus
> payload onto their computer via browser" means.
>
> What are your thoughts?
>
> Donovan

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
Web Archive of this list is at: http://webdna.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  2. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  3. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  4. Re: [OT] "Hacker Safe" ( Clint Davis 2007)
  5. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  6. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  7. Re: [OT] "Hacker Safe" ( Stuart Tremain 2007)
  8. [OT] "Hacker Safe" ( Donovan Brooke 2007)
Clint Davis
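The cleansing step discussed in Clint's reply, as an added example that is not part of the original post and is not WebDNA code. It is Node.js with no dependencies; the helper names (parseQuery, stripTags, encodeHtml, renderPage, attributeValue), the two-line page template and the second payload are this example's own assumptions, and the first payload is decoded from the Apple URL quoted in the thread. Stripping tags takes care of the literal <script> case, but a value echoed inside a quoted attribute only needs one double quote to close the attribute and add an event handler, so the safe step is to entity-encode &, <, >, " and ' for the HTML context the value is printed in. Backslashes are not an escape character to the HTML parser, so they do not help there.

```javascript
// Added example (not from the original post or from WebDNA): contextual
// output encoding for a value reflected from the URL, contrasted with
// tag stripping. Helper names, the page template and the attribute
// payload are assumptions made for this example.

// Decode a raw query string (the part after "?") into a name -> value map.
function parseQuery(qs) {
  const params = {};
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    params[decode(rawKey)] = decode(rawVal);
  }
  return params;
}

// Approach 1: remove anything that looks like a complete tag. This is roughly
// what a "strip HTML" cleanser does; quotes and a dangling "<" are left alone.
function stripTags(value) {
  return value.replace(/<[^>]*>/g, '');
}

// Approach 2: entity-encode the five characters that can change how the
// browser parses element text or a quoted attribute value.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeHtml(value) {
  return value.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Hypothetical page that echoes the "mco" parameter twice: once as element
// text and once inside a double-quoted attribute.
function renderPage(mco, clean) {
  const v = clean(mco);
  return [
    '<p>Category: ' + v + '</p>',
    '<input type="hidden" name="mco" value="' + v + '">',
  ].join('\n');
}

// What an HTML parser will take as the attribute value: everything up to the
// next double quote. Returns null if the attribute is not found.
function attributeValue(html) {
  const m = /name="mco" value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

function demo() {
  // Constructed query string carrying the payload from the quoted Apple URL.
  const qs = 'nnmm=browse&mco=%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22';
  const tagPayload = parseQuery(qs).mco;
  // Constructed payload with no tags at all: a quote closes the attribute
  // and the remainder becomes an event handler.
  const attrPayload = '" onmouseover="alert(1)';
  return {
    tagPayload,
    attrPayload,
    stripped: {
      tagAttr: attributeValue(renderPage(tagPayload, stripTags)),
      attrAttr: attributeValue(renderPage(attrPayload, stripTags)),
    },
    encoded: {
      tagAttr: attributeValue(renderPage(tagPayload, encodeHtml)),
      attrAttr: attributeValue(renderPage(attrPayload, encodeHtml)),
    },
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  console.log(demo());
}
```

With stripTags the attribute value the browser sees is cut short at the first quote (to ">" for the first payload and to an empty string for the second, with the rest of the payload landing outside the attribute); with encodeHtml the full payload stays inside the attribute as inert text. The same rule applies to element text, and a value printed into a JavaScript string or a URL needs the encoding for that context instead.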
