Re: [WebDNA] PCI Vulnerability testing
This WebDNA talk-list message is from 2009
I'm guessing that is to take out the long cart number from the URL.

You could redirect to [thisurl] if you wanted.

Bill

On Mon, Apr 13, 2009 at 4:34 PM, Jeffrey Jones wrote:
> Hi Matthew,
> Any specific reason you redirect to the index page?
> -Jeff
>
> On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote:
>
> This seems to work for me.
> It seems to stand up to the attacks from McAfee Secure
>
> [formvariables]
> [showif [url][name][/url]^script>][redirect /index.html][/showif]
> [showif [url][name][/url]^iframe][redirect /index.html][/showif]
> [text][url][name][/url]=[input][value][/input][/text]
> [/formvariables]
> [showif [countchars][cart][/countchars]>18][redirect /index.html][/showif]
>
> Matthew A Perosi                    JewelerWebsites.com
> ------------------------------by Psi Prime-------
> Senior Web Developer                323 Union Blvd.
>                                     Totowa, NJ 07512
> Pre-Sales: 888.872.0274
> Service:   973.413.8213
> Training:  973.413.8214
> Fax:       973.413.8217
>
> http://www.jewelerwebsites.com
> http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc
> http://www.psiprime.com
>
> Marc Thompson wrote:
>
> You are correct William, NEVER trust user input.
> What I always do is simply remove any characters I don't recognize using
> grep. All user input is "cleaned" before taking any action on it
> whatsoever.
>
> For [cart] values:
> [GetChars start=1&end=20][Grep search=[^0-9]&replace=][value][/Grep][/GetChars]
>
> For other text values:
> [GetChars start=1&end=100][Grep search=[^ ,-.%@_A-Za-z0-9ÜüÄäÖö]&replace=][value][/Grep][/GetChars]
>
> Marc
>
> William DeVaul wrote:
>
> I have no idea about a server level fix. This goes to never trusting
> user input. I thought it should always be surrounded by [raw] and
> [url] to prevent this.
>
> What do others do?
>
> Bill
>
> On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote:
>
> What are people doing for the following type of attacks?
>
> http://www.example.com/shoppingcart.tpl?cart="="
>
> I assume you could just do a [removehtml][cart][/removehtml]
>
> I know you can do something like that at the code level but is there
> something that can be done at the server level or does the new version
> cicadae have built in protections?
>
> More info on the attack
>
> http://www.example.com/?var=
>
> This will exploit the reflected cross site scripting vulnerability shown
> before, executing the javascript code stored on the attacker's web server as
> if it was originating from the victim web site, www.example.com.
> A complete test will include instantiating a variable with several attack
> vectors (Check Fuzz vectors appendix and Encoded injection appendix).
> Finally, analyzing answers can get complex. A simple way to do this is to
> use code that pops up a dialog, as in our example. This typically indicates
> that an attacker could execute arbitrary JavaScript of his choice in the
> visitors' browsers.
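The allow-list filtering Marc describes in the thread (strip every character you do not recognise, cap the length) together with Matthew's length gate and plain output encoding, ported to Python as an added example. This is not WebDNA code from the thread and not part of the original message; the function names, the 18-character acceptance rule treating an empty result as rejected, and the sample input are assumptions of mine. The character classes and length limits mirror the quoted WebDNA snippets, and the ordering (strip first, then truncate) follows the nesting of the inner [Grep] inside the outer [GetChars].

```python
import html
import re

# Added example, not code from the thread: Marc Thompson's "remove any
# characters I don't recognize" rule ported to Python. Limits and character
# classes mirror the WebDNA snippets quoted above; names are assumptions.
CART_MAX_LEN = 20    # [GetChars start=1&end=20]
TEXT_MAX_LEN = 100   # [GetChars start=1&end=100]
CART_ACCEPT_LEN = 18  # [showif [countchars][cart][/countchars]>18] rejects

# [Grep search=[^0-9]&replace=]
CART_DISALLOWED = re.compile(r"[^0-9]")
# [Grep search=[^ ,-.%@_A-Za-z0-9ÜüÄäÖö]&replace=]
# ",-." is a range covering comma, hyphen and period, as in the WebDNA pattern.
TEXT_DISALLOWED = re.compile(r"[^ ,-.%@_A-Za-z0-9ÜüÄäÖö]")


def clean_cart(value: str) -> str:
    """Keep only digits, then cap at 20 characters.

    The inner [Grep] resolves before the outer [GetChars] in the nested
    WebDNA contexts, so stripping happens first and truncation second.
    """
    return CART_DISALLOWED.sub("", value)[:CART_MAX_LEN]


def clean_text(value: str) -> str:
    """Same idea for free-text fields: drop anything outside the allow-list."""
    return TEXT_DISALLOWED.sub("", value)[:TEXT_MAX_LEN]


def cart_is_acceptable(value: str) -> bool:
    """Matthew's length gate applied to the cleaned value: longer than 18
    characters is rejected. Treating an empty result as rejected is my
    addition; the thread only states the upper bound."""
    cleaned = clean_cart(value)
    return 0 < len(cleaned) <= CART_ACCEPT_LEN


def encode_for_html(value: str) -> str:
    """Output encoding for anything echoed back into a page. This is the
    step that neutralises reflected markup even when a field is too free-form
    to allow-list; it complements the input cleaning above."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample in the shape of the attack Bob Minor asked about:
    # a cart parameter carrying markup instead of a number.
    hostile_cart = '4711"><script>alert("x")</script>'
    print(clean_cart(hostile_cart))           # 4711
    print(cart_is_acceptable(hostile_cart))   # True, once cleaned
    print(clean_text("Müller-Lüdenscheidt <b>hi</b>"))  # Müller-Lüdenscheidt bhib
    print(encode_for_html(hostile_cart))
```

Note that cleaning silently turns hostile input into a plausible-looking id (the digits that survive), which is why the length gate and output encoding are kept as separate checks rather than relying on stripping alone.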