Re: [WebDNA] Security Problem

This WebDNA talk-list message is from 2015.
Stuart,

Hi - your emails refer to two different things.

The first email gave an example of Cross-Site Scripting (XSS):

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

This is prevented by ensuring that all user-generated content / input that may be displayed on a site is validated and encoded.

The second email referred to a Cross Site Forgery Request (CSRF):

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

This is prevented by ensuring that all actions on a site undertaken by a logged-in user include a random token that is verified before processing the action. Other methods include always checking for a valid referrer header when processing actions, or asking a user to re-enter their password for particularly secure actions (changing email or password for example).

https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet

- Tom
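The two mitigations Tom describes, output encoding for XSS and a per-session random token plus an optional referrer check for CSRF, written out as an added Python example (not code from the thread or from WebDNA); the in-memory session store, the origin `https://shop.example` and the helper names are assumptions for illustration:

```python
import hmac
import html
import secrets
from typing import Dict, Optional

# Constructed in-memory session store for this example; a real application
# would keep this in its server-side session storage.
SESSIONS: Dict[str, Dict[str, str]] = {}


def render_user_text(text: str) -> str:
    """XSS mitigation: encode user-supplied text before placing it in HTML."""
    return html.escape(text, quote=True)


def issue_csrf_token(session_id: str) -> str:
    """Create a random token, bind it to the session server-side, return it."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def hidden_token_field(token: str) -> str:
    """Embed the token in a form so legitimate requests carry it back."""
    return ('<input type="hidden" name="csrf_token" value="%s">'
            % html.escape(token, quote=True))


def verify_csrf(session_id: str, submitted: Optional[str],
                referer: Optional[str], allowed_origin: str) -> bool:
    """Allow the action only if the submitted token matches the session's
    token (constant-time compare) and any Referer points at our own origin."""
    session = SESSIONS.get(session_id)
    if not session or not submitted:
        return False
    expected = session.get("csrf_token")
    if not expected or not hmac.compare_digest(expected.encode(),
                                               submitted.encode()):
        return False
    # Referer check: tolerate a missing header (privacy settings strip it),
    # but reject one that names another origin.
    if referer is not None and not (referer == allowed_origin
                                    or referer.startswith(allowed_origin + "/")):
        return False
    return True
```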
Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] Security Problem (Tom Duke 2015)
  2. Re: [WebDNA] Security Problem (Stuart Tremain 2015)
  3. [WebDNA] Security Problem (Stuart Tremain 2015)