Re: [WebDNA] PCI Vulnerability testing

This WebDNA talk-list message is from Govinda, 2009. Archive message number: 102402.

Yes, of course... I looked so quickly at it I didn't pay attention to the [url] and [input] contexts. Does anyone think there is any need for this level of cleaning if the data has already been cleaned with [removehtml]? I.e., without "<" and ">" can any serious harm be done?

-G

On Apr 13, 2009, at 2:01 PM, Psi Prime, Matthew A Perosi wrote:

> [text][url][name][/url]=[input][value][/input][/text]
> ^^^
> This line is used to totally clean the input.
>
> WebDNA manages variables in different levels. Whatever level you are in right now will use the most recently declared set of variables. A level can be viewed as any looping construct, like [loop] or [founditems], etc...
>
> So here's how that line of code works...
> [formvariables] will give you all the variables incoming to the page.
>
> You can then create another set of identical variables with the same name using [url][name][/url]. This new set of variables will become the actual variables that are used on the page, instead of the [formvariables].
>
> When you [url] all of the names you effectively kill all attacks because all the bad characters are converted to url'd values.
>
> The re-declaration of all the variables will not hurt your variables in any way since normal variable names don't have strange characters... so they pass right through unharmed.
>
> Matthew A Perosi                 JewelerWebsites.com
> ------------------------------by Psi Prime-------
> Senior Web Developer             323 Union Blvd.
>                                  Totowa, NJ 07512
> Pre-Sales: 888.872.0274
> Service:   973.413.8213
> Training:  973.413.8214
> Fax:       973.413.8217
>
> http://www.jewelerwebsites.com
> http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc
> http://www.psiprime.com
>
> Govinda wrote:
>>
>> On Apr 13, 2009, at 1:35 PM, Psi Prime, Matthew A Perosi wrote:
>>
>>> This seems to work for me.
>>> It seems to stand up to the attacks from McAfee Secure
>>>
>>> [formvariables]
>>> [showif [url][name][/url]^script>][redirect /index.html][/showif]
>>> [showif [url][name][/url]^iframe][redirect /index.html][/showif]
>>>
>>> [text][url][name][/url]=[input][value][/input][/text]
>>
>> what is this line ^^^ for in this context?
>>
>>> [/formvariables]
>>> [showif [countchars][cart][/countchars]>18][redirect /index.html][/showif]
>>>
>
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/

    
