Re: [WebDNA] PCI Vulnerability testing
This WebDNA talk-list message is from 2009
I'm guessing that is to take out the long cart number from the URL.

You could redirect to [thisurl] if you wanted.

Bill

On Mon, Apr 13, 2009 at 4:34 PM, Jeffrey Jones wrote:
> Hi Matthew,
> Any specific reason you redirect to the index page?
> -Jeff
>
> On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote:
>
> This seems to work for me.
> It seems to stand up to the attacks from McAfee Secure
>
> [formvariables]
> [showif [url][name][/url]^script>][redirect /index.html][/showif]
> [showif [url][name][/url]^iframe][redirect /index.html][/showif]
> [text][url][name][/url]=[input][value][/input][/text]
> [/formvariables]
> [showif [countchars][cart][/countchars]>18][redirect /index.html][/showif]
>
> Matthew A Perosi JewelerWebsites.com
> ------------------------------by Psi Prime-------
> Senior Web Developer 323 Union Blvd.
> Totowa, NJ 07512
> Pre-Sales: 888.872.0274
> Service: 973.413.8213
> Training: 973.413.8214
> Fax: 973.413.8217
>
> http://www.jewelerwebsites.com
> http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc
> http://www.psiprime.com
>
> Marc Thompson wrote:
>
> You are correct William, NEVER trust user input.
> What I always do is simply remove any characters I don't recognize using
> grep. All user input is "cleaned" before taking any action on it
> whatsoever.
>
> For [cart] values:
> [GetChars start=1&end=20][Grep search=[^0-9]&replace=][value][/Grep][/GetChars]
>
> For other text values:
> [GetChars start=1&end=100][Grep search=[^ ,-.%@_A-Za-z0-9ÜüÄäÖö]&replace=][value][/Grep][/GetChars]
>
> Marc
>
> William DeVaul wrote:
>
> I have no idea about a server level fix. This goes to never trusting
> user input. I thought it should always be surrounded by [raw] and
> [url] to prevent this.
>
> What do others do?
>
> Bill
>
> On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote:
>
> What are people doing for the following type of attacks?
>
> http://www.example.com/shoppingcart.tpl?cart="=">
>
> I assume you could just do a [removehtml][cart][/removehtml]
>
> I know you can do something like that at the code level but is there
> something that can be done at the server level or does the new version
> cicadae have built in protections?
>
> More info on the attack
>
> http://www.example.com/?var=
> This will exploit the reflected cross site scripting vulnerability shown
> before, executing the javascript code stored on the attacker's web server as
> if it was originating from the victim web site, www.example.com.
> A complete test will include instantiating a variable with several attack
> vectors (Check Fuzz vectors appendix and Encoded injection appendix).
> Finally, analyzing answers can get complex. A simple way to do this is to
> use code that pops up a dialog, as in our example. This typically indicates
> that an attacker could execute arbitrary JavaScript of his choice in the
> visitors' browsers.
>
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list.
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
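The allowlist rules Marc and Matthew describe above, re-implemented in Python as an added example (this is not WebDNA code and not code from anyone on the list). It assumes the umlaut characters in Marc's Grep class are the Latin-1 letters Ü ü Ä ä Ö ö, treats Matthew's "more than 18 characters" rule as a strict accept-or-redirect test, and adds the HTML escaping on output that the thread's [raw]/[url] remarks point at. The function names, `handle_request`, and the sample inputs are constructed for the example.

```python
import html
import re

# Field rules from the thread: [cart] is GetChars 1-20 then Grep [^0-9] -> "",
# other text fields are GetChars 1-100 then Grep against an allowlist class.
# Assumption: the umlauts in Marc's class are the Latin-1 letters below.
CART_MAX_LEN = 20
CART_NOT_DIGIT = re.compile(r"[^0-9]")
TEXT_MAX_LEN = 100
TEXT_NOT_ALLOWED = re.compile(r"[^ ,\-.%@_A-Za-z0-9ÜüÄäÖö]")
# Matthew's [countchars][cart][/countchars]>18 rule, turned into a strict test.
CART_STRICT = re.compile(r"[0-9]{1,18}")


def clean_cart(value: str) -> str:
    """Marc's idiom: truncate to 20 characters, then delete every non-digit."""
    return CART_NOT_DIGIT.sub("", value[:CART_MAX_LEN])


def cart_is_valid(value: str) -> bool:
    """Stricter alternative: accept only a value that is already 1-18 digits.

    Silently cleaning a tampered cart id produces a *different* numeric id
    (see the sample below), so a value that fails this test is better
    redirected away, as the thread's [redirect /index.html] does, than
    cleaned and then used.
    """
    return CART_STRICT.fullmatch(value) is not None


def clean_text(value: str) -> str:
    """Marc's text-field idiom: truncate to 100 chars, keep only allowlisted chars."""
    return TEXT_NOT_ALLOWED.sub("", value[:TEXT_MAX_LEN])


def render(value: str) -> str:
    """Output encoding for anything echoed into HTML.

    Input cleaning limits what reaches the template; escaping at the point of
    output is what stops a reflected value from being parsed as markup.
    """
    return html.escape(value, quote=True)


def handle_request(params: dict) -> dict:
    """Apply the rules to a whole query string the way the template would.

    Returns {"redirect": "/index.html"} for an invalid cart id, otherwise the
    validated cart id plus every other field cleaned and escaped for output.
    """
    cart = params.get("cart", "")
    if not cart_is_valid(cart):
        return {"redirect": "/index.html"}
    out = {"cart": cart}
    for name, value in params.items():
        if name == "cart":
            continue
        out[name] = render(clean_text(value))
    return out


if __name__ == "__main__":
    # Constructed sample: a cart id with a script tag appended, plus a text field.
    tampered = "12345<script>alert(1)</script>"
    print(clean_cart(tampered))      # 123451: the digit inside alert(1) survives
    print(cart_is_valid(tampered))   # False: reject rather than use a new id
    print(handle_request({"cart": "12345", "name": 'Bob "<b>Minor</b>"'}))
```

The interesting case is the first print: Grep-style stripping turns `12345<script>alert(1)</script>` into cart `123451`, a different record than the shopper's `12345`. Cleaning is fine for free text, but for an identifier the safer policy is the strict check plus a redirect, which is what Matthew's countchars rule approximates.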