Re: [WebDNA] PCI Vulnerability testing

This WebDNA talk-list message is from

2009


It keeps the original formatting.
numero = 102408
interpreted = N
texte = I'm guessing that is to take out the long cart number from the URL. You could redirect to [thisurl] if you wanted. Bill On Mon, Apr 13, 2009 at 4:34 PM, Jeffrey Jones wrote: > Hi Matthew, > Any specific reason you redirect to the index page? > -Jeff > On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote: > > This seems to work for me. > It seems to stand up to the attacks from McAfee Secure > > [formvariables] > [showif [url][name][/url]^script>][redirect /index.html][/showif] > [showif [url][name][/url]^iframe][redirect /index.html][/showif] > [text][url][name][/url]=3D[input][value][/input][/text] > [/formvariables] > [showif [countchars][cart][/countchars]>18][redirect /index.html][/showif= ] > > Matthew A Perosi JewelerWebsites.com > ------------------------------by Psi Prime------- > Senior Web Developer 323 Union Blvd. > Totowa, NJ 07512 > Pre-Sales: 888.872.0274 > Service: 973.413.8213 > Training: 973.413.8214 > Fax: 973.413.8217 > > http://www.jewelerwebsites.com > http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc > http://www.psiprime.com > > Marc Thompson wrote: > > You are correct Willian NEVER trust user input. > What I always do is simply remove any characters I don't recognize using > grep. All user input is "cleaned" before taking any action on it > whatsoever. > > For [cart] values: > [GetChars start=3D1&end=3D20][Grep > search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] > > For other text values: > [GetChars start=3D1&end=3D100][Grep search=3D[^ > ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars] > > Marc > > William DeVaul wrote: > > > I have no idea about a server level fix. This goes to never trusting > user input. I thought it should always be surrounded by [raw] and > [url] to prevent this. > > What do others do? > > Bill > > On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote: > > > What are people doing for the following type of attacks? > > http://www.example.com/shoppingcart.tpl?cart=3D"= " > > I assume you could just do a [removehtml][cart][/removehtml] > > I know you can do something like that at the code level but is there > something that can be done at the server level or does the new version > cicadae have built in protections? > > More info on the attack > > > > http://www.example.com/?var=3D"%20SRC=3D"http://www.attac= ker.com/xss.js"> > This will exploit the reflected cross site scripting vulnerability shown > before, executing the javascript code stored on the attacker's web server= as > if it was originating from the victim web site, www.example.com. > A complete test will include instantiating a variable with several attack > vectors (Check Fuzz vectors appendix and Encoded injection appendix). > Finally, analyzing answers can get complex. A simple way to do this is to > use code that pops up a dialog, as in our example. This typically indicat= es > that an attacker could execute arbitrary JavaScript of his choice in the > visitors' browsers. > > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > old archives: http://dev.webdna.us/TalkListArchive/ > . > > > > > Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  2. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  3. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  4. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  5. Re: [WebDNA] PCI Vulnerability testing (Jeffrey Jones 2009)
  6. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  7. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  8. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  9. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  10. Re: [WebDNA] PCI Vulnerability testing ("Psi Prime, Matthew A Perosi " 2009)
  11. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  12. Re: [WebDNA] PCI Vulnerability testing (Govinda 2009)
  13. Re: [WebDNA] PCI Vulnerability testing (Marc Thompson 2009)
  14. Re: [WebDNA] PCI Vulnerability testing (William DeVaul 2009)
  15. [WebDNA] PCI Vulnerability testing (Bob Minor 2009)
I'm guessing that is to take out the long cart number from the URL. You could redirect to [thisurl] if you wanted. Bill On Mon, Apr 13, 2009 at 4:34 PM, Jeffrey Jones wrote: > Hi Matthew, > Any specific reason you redirect to the index page? > -Jeff > On Apr 13, 2009, at 12:35 PM, Psi Prime, Matthew A Perosi wrote: > > This seems to work for me. > It seems to stand up to the attacks from McAfee Secure > > [formvariables] > [showif [url][name][/url]^script>][redirect /index.html][/showif] > [showif [url][name][/url]^iframe][redirect /index.html][/showif] > [text][url][name][/url]=3D[input][value][/input][/text] > [/formvariables] > [showif [countchars][cart][/countchars]>18][redirect /index.html][/showif= ] > > Matthew A Perosi JewelerWebsites.com > ------------------------------by Psi Prime------- > Senior Web Developer 323 Union Blvd. > Totowa, NJ 07512 > Pre-Sales: 888.872.0274 > Service: 973.413.8213 > Training: 973.413.8214 > Fax: 973.413.8217 > > http://www.jewelerwebsites.com > http://en.wikipedia.org/wiki/Psi_Prime%2C_Inc > http://www.psiprime.com > > Marc Thompson wrote: > > You are correct Willian NEVER trust user input. > What I always do is simply remove any characters I don't recognize using > grep. All user input is "cleaned" before taking any action on it > whatsoever. > > For [cart] values: > [GetChars start=3D1&end=3D20][Grep > search=3D[^0-9]&replace=3D][value][/Grep][/GetChars] > > For other text values: > [GetChars start=3D1&end=3D100][Grep search=3D[^ > ,-.%@_A-Za-z0-9=DC=FC=C4=E4=D6=F6]&replace=3D][value][/Grep][/GetChars] > > Marc > > William DeVaul wrote: > > > I have no idea about a server level fix. This goes to never trusting > user input. I thought it should always be surrounded by [raw] and > [url] to prevent this. > > What do others do? > > Bill > > On Mon, Apr 13, 2009 at 2:08 PM, Bob Minor wrote: > > > What are people doing for the following type of attacks? > > http://www.example.com/shoppingcart.tpl?cart=3D"= " > > I assume you could just do a [removehtml][cart][/removehtml] > > I know you can do something like that at the code level but is there > something that can be done at the server level or does the new version > cicadae have built in protections? > > More info on the attack > > > > http://www.example.com/?var=3D"%20SRC=3D"http://www.attac= ker.com/xss.js"> > This will exploit the reflected cross site scripting vulnerability shown > before, executing the javascript code stored on the attacker's web server= as > if it was originating from the victim web site, www.example.com. > A complete test will include instantiating a variable with several attack > vectors (Check Fuzz vectors appendix and Encoded injection appendix). > Finally, analyzing answers can get complex. A simple way to do this is to > use code that pops up a dialog, as in our example. This typically indicat= es > that an attacker could execute arbitrary JavaScript of his choice in the > visitors' browsers. > > > --------------------------------------------------------- > This message is sent to you because you are subscribed to > the mailing list . > To unsubscribe, E-mail to: > archives: http://mail.webdna.us/list/talk@webdna.us > old archives: http://dev.webdna.us/TalkListArchive/ > . > > > > > William DeVaul

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

splitting numbers in webDNA? (1997) WebCat2b13 Command Reference Doc error (1997) SetHeader not Working (2006) Re:Can someone remove this guy with the 186k emails!? (Thanksfor the email!) (1998) Error.html (1997) tcpsend (2001) Separate SSL Server (1997) WC Host Needed (2000) [WebDNA] sudo and shell (2010) [WebDNA] WebDNA 8.2 on Debian 8 (2016) [WebDNA] WebDNA future (2010) serial number dishing (1997) Recording size of uploaded file? (2001) Summary search -- speed (1997) Database Erroe (2000) Formatting date to number - more (2000) Umm...about those log files? (Off Topic) (1997) Date comparison has serious bug ... (1998) change curly quotes (2008) Major bug report on rootbeer (1997)