Re: [WebDNA] Security Problem

This WebDNA talk-list message is from 2015.


Stuart,

Hi - your emails refer to two different things.

The first email gave an example of Cross-Site Scripting (XSS):

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

This is prevented by ensuring that all user generated content / input that may be displayed on a site is validated and encoded.

The second email referred to a Cross Site Forgery Request (CSRF):

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

This is prevented by ensuring that all actions on a site undertaken by a logged in user include a random token that is verified before processing the action. Other methods include always checking for a valid referrer header when processing actions, or asking a user to re-enter their password for particularly secure actions (changing email or password for example).

https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet

- Tom
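The two controls Tom names, as an added Python example that is not part of the original post or of WebDNA: user-supplied content is HTML-encoded before it is displayed (the XSS fix), and a random per-session token is verified with a constant-time comparison, together with a Referer/Origin check, before a state-changing action is processed (the CSRF fix). The origin `https://shop.example`, the `session` dict and the `form`/`headers` dicts are constructed stand-ins for a web framework's request objects.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected site (constructed for this example).
SITE_ORIGIN = "https://shop.example"


def new_csrf_token(session: dict) -> str:
    """Mint a random per-session token and keep the server-side copy (synchronizer token)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_comment_form(session: dict, previous_comment: str) -> str:
    """XSS side: anything user-supplied is HTML-encoded before it is written into the page.
    The hidden field carries the CSRF token that the POST handler will verify."""
    token = session.get("csrf_token") or new_csrf_token(session)
    return (
        '<form method="POST" action="/comment">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
        f'<textarea name="comment">{html.escape(previous_comment)}</textarea>'
        "</form>"
    )


def referer_ok(headers: dict) -> bool:
    """Referrer check: Origin (preferred) or Referer must name our own origin exactly.
    A missing header is rejected rather than waved through (fail closed)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(session: dict, form: dict, headers: dict) -> bool:
    """Gate for any state-changing action: a token must exist in the session, the referrer
    must be valid, and the submitted token must equal the stored one (constant-time compare)."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not referer_ok(headers):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())
```

A fresh token is minted when the session is created and rotated on login; the check runs before the action, never after.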

Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Security Problem (Tom Duke 2015)
  2. Re: [WebDNA] Security Problem (Stuart Tremain 2015)
  3. [WebDNA] Security Problem (Stuart Tremain 2015)

Tom Duke
