Re: [OT] "Hacker Safe"

This WebDNA talk-list message is from 2007


numero = 69486
Clint Davis wrote:
> Donovan,
>
> We use Scan Alert too, and we've had several XSS vulnerabilities discovered.
> Basically, you don't want to blindly display incoming variables on your page
> - they need to be cleansed. Here's some code we developed to clean things
> up:
>
> [!]========== CLEANSE THE VARIABLES TO PREVENT XSS ==========[/!]
> [formvariables]
> [text]clean_[name]=[grep search=([ \'"])&replace=\\1][removehtml][value][/removehtml][/grep][/text]
> [/formvariables]
>
> Then use [clean_variable1], [clean_variable2], etc. to display the
> information on the page.
>
> For more on the dangers of XSS, read the "Exploit Scenarios" section of this
> page: http://en.wikipedia.org/wiki/XSS

!@#$ script kiddies. How do they have that much time?

Thanks for the cleansing ideas... This is not a bank's website or anything such as that, so encoding the suspect characters will be sufficient in this case.

I took a bit of time to get my head around the scope of this type of attack. It seems to me that as long as one uses basic secure coding techniques, i.e. no sensitive info in cookies or embedded in the code (namely price change password), no re-displaying of credit card info etc., that it would take some really dedicated and ingenious cracker to glean anything from XSS... however, I guess there are those out there who make it their mission...

Donovan

-- 
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
DONOVAN D. BROOKE
EUCA Design Center
<- Web Development (specializing in eCommerce),->
<- Desktop Publishing, Print Consulting, Labels ->
<- Glass Blowing, and Art Glass ->
PH/FAX:> 1 (608) 770-3822
Web:> http://www.egg.bz | http://www.euca.us
=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o=o
-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
Web Archive of this list is at: http://webdna.smithmicro.com/

Associated Messages, from the most recent to the oldest:

  1. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  2. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  3. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  4. Re: [OT] "Hacker Safe" ( Clint Davis 2007)
  5. Re: [OT] "Hacker Safe" ( Matthew A Perosi 2007)
  6. Re: [OT] "Hacker Safe" ( Donovan Brooke 2007)
  7. Re: [OT] "Hacker Safe" ( Stuart Tremain 2007)
  8. [OT] "Hacker Safe" ( Donovan Brooke 2007)
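The cleansing loop quoted in the post strips HTML and backslash-escapes spaces and quotes before each form variable is redisplayed. As an added example, not code from the post or from WebDNA, the Python below runs the same per-field pass over a constructed form submission in two ways: an approximation of the post's strip-and-escape approach, and HTML entity encoding, which is what a practitioner would reach for because it makes the browser display every submitted character literally no matter what the input contains. The function names (cleanse_strip_and_escape, encode_for_html, clean_form, contains_raw_markup) and the sample FORM values are assumptions made for this example.

```python
import html
import re

# Constructed sample form submission (assumption for this example,
# not data from the original post).
FORM = {
    "name": 'O\'Neil & Sons <b>"Glass"</b>',
    "comment": "plain text, nothing special",
}

# Anything that looks like an HTML tag: used only to approximate the
# post's [removehtml] step.
TAG_RE = re.compile(r"<[^>]*>")


def cleanse_strip_and_escape(value: str) -> str:
    """Approximation of the post's approach: drop anything that looks like
    an HTML tag, then put a backslash in front of space, ' and ".

    The backslashes end up visible in the rendered page and stripping is
    a deny-list, so this is shown for comparison rather than as the fix."""
    without_tags = TAG_RE.sub("", value)
    return re.sub(r"([ '\"])", r"\\\1", without_tags)


def encode_for_html(value: str) -> str:
    """Output encoding for the HTML body or a quoted attribute value: each
    character that has meaning to the HTML parser (& < > " ') becomes an
    entity, so the browser shows the text verbatim and never parses it as
    markup. Nothing is removed, so the user's text is displayed intact."""
    return html.escape(value, quote=True)


def clean_form(form: dict, encoder=encode_for_html) -> dict:
    """Mirror of the post's [formvariables] loop: one clean_<name> value per
    submitted field, produced by the chosen encoder."""
    return {f"clean_{name}": encoder(value) for name, value in form.items()}


def contains_raw_markup(value: str) -> bool:
    """Check used to compare the two approaches: True if a character the HTML
    parser acts on (< > " ') is still present unencoded in the output."""
    return any(ch in value for ch in "<>\"'")


if __name__ == "__main__":
    for name, value in FORM.items():
        print(f"{name:8} strip+escape : {cleanse_strip_and_escape(value)}")
        print(f"{name:8} entity-encode: {encode_for_html(value)}")
    print("raw markup left after encoding:",
          any(contains_raw_markup(v) for v in clean_form(FORM).values()))
```

Entity encoding is context-specific: a value passed through encode_for_html is correct for the HTML body and for quoted attribute values, but the same value placed inside a script block or a URL needs the encoder for that context instead.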
