Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: Marvin Simkin <Marvin.Simkin () asu edu>
Date: Fri, 11 Oct 2002 14:07:24 -0700
Valdis.Kletnieks () vt edu wrote:
Remember - don't filter known bad chars. Filter *everything* *but* known good.
This is a fundamental rule of security... why do thousands of programmers still not know this... </rant>

Filters can *help*, but there is *no* magic bullet for 100% CSS protection, because CSS is so generic that it can arise anywhere a web programmer makes a mistake. Consider this pseudocode:

    PasswordSubmitTarget = "https://www." + Server + ".com/login/checkpw.cgi"

Suppose the variable Server comes from an untrusted source somehow. An attacker might find some way to manipulate the variable so that passwords get submitted to the attacker's server. Yet the untrusted variable could contain nothing but [a-z]!

The smartest programmer in the world cannot outsmart the stupidest mistakes.
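
The point about the `Server` variable, as an added PHP example that is not part of the original post: a character filter accepts any [a-z] name, so the check that decides the form target has to be an allowlist of whole values. The function names and the server names `portal`, `mail` and `elsewhere` are constructed for illustration.

```php
<?php
// Added example; all names and values are constructed for illustration.

// Character-level allowlist, the kind of filter discussed in the thread.
function passes_char_filter(string $server): bool
{
    return preg_match('/\A[a-z]+\z/', $server) === 1;
}

// Value-level allowlist: only the server names this application owns.
const KNOWN_SERVERS = ['portal', 'mail']; // hypothetical names

function password_submit_target(string $server): string
{
    // Strict comparison, so type juggling cannot widen the match.
    if (!in_array($server, KNOWN_SERVERS, true)) {
        throw new InvalidArgumentException('unknown login server');
    }
    return 'https://www.' . $server . '.com/login/checkpw.cgi';
}

// The target is still escaped when it is written into an HTML attribute.
function login_form_open_tag(string $server): string
{
    $target = password_submit_target($server);
    return '<form method="post" action="'
        . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: both consist of nothing but [a-z].
foreach (['portal', 'elsewhere'] as $server) {
    printf(
        "%-10s char filter: %s  ",
        $server,
        passes_char_filter($server) ? 'pass' : 'fail'
    );
    try {
        echo login_form_open_tag($server), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Both inputs pass the character filter; only the value allowlist separates the application's own server from the other name.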