Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: Marvin Simkin <Marvin.Simkin () asu edu>
Date: Fri, 11 Oct 2002 14:07:24 -0700

Valdis.Kletnieks () vt edu wrote:
Remember - don't filter known bad chars.  Filter *everything* *but* known good.

This is a fundamental rule of security... why do thousands of
programmers still not know this... </rant>

Filters can *help*, but there is *no* magic bullet for 100% CSS
protection, because CSS is so generic that it can arise anywhere a web
programmer makes a mistake. Consider this pseudocode:


PasswordSubmitTarget =
  "https://www." + Server + ".com/login/checkpw.cgi"

Suppose the variable Server comes from an untrusted source somehow. An
attacker might find some way to manipulate the variable so that
passwords get submitted to the attacker's server. Yet the untrusted
variable could contain nothing but [a-z]!

The smartest programmer in the world cannot outsmart the stupidest
mistakes.
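The point above, written out in PHP as an added example (it is not code from the original post and the thread does not contain it): a character allowlist such as [a-z] accepts a hostname fragment that still sends the form to a host the site does not own, while checking the value against the closed set of servers the application actually runs rejects it. KNOWN_SERVERS and the sample inputs are constructed for the illustration.

```php
<?php
// Added example, not from the original post: the pseudocode above in PHP.
// A character-level filter lets the bad value through; a closed-set
// allowlist of values is what actually stops it.

// Hypothetical list of the only server names we operate.
const KNOWN_SERVERS = ['login', 'portal', 'sso'];

function passesCharFilter(string $server): bool
{
    // Constrains the alphabet only; says nothing about which host it names.
    return preg_match('/^[a-z]+$/', $server) === 1;
}

function buildTarget(string $server): string
{
    // The concatenation from the post: every character is "known good",
    // yet the resulting URL may point anywhere.
    return 'https://www.' . $server . '.com/login/checkpw.cgi';
}

function buildTargetSafely(string $server): ?string
{
    // Validate the value, not just its characters: only hosts we own qualify.
    if (!in_array($server, KNOWN_SERVERS, true)) {
        return null;
    }
    return buildTarget($server);
}

// Constructed sample inputs: one legitimate, one lowercase-only but not ours.
foreach (['login', 'notours'] as $candidate) {
    printf(
        "%-8s charfilter=%s  target=%s  closed-set=%s\n",
        $candidate,
        passesCharFilter($candidate) ? 'pass' : 'fail',
        buildTarget($candidate),
        buildTargetSafely($candidate) ?? 'rejected'
    );
}
```

Both inputs pass the [a-z] filter and both produce a syntactically valid URL; only the closed-set check distinguishes https://www.login.com/... from https://www.notours.com/..., which is the mistake the post describes. The same rule applies to any untrusted value that ends up in a URL, a redirect, or an include path: allowlist what it may be, not merely which characters it may contain.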
