Vulnerability Development mailing list archives

Re: CROSS SITE-SCRIPTING Protection with PHP


From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Oct 2002 13:36:32 -0400

On Mon, 14 Oct 2002 18:06:51 +0200, "Sverre H. Huseby" said:

>   * Automatically providing tamper control (eg. message digests) to
>     data that are not supposed to be tampered with.

And you verify that the digest isn't changed *how*?  (Hint - how do you
keep your attacker from handing you a piece of data along with a digest that
matches?)

>   * Automatically checking the length of input where possible.

In general, not doable outside of a strongly typed language - how does the
API "know" that the maximum allowed length of a string is 37?  Note that
this is particularly tricky if (for instance) you're writing in Perl, which
doesn't have an inherent maximum length, but you're eventually passing it to
an Oracle database that has '37' as the length..

> To make everything even more automatic, the system could start with a
> high level definition of all objects (and possibly all web pages).

Hmm.. and the LDAP schemas, and the Oracle table definitions, and.....

It's a lot harder to do than it looks, and usually just having good programming
standards will do 95% of what's needed....
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
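The point Valdis raises about digests is easiest to see in code. The following is an added example, not code from the original thread or from either poster: it shows the unkeyed scheme (a bare digest stored next to the data), an attacker forging a matching digest for tampered data, and the usual remedy, a keyed MAC (HMAC) under a server-side secret that the attacker never sees. The hidden-form-field wrapper (`sign_fields` / `verify_fields`), the field names and the key are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed example key for this demo. A real deployment loads it from
# server-side configuration; it must never reach the browser or the page source.
SERVER_KEY = b"constructed-demo-key-replace-in-production"


def canonical(fields):
    """Serialise a dict of form fields unambiguously (sorted keys, URL-encoded)."""
    return urlencode(sorted(fields.items())).encode()


# --- the scheme the reply criticises: a bare digest travels with the data ---

def unkeyed_tag(data):
    return hashlib.sha256(data).hexdigest()


def unkeyed_verify(data, tag):
    return hmac.compare_digest(unkeyed_tag(data), tag)


def forge_unkeyed(attacker_data):
    """Anyone who knows the algorithm can recompute the digest for their own data."""
    return attacker_data, unkeyed_tag(attacker_data)


# --- the fix: a keyed MAC, so a matching tag requires the server-side secret ---

def keyed_tag(data, key=SERVER_KEY):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_verify(data, tag, key=SERVER_KEY):
    # compare_digest avoids leaking the expected tag through timing differences
    return hmac.compare_digest(keyed_tag(data, key), tag)


def sign_fields(fields, key=SERVER_KEY):
    """Return a copy of the protected fields with an added '_tag' hidden field."""
    signed = dict(fields)
    signed["_tag"] = keyed_tag(canonical(fields), key)
    return signed


def verify_fields(submitted, key=SERVER_KEY):
    """Return the protected fields if the tag checks out, otherwise None."""
    fields = {k: v for k, v in submitted.items() if k != "_tag"}
    tag = submitted.get("_tag", "")
    if not keyed_verify(canonical(fields), tag, key):
        return None
    return fields


def demo():
    original = b"price=100&user=alice"
    tampered = b"price=1&user=alice"

    # Unkeyed: the attacker hands over tampered data plus a digest that matches.
    data, tag = forge_unkeyed(tampered)
    unkeyed_forgery_accepted = unkeyed_verify(data, tag)

    # Keyed: the best the attacker can do without the key is a bare digest
    # (or an HMAC under a guessed key), and the server rejects both.
    keyed_forgery_rejected = not keyed_verify(tampered, unkeyed_tag(tampered))
    keyed_forgery_rejected &= not keyed_verify(tampered, keyed_tag(tampered, b"guess"))
    keyed_genuine_accepted = keyed_verify(original, keyed_tag(original))
    return unkeyed_forgery_accepted, keyed_forgery_rejected, keyed_genuine_accepted


if __name__ == "__main__":
    print(demo())
    form = sign_fields({"price": "100", "user": "alice"})
    print(verify_fields(form))
    form["price"] = "1"
    print(verify_fields(form))
```

Two caveats a practitioner would add: the key has to stay on the server (a digest the client can recompute is what the reply objects to, and an HMAC whose key leaks into page source or a readable include is no better), and a MAC only proves the fields are unmodified, not that they belong to this user or this request, so bind a user or session identifier into the signed data if a signed set of fields from one session must not be replayed in another.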
