WebApp Sec mailing list archives
forbidden functions on client-side scripts
From: "Shimon Silberschlag" <shimons () bll co il>
Date: Wed, 11 Dec 2002 19:06:18 +0200
Some products that are used as content filters for the HTTP traffic used by internal users have the ability to block certain "dangerous" functions used on client-side scripts from getting to the internal client. Attached is the default function list used by such a product. Since I'm not a programmer, can someone tell me if this list is complete/overkill/lacking, and what other functions that are dangerous/benign should I consider adding/dropping from the list? The list is given for VBScript and JavaScript separately.

[VB SCRIPT]
Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,File Exist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Open textfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite

[JAVA SCRIPT]
Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite

TIA,
Shimon Silberschlag
+972-3-9352785
+972-51-207130
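An added example, not part of Shimon's post or of any product's code: a minimal text-matching filter driven by the post's JavaScript word list, run over two constructed scripts to show what such a list catches and where it misfires (the split "GetExte nsionName" is taken as GetExtensionName).

```javascript
// The JavaScript word list as given in the post.
const FORBIDDEN_JS = [
  "CreateObject", "ActiveXobject", "GetParentFolderName", "GetFolder",
  "GetExtensionName", "Replace", "Opentextfile", "DeleteFile", "CopyFile", "RegWrite",
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Scan a script body for whole-word hits of the forbidden words.
// Returns [{ word, index, matched }] in order of appearance.
function scanScript(source, words = FORBIDDEN_JS, ignoreCase = true) {
  const hits = [];
  for (const word of words) {
    const re = new RegExp("\\b" + escapeRegExp(word) + "\\b", ignoreCase ? "gi" : "g");
    let m;
    while ((m = re.exec(source)) !== null) {
      hits.push({ word, index: m.index, matched: m[0] });
    }
  }
  return hits.sort((a, b) => a.index - b.index);
}

// Constructed samples (not from the post).
// 1) The kind of script the list is meant to stop: FileSystemObject via ActiveX.
const hostile = 'var fso = new ActiveXObject("Scripting.FileSystemObject");\n' +
                'fso.DeleteFile("C:\\\\tmp\\\\report.txt");';
// 2) An ordinary page script that only edits a string.
const benign = 'document.title = document.title.replace(/draft/i, "final");';

function demo() {
  return {
    hostileCaseInsensitive: scanScript(hostile).map(h => h.word),
    // JScript identifiers are case-sensitive and the real name is ActiveXObject,
    // so a case-sensitive match on the list's "ActiveXobject" misses it entirely.
    hostileCaseSensitive: scanScript(hostile, FORBIDDEN_JS, false).map(h => h.word),
    // "Replace" is also the everyday String.replace method, so the harmless
    // script is blocked as well: a false positive on most real pages.
    benignCaseInsensitive: scanScript(benign).map(h => h.word),
  };
}
```

Word-list matching like this has to be case-insensitive to hit the real ActiveXObject name, and with "Replace" on the list it flags ordinary string handling, which is the overkill/lacking trade-off the post asks about.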
Current thread:
- forbidden functions on client-side scripts Shimon Silberschlag (Dec 11)
- Re: forbidden functions on client-side scripts Alonso Robles (Dec 12)
- <Possible follow-ups>
- RE: forbidden functions on client-side scripts Uzi Refaeli (Dec 11)
- RE: forbidden functions on client-side scripts Thor Larholm (Dec 13)