WebApp Sec mailing list archives

RE: forbidden functions on client-side scripts


From: "Uzi Refaeli" <uzix () dotomi com>
Date: Thu, 12 Dec 2002 09:12:19 +0200

What do you mean by internal clients?
And at which step of the way do these programs do the filtering?

Uzi Refaeli
Dotomi
972-52-564496

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons () bll co il]
Sent: Wednesday, December 11, 2002 7:06 PM
To: webappsec () securityfocus com
Subject: forbidden functions on client-side scripts


Some products that are used as content filters for the HTTP traffic
used by internal users, have the ability to block certain "dangerous"
functions used on client side scripts from getting to the internal
client. Attached is the default function list used by such a product.
Since I'm not a programmer, can someone tell me if this list is
complete/overkill/lacking and what other functions that are
dangerous/benign should I consider adding/dropping from the list. The
list is given for VBscript and Javascript separately.


[VB SCRIPT]
Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,FileExist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Opentextfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite


[JAVA SCRIPT]
Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite

TIA,

Shimon Silberschlag

+972-3-9352785
+972-51-207130


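As an added illustration of how a forbidden-word filter of the kind described in the thread behaves, here is a small Python checker that applies the posted lists to constructed sample scripts. This is not code from the poster or from the filtering product; the product's actual matching rules are not stated, so whole-identifier, case-insensitive matching is an assumption (chosen because VBScript identifiers are case-insensitive), and the three sample scripts are constructed for the example. Running it shows both sides of the "overkill/lacking" question: a script reaching the file system through `CreateObject`/`OpenTextFile` is flagged, but so is a harmless script that only uses `Replace` for string manipulation.

```python
import re

# Forbidden-word lists exactly as posted in the thread (the product's defaults,
# including its own spelling of entries such as "ExpandEnviromentString").
VBSCRIPT_FORBIDDEN = [
    "CreateObject", "GetParentFolderName", "GetFolder", "GetExtensionName", "FileExist",
    "GetSpecialFolder", "GetFile", "Replace", "DriveType", "ExpandEnviromentString",
    "Opentextfile", "CreateTextRange", "OpenAsTextStream", "DeleteFile", "CopyFile", "RegWrite",
]
JAVASCRIPT_FORBIDDEN = [
    "CreateObject", "ActiveXobject", "GetParentFolderName", "GetFolder", "GetExtensionName",
    "Replace", "Opentextfile", "DeleteFile", "CopyFile", "RegWrite",
]


def build_matcher(words):
    # Assumption: the filter matches whole identifiers, case-insensitively.
    # \b keeps "GetFile" from matching inside "GetFileName"-style identifiers.
    alternation = "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))
    return re.compile(r"\b(?:" + alternation + r")\b", re.IGNORECASE)


def scan(script, language):
    """Return [(line_number, list_entry), ...] for every forbidden word found."""
    words = {"vbscript": VBSCRIPT_FORBIDDEN, "javascript": JAVASCRIPT_FORBIDDEN}[language]
    canonical = {w.lower(): w for w in words}  # report the list's spelling, not the script's
    matcher = build_matcher(words)
    hits = []
    for number, line in enumerate(script.splitlines(), start=1):
        for match in matcher.finditer(line):
            hits.append((number, canonical[match.group(0).lower()]))
    return hits


def summarize(script, language):
    """Decision a content filter would make: block if any forbidden word appears."""
    hits = scan(script, language)
    return {"blocked": bool(hits), "hits": hits}


# Constructed sample 1: reaches the local file system via the FileSystemObject.
FILE_ACCESS_VBS = """\
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile("example.txt", 1)
WScript.Echo ts.ReadAll
"""

# Constructed sample 2: benign text handling; Replace here is plain string work,
# so flagging it is a false positive (the "overkill" side of the question).
BENIGN_VBS = """\
greeting = Replace("Hello World", "World", "Reader")
MsgBox greeting
"""

# Constructed sample 3: ordinary DOM scripting that the list leaves alone.
BENIGN_JS = """\
var box = document.getElementById("msg");
box.innerHTML = "Loaded at " + new Date().toString();
"""

if __name__ == "__main__":
    for name, source, language in [
        ("file-access.vbs", FILE_ACCESS_VBS, "vbscript"),
        ("greeting.vbs", BENIGN_VBS, "vbscript"),
        ("page.js", BENIGN_JS, "javascript"),
    ]:
        print(name, summarize(source, language))
```

The `Replace` hit on the second sample is the kind of entry worth reviewing before deploying such a list: it is a general string function, so blocking it will break ordinary pages, whereas entries like `CreateObject` and `OpenTextFile` only appear when a script is reaching for COM objects outside the browser sandbox.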