WebApp Sec mailing list archives
RE: #include file tag in HTML: possible issues?
From: "Giuseppe DELL'ERBA" <giuseppe.dellerba () st com>
Date: Fri, 20 Jan 2006 17:05:31 +0100
...any additional feedbacks about the request below? Thanks Peppe -----Original Message----- From: giuseppe dellerba [mailto:giuseppe.dellerba () st com] Sent: Monday, January 16, 2006 11:43 AM To: 'Aman Raheja'; 'pg_vlad () hotmail com'; 'webappsec () securityfocus com' Subject: RE: #include file tag in HTML: possible issues? More details for your feedbacks: the application creates HTML pages, on URL basis, using templates. The content aggregation logic is based on JSP. The application will retrieve these templates and, using TAGLIB technology, will substitute the TAGLIB with the dynamic content and metadata. The idea is to add the #include file tag in the new templates. The contents and the templates come from company internal resources. Thanks Peppe -----Original Message----- From: Aman Raheja [mailto:araheja () techquotes com] Sent: Sunday, January 15, 2006 5:12 PM To: Giuseppe DELL'ERBA Cc: webappsec () securityfocus com Subject: Re: #include file tag in HTML: possible issues? What type of code are we talking about ? Not knowing what type of code is the application or stored in the external file that gets inserted, it would be hard for anyone to think of the threat scenarios, let alone the suggestions for remediation. If the external file's contents are checked against different types of attacks that the particular code could possibly be vulnerable to, it should be fine. Moreover, who created these external files is a valid concern, since you have not mentioned. If the external file's content is controlled that could be another layer of security towards the final application. Regards Aman Raheja Giuseppe DELL'ERBA wrote:
Hi all, I have to evaluate from security point of view an application that is going to add in its template pages the #include file tag. This will allow a section of code to be inserted in the page, and the code that is inserted may be stored in an external file. Do you think this feature can introduce possible security threats? And, eventually, the remediation needed? Thanks Peppe ----------------------------------------------------------------------- -- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh ----------------------------------------------------------------------- ---
------------------------------------------------------------------------- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh --------------------------------------------------------------------------
Current thread:
- #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 14)
- Re: #include file tag in HTML: possible issues? Aman Raheja (Jan 15)
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 17)
- Re: #include file tag in HTML: possible issues? Jon Hart (Jan 17)
- <Possible follow-ups>
- RE: #include file tag in HTML: possible issues? Giuseppe DELL'ERBA (Jan 20)
- Re: #include file tag in HTML: possible issues? Aman Raheja (Jan 15)