On 27-10-2010 at 20:13, Rick Grashel wrote:
> I would recommend reading OWASP.org regarding this stuff. Their best
> practices on XSS as well as SQL injection are very good.
>
> http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
>
> -- Rick
A very good point. One thing I'm missing in this thread though is that, AFAIK, cross site scripting attacks can also take the form of fully correct, sane user input! The important part here is that the user has not performed the action, but a script does it for them.

As always, it's a matter of balancing risk and damage. For administrative applications it's usually enough that the data can be altered later. This then undoes the attack. For financial transactions, like internet banking and e-commerce, each transaction is usually authenticated separately. Combined with feedback on the actual transaction, this mitigates the risk of scripts spending your money quite well (it makes any attack visible).

Oscar

-- 
Oscar Westra van Holthe - Kind    http://oscar.westravanholthe.nl/
Simplicity is prerequisite for reliability.
    -- Edsger Dijkstra, EWD498
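Oscar's mitigation for the financial case, a separate authorization of each transaction plus feedback on what is being confirmed, as an added example in Python (not code from this thread or from the Stripes project). The class, the session ids and the account names below are assumed and constructed for illustration.

```python
import secrets

# Added example, not from the mailing-list thread.  A session cookie alone
# must not be enough to move money: every transfer needs a fresh, single-use
# confirmation token that the server bound to the exact details it showed
# the user.  A script submitting a well-formed request on the user's behalf
# has no such token, and a captured token cannot be replayed.

class TransactionAuthorizer:
    def __init__(self):
        # token -> (session_id, amount_cents, destination), server side only
        self._pending = {}

    def start(self, session_id, amount_cents, destination):
        """Step 1: the user requests a transfer; issue a token bound to it."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (session_id, amount_cents, destination)
        return token

    def confirmation_text(self, token):
        """Step 2: the feedback shown on the confirmation page, taken from
        the server-side record, never from the submitted form fields."""
        details = self._pending.get(token)
        if details is None:
            return None
        _, amount_cents, destination = details
        return f"Transfer {amount_cents / 100:.2f} to {destination}?"

    def confirm(self, token, session_id, amount_cents, destination):
        """Step 3: accept the transfer only if the token exists, belongs to
        this session, matches the shown details and has not been used.
        The token is consumed on any attempt, so a mismatch also voids it."""
        bound = self._pending.pop(token, None)
        if bound is None:
            return False        # missing, unknown or already-used token
        return bound == (session_id, amount_cents, destination)


if __name__ == "__main__":
    auth = TransactionAuthorizer()
    tok = auth.start("sess-A", 12500, "dest-account-42")
    print(auth.confirmation_text(tok))                      # shown to the user
    print(auth.confirm("", "sess-A", 12500, "dest-account-42"))   # forged, no token
    print(auth.confirm(tok, "sess-A", 12500, "dest-account-42"))  # genuine confirm
    print(auth.confirm(tok, "sess-A", 12500, "dest-account-42"))  # replay
```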
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users