Hi,
After doing additional research it appears I need to check all incoming
arguments whether hidden or contained in the url. I thought I would do the
following
1) Find all the arguments with <@ASSIGN request$mySEARCHargs VALUE="<@SEARCHARGNAMES>">
2) Change the args to request-scoped vars
3) Sanitize them by removing these characters: & ' " > < ( ) [ ] ; : / { } ! -- = _
I was also thinking about pre-pending argument names for forms with a
character to define that this arg is a number, alpha/numeric, telephone
number, etc. and then validate the field accordingly as well.
All of this would be done server side in my housekeeping tcf.
I would appreciate if anyone could tell me if I am on the right path and
post any suggestions as well.
Thanks
Steve Fogelson
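As an added illustration in Python (not code from this thread or from Witango) of the three steps and the prefix-typed validation idea described above; the strip list, the n_/a_/t_ prefix convention and the sample arguments are assumptions made here:

```python
import re

# Characters the message proposes removing from every incoming argument
# (assumed transcription of the list in the thread).
STRIP_CHARS = set("&'\"><()[];:/{}!-=_")

# Assumed prefix convention for form field names: the part before the first
# underscore says what the field must contain. Hypothetical, not a Witango feature.
TYPE_RULES = {
    "n": re.compile(r"[0-9]+"),            # numeric only
    "a": re.compile(r"[A-Za-z0-9 ]+"),     # alphanumeric (spaces allowed)
    "t": re.compile(r"\+?[0-9 ]{7,20}"),   # telephone: digits/spaces, optional leading +
}

def sanitize(value):
    """Step 3: drop every character in STRIP_CHARS from the argument value."""
    return "".join(ch for ch in value if ch not in STRIP_CHARS)

def validate(name, value):
    """Return (ok, cleaned). The type check uses the assumed name prefix."""
    cleaned = sanitize(value)
    prefix, sep, _ = name.partition("_")
    rule = TYPE_RULES.get(prefix) if sep else None
    if rule is None:
        return True, cleaned          # untyped field: sanitized only
    return rule.fullmatch(cleaned) is not None, cleaned

def scrub_request(args):
    """Steps 1-2: walk every incoming argument and build the request-scoped copy.
    Returns (request_vars, rejected); rejected lists fields failing their type rule."""
    request_vars, rejected = {}, []
    for name, value in args.items():
        ok, cleaned = validate(name, value)
        request_vars[name] = cleaned
        if not ok:
            rejected.append(name)
    return request_vars, rejected

# Constructed sample of URL/form arguments, including a tag-injection attempt.
SAMPLE_ARGS = {
    "n_qty": "12",
    "n_zip": "9021O",                      # letter O, so it fails the numeric rule
    "a_name": "O'Brien <b>bold</b>",
    "t_phone": "+1 (555) 010-2000",        # parentheses and dash get stripped
    "comment": "<script>alert(1)</script>",
}

if __name__ == "__main__":
    request_vars, rejected = scrub_request(SAMPLE_ARGS)
    for name, value in request_vars.items():
        print(name, repr(value), "REJECTED" if name in rejected else "ok")
```

Note that stripping also removes legitimate characters (the apostrophe in O'Brien, the dash in the phone number), which is the usual cost of a character blacklist applied on input.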
-----Original Message-----
From: Fogelson, Steve [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 9:48 PM
To: [email protected]
Subject: Witango-Talk: Cross Site Scripting Vulnerability
Hi,
I just signed up with HackerSafe to scan one of my sites. Well I have Cross
Site Scripting Vulnerability on some of my pages, i.e. Login, adding a new
customer, adding billing and shipping info, etc. Any page that has a form on
it.
I have researched the Witango forum and didn't find anything, but I might
have used the incorrect search criteria. It appears that the solutions are
the following:
1) Don't allow any html tags
2) Don't allow any quotes
3) Don't allow any parenthesis
So it looks like I need to filter each field (argument) for the above and
remove it.
I would appreciate any info, filters, etc. that anyone could provide.
Thanks in advance.
Steve Fogelson
Internet Commerce Solutions
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf