Steve, in my opinion you would be better served by checking the ENCODING parameter for metatags that contain variable content that are displayed in a results page.
Normal encoding will escape "<script" to ">script" which is unlikely to be vulnerable to cross-site scripting attacks. HTML tags will be escaped in a similar way, so event handlers are not likely to be called either. ENCODING=HTML and ENCODING=MULTILINE will pass a "<script" through unaltered, so you should check that these values cannot be set by unauthorized users. ENCODING=METAHTML poses a similar risk, and metatags will be expanded as well, so a Witango-savvy hacker could exploit this for a server-side attack. This is probably unlikely - we are all nice people.

-----Original Message-----
From: Fogelson, Steve [mailto:[EMAIL PROTECTED]
Sent: Friday, April 27, 2007 2:45 PM
To: [email protected]
Subject: RE: Witango-Talk: Cross Site Scripting Vulnerability

Hi,

After doing additional research it appears I need to check all incoming arguments, whether hidden or contained in the URL. I thought I would do the following:

1) Find all the arguments with <@ASSIGN request$mySEARCHargs VALUE="<@SEARCHARGNAMES>">
2) Change the args to request-scoped vars
3) Sanitize them by removing these characters: & ' " > < ( ) [ ] ; : / { } ! -- = _

I was also thinking about pre-pending argument names for forms with a character to define that this arg is a number, alpha/numeric, telephone number, etc. and then validate the field accordingly as well. All of this would be done server side in my housekeeping tcf.

I would appreciate it if anyone could tell me if I am on the right path and post any suggestions as well.

Thanks
Steve Fogelson

-----Original Message-----
From: Fogelson, Steve [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 9:48 PM
To: [email protected]
Subject: Witango-Talk: Cross Site Scripting Vulnerability

Hi,

I just signed up with HackerSafe to scan one of my sites. Well, I have a Cross Site Scripting Vulnerability on some of my pages, i.e. Login, adding a new customer, adding billing and shipping info, etc. Any page that has a form on it.

I have researched the Witango forum and didn't find anything, but I might have used the incorrect search criteria. It appears that the solutions are the following:

1) Don't allow any HTML tags
2) Don't allow any quotes
3) Don't allow any parentheses

So it looks like I need to filter each field (argument) for the above and remove it. I would appreciate any info, filters, etc. that anyone could provide.

Thanks in advance.
Steve Fogelson
Internet Commerce Solutions

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
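The two approaches discussed in this thread, output encoding of variable content versus stripping a blacklist of characters from every incoming argument, can be contrasted in a few lines. The following is an added Python example written for this page, not Witango code and not from any list member; it uses Python's standard `html.escape` as a stand-in for Witango's normal ENCODING behaviour, and the `n_`/`a_`/`t_` field-name prefixes for the per-type validation Steve describes are a constructed convention, not anything Witango defines.

```python
import html
import re

# Character set Steve proposes stripping from every argument (from the post).
BLACKLIST = set("&'\"><()[];:/{}!=_")


def strip_blacklist(value: str) -> str:
    """Blacklist approach from the post: drop every listed character and the
    two-character sequence '--'. Note that it also destroys legitimate data
    (apostrophes in names, slashes in dates, '&' in company names)."""
    return "".join(ch for ch in value.replace("--", "") if ch not in BLACKLIST)


def encode_for_html(value: str) -> str:
    """Output-encoding approach: escape HTML metacharacters at render time so
    the browser displays the stored text literally. The data itself is kept
    intact; only its representation in the page changes."""
    return html.escape(value, quote=True)


# Allow-list validators keyed by a constructed field-name prefix: a number,
# an alphanumeric string, and a telephone number. Each pattern says what IS
# allowed rather than listing what is forbidden.
VALIDATORS = {
    "n_": re.compile(r"^\d{1,12}$"),
    "a_": re.compile(r"^[A-Za-z0-9 ]{1,64}$"),
    "t_": re.compile(r"^\+?[0-9][0-9 \-]{6,19}$"),
}


def validate_arg(name: str, value: str) -> bool:
    """Return True only if the argument's declared type accepts the value.
    An argument with no recognised prefix is rejected rather than guessed."""
    for prefix, pattern in VALIDATORS.items():
        if name.startswith(prefix):
            return pattern.fullmatch(value) is not None
    return False


def render_results(args: dict) -> str:
    """Build a results-page fragment with every variable encoded on output,
    which is where the encoding has to happen regardless of input filtering."""
    rows = "".join(
        f"<li>{encode_for_html(k)}: {encode_for_html(v)}</li>" for k, v in args.items()
    )
    return f"<ul>{rows}</ul>"


if __name__ == "__main__":
    # Constructed sample arguments, including one that a scanner would flag.
    sample = {"a_name": "O'Brien & Sons", "n_qty": "12", "q": "<script>alert(1)</script>"}
    for k, v in sample.items():
        print(f"{k}: stripped={strip_blacklist(v)!r} encoded={encode_for_html(v)!r}")
    print(render_results(sample))
```

The point the example makes is that stripping characters changes what the customer typed (O'Brien becomes OBrien) while still leaving the output path responsible for safety, whereas encoding on output neutralises the script fragment without altering stored data; the prefix validators then reject malformed numbers or telephone numbers before they are ever stored.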
