Here's what I do:

1. Since there is an inherent difference between GET and POST (idempotency), I explicitly use <@SEARCHARG> or <@POSTARG>.

2. <@SEARCHARG> used within the taf for IF/THEN/ELSE actions is implicitly ok, because only a <@SEARCHARG> that matches the logic is allowed.

3. Some other data is passed as a GET, for example _uid1, or a _sortby argument. These are EXPLICITLY validated, converting them into request scope variables, making sure they exist and have permitted values. That's because these can be passed through to the database, and you need to avoid SQL injection.

4. <@POSTARGS> are automatically converted to variables, validated against the column type and length, and optionally further validated, using <@ISEMAIL>, <@ISNUM>, <@ISPHONE>, etc.

Bill

---------- Original Message -----------
From: "Fogelson, Steve" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Fri, 27 Apr 2007 13:45:13 -0500
Subject: RE: Witango-Talk: Cross Site Scripting Vulnerability

> Hi,
>
> After doing additional research it appears I need to check all incoming
> arguments whether hidden or contained in the url. I thought I would
> do the following
>
> 1) Find all the arguments with <@ASSIGN request$mySEARCHargs
> VALUE="<@SEARCHARGNAMES>">
>
> 2) Change the args to request scoped vars
>
> 3) Sanitize them by removing these characters & ' " > < ( ) [ ] ; :
> / { } ! -- = _
>
> I was also thinking about pre-pending argument names for forms with a
> character to define that this arg is a number, alpha/numeric, telephone
> number, etc. and then validate the field accordingly as well.
>
> All of this would be done server side in my housekeeping tcf.
>
> I would appreciate if anyone could tell me if I am on the right path
> and post any suggestions as well.
>
> Thanks
>
> Steve Fogelson
>
> -----Original Message-----
> From: Fogelson, Steve [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 26, 2007 9:48 PM
> To: [email protected]
> Subject: Witango-Talk: Cross Site Scripting Vulnerability
>
> Hi,
>
> I just signed up with HackerSafe to scan one of my sites. Well I
> have Cross Site Scripting Vulnerability on some of my pages. IE:
> Login, adding a new customer, adding billing and shipping info, etc.
> Any page that has a form on it.
>
> I have researched the Witango forum and didn't find anything, but I might
> have used the incorrect search criteria. It appears that the
> solutions are the following: 1) Don't allow any html tags 2) Don't
> allow any quotes 3) Don't allow any parenthesis So it looks like I
> need to filter each field (argument) for the above and remove it.
>
> I would appreciate any info, filters, etc that anyone could provide.
>
> Thanks in advance.
>
> Steve Fogelson
> Internet Commerce Solutions
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
------- End of Original Message -------
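A Python stand-in for the allow-list approach Bill describes for the _sortby and _uid1 GET arguments, plus output encoding for the form fields Steve asks about. This is an added example, not Witango code and not from anyone in the thread; the permitted column names, the `orders` table and the `BadArgument` class are assumptions.

```python
"""Allow-list validation of request arguments before they reach SQL,
and HTML escaping on output instead of stripping characters on input.
Hypothetical Python illustration; Witango's <@SEARCHARG>/<@POSTARG>
handling is not reproduced here."""
import html
import re

# Constructed allow-lists: the only column names and orders the
# application permits in a _sortby argument.
SORT_COLUMNS = {"last_name", "created", "email"}
SORT_ORDERS = {"asc", "desc"}
UID_RE = re.compile(r"^[0-9]{1,10}$")


class BadArgument(ValueError):
    """Raised when an incoming argument fails validation."""


def validate_sortby(raw):
    """Return (column, order) only if both parts are on the allow-list.
    The raw value never reaches the SQL string; the allow-listed constant does."""
    column, _, order = raw.strip().partition(" ")
    order = (order or "asc").lower()
    if column not in SORT_COLUMNS or order not in SORT_ORDERS:
        raise BadArgument("_sortby not permitted: %r" % raw)
    return column, order


def validate_uid(raw):
    """_uid1 must be a short run of digits; anything else is rejected."""
    if not UID_RE.match(raw):
        raise BadArgument("_uid1 not numeric: %r" % raw)
    return int(raw)


def build_query(args):
    """Build ORDER BY from validated constants and pass the uid as a bound
    parameter, so neither GET argument can change the shape of the SQL."""
    column, order = validate_sortby(args.get("_sortby", "created"))
    uid = validate_uid(args.get("_uid1", ""))
    sql = "SELECT * FROM orders WHERE customer_id = ? ORDER BY %s %s" % (column, order)
    return sql, (uid,)


def render_field(value):
    """XSS side: keep the stored value intact and escape it when it is
    written into HTML, rather than deleting characters on the way in."""
    return html.escape(value, quote=True)
```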
