Hi Jason
I did exactly what you are describing.
I made a security.tcf.
(1) <@KEEP "<@ARG <@GETPARAM NAME=arg_name>>"
CHARS="<@VAR List_illegalCharacters SCOPE=User>">
I assign this to a variable
(2) Then
<@LENGTH STR="<@VAR ArgHas_iLLegals SCOPE=Instance>">
should be zero.
If not zero: a polite message, and the app stops.
If they try again, they get kicked off.
(3) Also, I can update my list of illegal characters by changing the
<@VAR List_illegalCharacters SCOPE=User>
When I test it, it works.
Janet
-----Original Message-----
From: Fogelson, Steve [mailto:[EMAIL PROTECTED]
Sent: Friday, April 27, 2007 2:45 PM
To: [email protected]
Subject: RE: Witango-Talk: Cross Site Scripting Vulnerability
Hi,
After doing additional research it appears I need to check all incoming
arguments whether hidden or contained in the url. I thought I would do the
following
1) Find all the arguments with <@ASSIGN request$mySEARCHargs
VALUE="<@SEARCHARGNAMES>">
2) Change the args to request scoped vars
3) Sanitize them by removing these characters: & ' " > < ( ) [ ] ; : / { } ! -- = _
I was also thinking about pre-pending argument names for forms with a
character to define that this arg is a number, alpha/numeric, telephone
number, etc. and then validate the field accordingly as well.
All of this would be done server side in my housekeeping tcf.
I would appreciate if anyone could tell me if I am on the right path and
post any suggestions as well.
Thanks
Steve Fogelson
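The two approaches in this thread side by side, as an added illustration (not Witango code from either poster): Janet's check keeps only the illegal characters and rejects the argument when anything is left, while Steve's step 3 strips them and continues. The illegal-character list and the request arguments are constructed for the example; the HTML-escaping helper is added here as the usual complement to input filtering and is not part of the original posts.

```python
import html

# Constructed illegal-character list, following the one Steve proposes.
ILLEGAL_CHARS = set("&'\"><()[];:/{}!-=_")


def illegal_chars_in(value: str) -> str:
    """Janet's <@KEEP> idea: keep only the illegal characters found in the
    argument. An empty result means the argument is clean."""
    return "".join(ch for ch in value if ch in ILLEGAL_CHARS)


def check_args(args: dict) -> list:
    """Reject variant (Janet): names of arguments that contain at least one
    illegal character, so the caller can show a message and stop."""
    return [name for name, value in args.items() if illegal_chars_in(value)]


def strip_illegal(value: str) -> str:
    """Remove-and-continue variant (Steve's step 3)."""
    return "".join(ch for ch in value if ch not in ILLEGAL_CHARS)


def escape_for_html(value: str) -> str:
    """Output encoding: store the value as typed and neutralise it only when
    it is written into a page. Added here as a complement to filtering."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed request arguments, as <@SEARCHARGNAMES> would list them.
    request_args = {
        "username": "jane_doe",                  # legitimate, but "_" is on the list
        "email": "jane.doe@example.com",         # clean under this list
        "comment": "<script>alert(1)</script>",  # the case the scan flagged
    }
    print(check_args(request_args))              # ['username', 'comment']
    print(strip_illegal("jane_doe@example.com"))  # janedoe@example.com
    print(escape_for_html(request_args["comment"]))
```

Note that a character blocklist this broad rejects or mangles ordinary data such as usernames with underscores; escaping at output keeps the stored value intact.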
-----Original Message-----
From: Fogelson, Steve [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 26, 2007 9:48 PM
To: [email protected]
Subject: Witango-Talk: Cross Site Scripting Vulnerability
Hi,
I just signed up with HackerSafe to scan one of my sites. Well, I have a Cross
Site Scripting Vulnerability on some of my pages, i.e. Login, adding a new
customer, adding billing and shipping info, etc. Any page that has a form on
it.
I have researched the Witango forum and didn't find anything, but I might
have used the incorrect search criteria. It appears that the solutions are
the following:
1) Don't allow any html tags
2) Don't allow any quotes
3) Don't allow any parentheses
So it looks like I need to filter each field (argument) for the above and
remove it.
I would appreciate any info, filters, etc that anyone could provide.
Thanks in advance.
Steve Fogelson
Internet Commerce Solutions
________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf