Bugtraq mailing list archives
Re: Cross site scripting: a long term fix
From: Erik Peterson <axiom () NULL NET>
Date: Mon, 9 Oct 2000 16:40:31 -0400
Solution: AppShield from www.sanctuminc.com

I came across AppShield a while ago when the company was known as Perfecto, now Sanctum. I thought "wow" then, and I have been convinced ever since of their solution to CSS and just about every other web application vulnerability out there.

Spending all our time attempting to validate all form input, every script, CGI, and process, or building complex logic into a protocol that was never meant to do more than serve pages, is a losing battle. Just like trying to secure every system in your company: does anyone try to do that today? No, we install a firewall.

Think of AppShield as a stateful inspection firewall for your web site. It reads the HTML as it's served to the user in real time and generates a policy for that session and that page. Only 5 links on that web page? Then that's all the user can do: can't jump to /cgi-bin/, can't insert Perl scripts in form fields, can't execute a buffer overflow attack; everything taken care of nice and easy. AppShield can even put a hard limit on the characters you allow, and the max length you allow as well. Don't want "<>;%/?|"? Block it before it hits the web server.

Sure, it's not always easy to install (there is some configuration required with client-side scripting like JavaScript), but the product is overwhelmingly dynamic and easy to configure. These guys have had AppShield out since 1997, and every single web app attack I've read about could have been stopped by these guys. Oh, and did I mention that AppShield does not require pattern file updates: protection against the hacks that are known and _unknown_. Think about it!

If I hear about one more web site getting hacked at the application layer I'm going to be sick... oops, too late. Firewalls and IDS systems can't help you here; you need something that understands the application and can figure out right from wrong.

Erik Peterson
me () erikpeterson com
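The mechanism the post describes, a policy generated from the HTML that was just served and applied to the user's next request, is sketched below as an added example. This is not AppShield's code and not Erik's; it is a toy allow-list in Python. The sample page, the paths, the `maxlength` values, the assumed default of 64 for inputs without one, and the blocked character set (taken from the post's "<>;%/?|") are all constructed for the demonstration.

```python
"""Added example (not AppShield's code, not Erik's): a toy per-session policy
derived from the page that was just served, in the spirit of the post.
The HTML, paths and limits below are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _PageWalker(HTMLParser):
    """Collect the links and forms a served page actually offers the user."""

    DEFAULT_MAXLEN = 64  # assumed cap for inputs that declare no maxlength

    def __init__(self):
        super().__init__()
        self.links = []   # (path, query) pairs from <a href>
        self.forms = []   # {"method", "path", "fields": {name: maxlen}}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            u = urlsplit(a["href"])
            self.links.append((u.path, u.query))
        elif tag == "form":
            self._form = {
                "method": (a.get("method") or "get").upper(),
                "path": urlsplit(a.get("action") or "").path,
                "fields": {},
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("name"):
            maxlen = int(a.get("maxlength") or self.DEFAULT_MAXLEN)
            self._form["fields"][a["name"]] = maxlen

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


class SessionPolicy:
    """Allow-list built from one served page; check() is applied to the
    user's next request before it reaches the web server."""

    BLOCKED = set('<>;%/?|')  # the character set the post uses as its example

    def __init__(self, served_html):
        w = _PageWalker()
        w.feed(served_html)
        self.links = {}   # (method, path) -> set of exact query strings offered
        self.forms = {}   # (method, path) -> {field: maxlen}
        for path, query in w.links:
            self.links.setdefault(("GET", path), set()).add(query)
        for f in w.forms:
            self.forms[(f["method"], f["path"])] = f["fields"]

    def check(self, method, target, body=""):
        """Return (allowed, reason) for an incoming request line and body."""
        method = method.upper()
        u = urlsplit(target)
        key = (method, u.path)
        # 1. Plain link: only the exact URLs that appeared on the page.
        if key in self.links and u.query in self.links[key]:
            return True, "link offered on last page"
        # 2. Form submission: only declared fields, within declared limits.
        if key in self.forms:
            raw = u.query if method == "GET" else body
            params = parse_qs(raw, keep_blank_values=True)  # percent-decodes
            spec = self.forms[key]
            for name, values in params.items():
                if name not in spec:
                    return False, f"unexpected field {name!r}"
                for v in values:
                    if len(v) > spec[name]:
                        return False, f"{name!r} longer than {spec[name]}"
                    bad = set(v) & self.BLOCKED
                    if bad:
                        return False, f"{name!r} contains {''.join(sorted(bad))!r}"
            return True, "form fields within policy"
        return False, f"{method} {u.path} not offered on last page"


# Constructed sample page: two links, a GET search form, a POST login form.
SAMPLE_PAGE = """
<html><body>
<a href="/home">Home</a>
<a href="/products?cat=books">Books</a>
<form action="/search" method="get"><input name="q" maxlength="20"></form>
<form action="/login" method="post">
  <input name="user" maxlength="16">
  <input name="pass" type="password" maxlength="32">
</form>
</body></html>
"""

if __name__ == "__main__":
    policy = SessionPolicy(SAMPLE_PAGE)
    for req in [("GET", "/home", ""),
                ("GET", "/products?cat=books'+OR+1=1--", ""),
                ("GET", "/cgi-bin/phf?Qalias=x", ""),
                ("GET", "/search?q=perl+book", ""),
                ("GET", "/search?q=%3Cscript%3Ealert(1)", ""),
                ("POST", "/login", "user=bob&pass=hunter2"),
                ("POST", "/login", "user=bob&pass=x&debug=1")]:
        print(req[0], req[1], "->", policy.check(*req))
```

Two details matter in practice. The blocked-character test runs on the percent-decoded value, so `%3Cscript%3E` is caught the same way as a literal `<script>`. And the allow-list only knows what a static parser can see in the HTML: URLs assembled by client-side JavaScript never appear in it, which is the configuration effort the post itself admits to.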
Current thread:
- Cross site scripting: a long term fix Zag Zig (Oct 08)
- Re: Cross site scripting: a long term fix Gunther Birznieks (Oct 09)
- Re: Cross site scripting: a long term fix Cooper (Oct 09)
- Re: Cross site scripting: a long term fix David LeBlanc (Oct 09)
- Re: Cross site scripting: a long term fix Tollef Fog Heen (Oct 09)
- Re: Cross site scripting: a long term fix Erik Peterson (Oct 10)
- <Possible follow-ups>
- Re: Cross site scripting: a long term fix Michael Wojcik (Oct 10)
- Big Brother Systems and Network Monitor vulnerability Robert-Andre Croteau (Oct 10)
- Re: Cross site scripting: a long term fix Dmitry Yu. Bolkhovityanov (Oct 10)
- Re: Cross site scripting: a long term fix David M Chess/Watson/IBM (Oct 10)
- Re: Cross site scripting: a long term fix Doug Winter (Oct 11)