Bugtraq mailing list archives

Re: Cross site scripting: a long term fix


From: Erik Peterson <axiom () NULL NET>
Date: Mon, 9 Oct 2000 16:40:31 -0400

Solution: AppShield from www.sanctuminc.com

I came across AppShield a while ago when the company was known as Perfecto,
now Sanctum. I thought wow then, and I have been convinced ever since of
their solution to CSS and just about every other web application
vulnerability out there.

Spending all our time attempting to validate all form input, every script,
cgi, and process, or building complex logic into a protocol that was never
meant to do more than serve pages, is a losing battle. Just like trying to
secure every system in your company: does anyone try to do that today? No,
we install a firewall.

Think of AppShield as a stateful inspection firewall for your web site. It
reads the HTML as it's served to the user in real time and generates a
policy for that session and that page. Only 5 links on that web page? Then
that's all the user can do: can't jump to /cgi-bin/, can't insert perl
scripts in form fields, can't execute a buffer overflow attack, everything
taken care of nice and easy. AppShield can even put a hard limit on the
characters you allow, and the max length you allow as well. Don't want
"<>;%/?|"? Block it before it hits the web server. Sure, it's not always easy
to install (there is some configuration required with client side scripting
like JavaScript), but the product is overwhelmingly dynamic and easy to
configure.

These guys have had AppShield out since 1997, and every single web app
attack I've read about could have been stopped by these guys. Oh, and did I
mention that AppShield does not require pattern file updates: protection
against the hacks that are known and _unknown_. Think about it!

If I hear about one more web site getting hacked at the application layer I'm
going to be sick... oops, too late. Firewalls and IDS systems can't help you
here; you need something that understands the application and can figure out
right from wrong.

Erik Peterson
me () erikpeterson com
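As an added illustration of the per-page policy idea in the post above (this is example code written for this archive page, not code from the original message and not Sanctum's product), here is a small Python sketch: a policy is derived from the HTML as it is served (the links and form fields the page actually offers), and later requests in that session are checked against it for unexpected paths, unexpected fields, declared maxlength, and the forbidden characters the post names. The page and the requests are constructed sample input; `PolicyBuilder`, `build_policy` and `check_request` are names chosen here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FORBIDDEN = set('<>;%/?|')  # characters the post suggests refusing in field values

class PolicyBuilder(HTMLParser):
    """Collect the link targets and form fields a served page actually offers."""
    def __init__(self):
        super().__init__()
        self.paths = set()   # paths the user may request next in this session
        self.fields = {}     # form field name -> maxlength (None = no limit declared)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'a' and a.get('href'):
            self.paths.add(urlsplit(a['href']).path)
        elif tag == 'form' and a.get('action'):
            self.paths.add(urlsplit(a['action']).path)
        elif tag in ('input', 'textarea', 'select') and a.get('name'):
            ml = a.get('maxlength')
            self.fields[a['name']] = int(ml) if ml and ml.isdigit() else None

def build_policy(html):
    """Policy for one session/page, derived from the HTML exactly as served."""
    p = PolicyBuilder()
    p.feed(html)
    return {'paths': p.paths, 'fields': p.fields}

def check_request(policy, path, params):
    """Return the list of policy violations; an empty list means 'allowed'."""
    problems = []
    if path not in policy['paths']:
        problems.append(f'path {path!r} was not offered by the served page')
    for name, value in params.items():
        if name not in policy['fields']:
            problems.append(f'field {name!r} is not on the served form')
            continue
        limit = policy['fields'][name]
        if limit is not None and len(value) > limit:
            problems.append(f'field {name!r} longer than maxlength {limit}')
        bad = ''.join(sorted(set(value) & FORBIDDEN))
        if bad:
            problems.append(f'field {name!r} contains forbidden {bad!r}')
    return problems

# Constructed sample page (not a real site): one link and one search form.
PAGE = """<html><body><a href="/about.html">About</a>
<form action="/cgi-bin/search.pl" method="get">
<input name="q" maxlength="20"><input type="submit"></form></body></html>"""
POLICY = build_policy(PAGE)
```

A request for a path the page never linked, an extra field, an over-long value or a value containing one of the forbidden characters each produces a violation, while the two requests the page actually offers pass with an empty list.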
