Vulnerability Development mailing list archives
Re: CROSS SITE-SCRIPTING Protection with PHP
From: Valdis.Kletnieks () vt edu
Date: Mon, 14 Oct 2002 13:36:32 -0400
On Mon, 14 Oct 2002 18:06:51 +0200, "Sverre H. Huseby" said:
> * Automatically providing tamper control (eg. message digests) to data that are not supposed to be tampered with.

And you verify that the digest isn't changed *how*? (Hint - how do you keep your attacker from handing you a piece of data along with a digest that matches?)

> * Automatically checking the length of input where possible.

In general, not doable outside of a strongly typed language - how does the API "know" that the maximum allowed length of a string is 37? Note that this is particularly tricky if (for instance) you're writing in Perl, which doesn't have an inherent maximum length, but you're eventually passing it to an Oracle database that has '37' as the length..

> To make everything even more automatic, the system could start with a high level definition of all objects (and possibly all web pages).

Hmm.. and the LDAP schemas, and the Oracle table definitions, and..... It's a lot harder to do than it looks, and usually just having good programming standards will do 95% of what's needed....

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
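The digest point raised in the reply above can be made concrete. The following is an added example, not code from the thread or from any PHP framework discussed in it; it is written in Python rather than PHP because the issue is language-independent. It compares an unkeyed digest appended to a value that the client must not change (the "tamper control" being criticized) with an HMAC computed under a server-side secret. The field name, the sample value and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a value round-tripped through the client (e.g. a hidden
# form field) that the server wants to detect tampering on.
FIELD_VALUE = b"price=100"

# Constructed server-side secret; never leaves the server. In a real deployment
# this would be loaded from configuration, not generated per process.
SERVER_KEY = secrets.token_bytes(32)


def bare_digest(data: bytes) -> str:
    """Unkeyed 'tamper control': the digest alone, as criticized in the post."""
    return hashlib.sha256(data).hexdigest()


def verify_bare_digest(data: bytes, digest: str) -> bool:
    """Server-side check of an unkeyed digest. Passes for any (data, sha256(data)) pair."""
    return hmac.compare_digest(bare_digest(data), digest)


def forge_bare(new_value: bytes) -> tuple[bytes, str]:
    """What anyone can do without a secret: pick new data and compute its matching digest."""
    return new_value, bare_digest(new_value)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data under a secret only the server knows."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison of the recomputed tag against the submitted one."""
    return hmac.compare_digest(keyed_tag(key, data), tag)


def demo() -> dict:
    """Run both schemes against the same tampering attempt and report the outcome."""
    tampered = b"price=1"

    # Unkeyed: the client supplies the new value together with a digest that matches.
    forged_value, forged_digest = forge_bare(tampered)
    bare_accepted = verify_bare_digest(forged_value, forged_digest)

    # Keyed: the legitimate tag was issued for FIELD_VALUE; without SERVER_KEY the
    # client can only submit a plain digest or a tag under a guessed key.
    legit_ok = verify_keyed(SERVER_KEY, FIELD_VALUE, keyed_tag(SERVER_KEY, FIELD_VALUE))
    keyed_accepted = verify_keyed(SERVER_KEY, tampered, bare_digest(tampered)) or \
        verify_keyed(SERVER_KEY, tampered, keyed_tag(b"guessed-key", tampered))

    return {
        "bare_forgery_accepted": bare_accepted,   # True: the scheme detects nothing
        "keyed_legit_accepted": legit_ok,         # True
        "keyed_forgery_accepted": keyed_accepted, # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The keyed tag answers the "how do you verify it" question but not every tampering case: an attacker can still replay a previously issued (value, tag) pair, so in practice the tag should also cover a session or user identifier and, where relevant, an expiry, and the recomputation must use `hmac.compare_digest` rather than `==` to avoid timing leaks.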