WebApp Sec mailing list archives
RE: XSS, SQL injection etc - permutations of input strings
From: "Shields, Larry" <Larry.Shields () FMR COM>
Date: Wed, 29 Sep 2004 14:33:43 -0400
Yet, if you don't require it, it doesn't hurt. Keep the name/value pairs out of the browser history & web logs, if there's no real need to have them there (and if it's not https, out of the proxy logs & referer headers). Get rid of yet more possible sources of information disclosure. -Larry -----Original Message----- From: James Barkley [mailto:James.Barkley () noaa gov] Sent: Tuesday, September 28, 2004 1:06 AM To: focus () karsites net; webappsec () securityfocus com Subject: Re: XSS, SQL injection etc - permutations of input strings *** PGP SIGNATURE VERIFICATION *** *** Status: Unknown Signature *** Signer: Unknown Key (0x6725FF31) *** Signed: 9/28/2004 1:05:42 AM *** Verified: 9/29/2004 2:30:41 PM *** BEGIN PGP VERIFIED MESSAGE *** Turning off GET requests may not buy you as much as you think. Any dedicated hacker who is going to be attempting xss or sql injection, etc. probably knows how to save a page and tamper the post form vars. Also, if you do regular log checks variable tampering through GET requests is typically much easier to spot as the entire URL is logged and you can see hacking attempts as part of the URL request. *snip*
Current thread:
- List of Movies with security emphasis (in reply to: Hacking/security in main-stream media), (continued)
- List of Movies with security emphasis (in reply to: Hacking/security in main-stream media) saphyr (Sep 30)
- Re: Hacking/security in main-stream media Andrew Sledge (Sep 30)
- Re: Hacking/security in main-stream media Jason Merriman (Sep 30)
- Re: Hacking/security in main-stream media Damon Leung (Sep 30)
- Re: Hacking/security in main-stream media Vlado Blaskov (Sep 30)
- RE: XSS, SQL injection etc - permutations of input strings RSnake (Sep 28)
- RE: XSS, SQL injection etc - permutations of input strings Conacher, Chris (Sep 23)
- RE: XSS, SQL injection etc - permutations of input strings Keith Roberts (Sep 27)
- RE: XSS, SQL injection etc - permutations of input strings focus (Sep 29)
- RE: XSS, SQL injection etc - permutations of input strings Michael Silk (Sep 29)
- RE: XSS, SQL injection etc - permutations of input strings Shields, Larry (Sep 30)
- Re: XSS, SQL injection etc - permutations of input strings James Barkley (Sep 30)