WebApp Sec mailing list archives

Re: XSS, SQL injection etc - permutations of input strings

From: "James Barkley" <James.Barkley () noaa gov>
Date: Thu, 30 Sep 2004 06:26:18 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Depends on your setup and what you care about.  We review our weblogs
nightly and it is much much easier to see attempted hacks, including
the exact strings in sequential order.  Some sites probably see so
many sql injections or xss a day  they may not care.  However, if you
are talking about an intranet site then it is a big deal if you see
"https://intranet/login.php?user_id=1 AND select * from user" in your
weblog because it means you've got a personnel problem.  Perhaps
scrutinizing your weblogs this much seems paranoid, but it has helped
me on more than one occassion.

As far as keeping name value pairs out of the browser history, well,
nothing replaces common sense.  Don't use get requests to pass cc
numbers, passwords, session hashes, etc.

Shields, Larry wrote:

| Yet, if you don't require it, it doesn't hurt.  Keep the name/value
|pairs out of the browser history & web logs, if there's no real need to
|have them there (and if it's not https, out of the proxy logs & referer
|headers). Get rid of yet more possible sources of information
|disclosure.
|
|-Larry
|
|-----Original Message-----
|From: James Barkley [mailto:James.Barkley () noaa gov]
|Sent: Tuesday, September 28, 2004 1:06 AM
|To: focus () karsites net; webappsec () securityfocus com
|Subject: Re: XSS, SQL injection etc - permutations of input strings
|
|*** PGP SIGNATURE VERIFICATION ***
|*** Status:   Unknown Signature
|*** Signer:   Unknown Key (0x6725FF31)
|*** Signed:   9/28/2004 1:05:42 AM
|*** Verified: 9/29/2004 2:30:41 PM
|*** BEGIN PGP VERIFIED MESSAGE ***
|
|
|Turning off GET requests may not buy you as much as you think.  Any
|dedicated hacker who is going to be attempting xss or sql injection,
|etc. probably knows how to save a page and tamper the post form vars.
|Also, if you do regular log checks variable tampering through GET
|requests is typically much easier to spot as the entire URL is logged
|and you can see hacking attempts as part of the URL request.
|
|*snip*


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBW99HBtvwQGcl/zERAs85AJ0aIUU0Vx6RvLR/C7KGFV1oNJjtfQCeLHLW
OsAo3onm7Uvkzn4B0CQA+qY=
=8vKd
-----END PGP SIGNATURE-----

Current thread:

Re: Hacking/security in main-stream media, (continued)
- - - Re: Hacking/security in main-stream media Andrew Sledge (Sep 30)
    - Re: Hacking/security in main-stream media Jason Merriman (Sep 30)
    - Re: Hacking/security in main-stream media Damon Leung (Sep 30)
    - Re: Hacking/security in main-stream media Vlado Blaskov (Sep 30)
    - RE: XSS, SQL injection etc - permutations of input strings RSnake (Sep 28)
- RE: XSS, SQL injection etc - permutations of input strings Conacher, Chris (Sep 23)
  - RE: XSS, SQL injection etc - permutations of input strings Keith Roberts (Sep 27)
- RE: XSS, SQL injection etc - permutations of input strings focus (Sep 29)
- RE: XSS, SQL injection etc - permutations of input strings Michael Silk (Sep 29)
- RE: XSS, SQL injection etc - permutations of input strings Shields, Larry (Sep 30)
  - Re: XSS, SQL injection etc - permutations of input strings James Barkley (Sep 30)