WebApp Sec mailing list archives
Re: Content monitorting in Application Security
From: Paul Laudanski <zx () castlecops com>
Date: Fri, 7 Jan 2005 19:21:46 -0500 (EST)
On 7 Jan 2005, Alfred Hitchcock wrote:
Hi All, I have a major doubt it would be of great help if anybody can provide solution to this. I have a web page which allows to upload files such as jpeg and html files. Is there any mechanisms which can detect malicious html files. E.g. if a html page has got a malicious java script such as alert('xss') then how can we check these things. One more point to be noted here is that uploading of file can be done by any user.
Aside from the standard response of 'do not allow uploading of HTML files' to prevent possible malicious code execution, another option is to disallow any server side script parsing like PHP and CGI. The second option should limit the code to client side parsing only, which brings us back to the topic of malicious Javascript execution (or other such client side code). One possible programmatic option is to run a regex filter against the file that is uploaded to strip out or hide the javascript code before it is saved to your filesystem. If there is a more interesting solution to this I would love to learn about it. I personally do not allow such files to be uploaded. -- Regards, Paul Laudanski - Computer Cops, LLC. CEO & Founder CastleCops(SM) - http://castlecops.com Promoting education and health in online security and privacy.
Current thread:
- Content monitorting in Application Security Alfred Hitchcock (Jan 07)
- Re: Content monitorting in Application Security Ivan Ristic (Jan 08)
- Re: Content monitorting in Application Security Paul Laudanski (Jan 08)
- Re: Content monitorting in Application Security Jeremiah Grossman (Jan 08)
- <Possible follow-ups>
- RE: Content monitorting in Application Security Security (Jan 08)
- RE: Content monitorting in Application Security Paul Laudanski (Jan 09)
- RE: Content monitorting in Application Security Ofer Shezaf (Jan 09)
- Re: Content monitorting in Application Security Martin Mačok (Jan 10)
- RE: Content monitorting in Application Security Antoine Martin (Jan 10)
- Re: Content monitorting in Application Security oliver.karow (Jan 10)
- Re: Content monitorting in Application Security Ivan Ristic (Jan 10)
- Re: Content monitorting in Application Security Jeremiah Grossman (Jan 13)
- Re: Content monitorting in Application Security Jeremiah Grossman (Jan 15)
(Thread continues...)