[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] security warning?
- Subject: Re: [cobalt-security] security warning?
- From: cobalt@xxxxxxxxxxxxx
- Date: Mon, 12 Aug 2002 15:54:50 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On 12 Aug 2002 at 7:28, Jeff Lasman wrote:
> I got a security warning today from an unknown sender in Japan...
>
<snip>
> Any ideas of how to protect against it? While I'm studying this now,
> even the .pdf file I found at cert
> (http://www.cert.org/archive/pdf/cross_site_scripting.pdf) didn't give
> me much on how to fix the vulnerability; only that it existed.
>
> Any comments or ideas?
>
> Jeff
Hi Jeff
Cross site scripting vulnerabilities are specific to a particular cgi
/ script / asp file. The only way to protect against them, is to
make sure you validate all user input, and remove any <script>
</script> tags before displaying this input back to the user.
An example would be:
You enter your name in a form field (Jeff), press submit, the script
set to handle the form prints back 'Hello Jeff'.
If you enter some javascript code instead of your name, this will be
printed back, and treated like any other code in a html file, ie
executed.
These types of attack are mainly used to steal cookies from a user
and then log in to a website as them ( known as session hijacking ).
But they can be more severe.
Do a google search for SQL Injection techniques.
These can be used to steal the contents of databases.
--
Ian