I am looking for a tool that can detect malicious requests (such as obvious SQL injection gets or posts) and will immediately ban the IP address of the requester/add to a blacklist. I know, I know, the code should be able to handle such requests accordingly but there is still value in such a tool even when the site is safe from such at...
What's the best way to sanitise user input for a Python-based web application? Is there a single function to remove HTML characters and any other necessary characters combinations to ensure that an XSS or SQL injection attack isn't possible?
...
Jeff actually posted about this in Sanitize HTML. But his example is in C# and I'm actually more interested in a Java version. Does anyone have a better version for Java? Is his example good enough that I could just convert it directly from C# to Java?
[Update] I have put a bounty on this question because SO wasn't as popular as to...
Here's my problem - I'd like to communicate between two websites and I'm looking for a clean solution. The current solution uses Javascript but there are nasty workarounds because of (understandable) cross-site scripting restrictions.
At the moment, website A opens a modal window containing website B using a jQuery plug-in called jqModa...
After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.
How do you tell Tomcat to use HttpOnly cookies for sessions?
...
Inspired by this CodingHorror article, "Protecting Your Cookies: HttpOnly"
How do you set this property? Somewhere in the web config?
...
User equals untrustworthy. Never trust an untrustworthy user's input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this "cleaned" version? Maybe there are als...
How can I set the cookies in my PHP apps as HttpOnly cookies?
...
How do you get around this Ajax cross-site scripting problem on Firefox 3?
...
While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary.
I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple...
We have a lot of open discussions with potential clients, and they ask frequently about our level of technical expertise, including the scope of work for our current projects. The first thing I do in order to gauge the level of expertise on staff they have now or have previously used is to check for security vulnerabilities like XSS and ...
I am not concerned about other kinds of attacks. Just want to know whether HTML Encode can prevent all kinds of XSS attacks.
Is there some way to do an XSS attack even if HTML Encode is used?
...
This link describes an exploit into my app using fckEditor:
http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html
How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
It's a puzzle because...
I have PHP configured so that magic quotes are on and register globals are off.
I do my best to always call htmlentities() for anything I am outputting that is derived from user input.
I also occasionally search my database for common things used in XSS attacks such as...
<script
What else should I be doing and how can I make sure th...
I'm using ASP.NET Web Forms for blog style comments.
Edit 1: This looks way more complicated than I first thought. How do you filter the src?
I would prefer to still use real html tags but if things get too complicated that way, I might go a custom route. I haven't done any XML yet, so do I need to learn more about that?
...
I'm new to developing things on the web. So far, I'm spending a lot of time (50% or so) trying to prevent bad people from putting things like SQL injection into my input forms and validating it server side. Is this normal?
...
Earlier today a question was asked regarding input validation strategies in web apps.
The top answer, at time of writing, suggests in PHP just using htmlspecialchars and mysql_real_escape_string.
My question is: Is this always enough? Is there more we should know? Where do these functions break down?
...
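The two questions above (whether HTML encoding stops every XSS, and where htmlspecialchars and mysql_real_escape_string break down) have the same answer: an escaping function is only correct for one output context. The following is an added, self-contained Python example, not code from any of the posts or from PHP itself; it uses html.escape as a stand-in for htmlspecialchars and quote-doubling on an in-memory SQLite table as a stand-in for mysql_real_escape_string on MySQL. The payloads and the users table are constructed for the demonstration.

```python
"""Context decides whether an escaping function is enough.
html.escape() (the Python counterpart of PHP's htmlspecialchars) and
quote-doubling (what escaping does for a quoted SQL string) are each
correct in exactly one output context; the functions below show the
contexts where the same call stops helping, and the fix for each."""
import html
import re
import sqlite3

# Constructed attacker inputs, one per context (not from any real report).
TAG_PAYLOAD = "<script>alert(1)</script>"
UNQUOTED_ATTR_PAYLOAD = "x onmouseover=alert(1)"
JS_URL_PAYLOAD = "javascript:alert(1)"
HANDLER_PAYLOAD = "'); alert(1); ('"


def body_context(value):
    """Text between tags: HTML-encoding is the right defence here."""
    return f"<p>{html.escape(value)}</p>"


def unquoted_attr_context(value):
    """Unquoted attribute: a space already ends the value, so the payload
    needs none of the five characters html.escape() touches."""
    return f"<input value={html.escape(value)}>"


def quoted_attr_context(value):
    """Fix: always quote attributes, so only a quote can break out."""
    return f'<input value="{html.escape(value)}">'


def href_context(value):
    """URL attribute: encoding never looks at the scheme."""
    return f'<a href="{html.escape(value)}">link</a>'


def safe_href_context(value):
    """Fix: allow-list the scheme first, then encode."""
    if not re.match(r"https?://", value, re.IGNORECASE):
        value = "#"
    return f'<a href="{html.escape(value)}">link</a>'


def handler_context(value):
    """Inline event handler: the browser entity-decodes the attribute
    before the JavaScript parser runs, so &#x27; turns back into a quote."""
    return f'<button onclick="track(\'{html.escape(value)}\')">go</button>'


def handler_as_seen_by_js(markup):
    """Model the browser's attribute-decoding step for the onclick value."""
    m = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(m.group(1)) if m else ""


def sql_quote_escape(value):
    """Double single quotes: all escaping can do for a quoted SQL string."""
    return value.replace("'", "''")


def _demo_db():
    # Constructed three-row table so the queries run offline.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "bob"), (3, "carol")])
    return con


def lookup_quoted_escaped(user_id):
    """Quoted string context: escaping does its job."""
    sql = ("SELECT name FROM users WHERE CAST(id AS TEXT) = '"
           + sql_quote_escape(user_id) + "'")
    return sorted(r[0] for r in _demo_db().execute(sql))


def lookup_numeric_escaped(user_id):
    """Unquoted numeric context: '1 OR 1=1' contains no quote, so escaping
    changes nothing and the WHERE clause matches every row."""
    sql = "SELECT name FROM users WHERE id = " + sql_quote_escape(user_id)
    return sorted(r[0] for r in _demo_db().execute(sql))


def lookup_parameterised(user_id):
    """Fix: bind the value; the driver never lets it become SQL syntax."""
    rows = _demo_db().execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    print(body_context(TAG_PAYLOAD))                      # inert text
    print(unquoted_attr_context(UNQUOTED_ATTR_PAYLOAD))   # live handler
    print(href_context(JS_URL_PAYLOAD))                   # javascript: survives
    print(handler_as_seen_by_js(handler_context(HANDLER_PAYLOAD)))
    print(lookup_numeric_escaped("1 OR 1=1"))             # every user
    print(lookup_parameterised("1 OR 1=1"))               # nothing
```

The unquoted-attribute and javascript: cases need no character that html.escape (or htmlspecialchars) rewrites, and the onclick case works because entity decoding happens before the script parser sees the value; PHP's htmlspecialchars without ENT_QUOTES does not even encode the single quote, which makes that last case worse. The SQL half shows the matching rule: escaping protects a quoted string literal and nothing else, which is why a bound parameter is the fix rather than a better escaper.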
As a temporary quick fix to mitigate the major risk while working on the permanent fix for XSS Vulnerability in a very large code base, I'm looking for a pre-existing XSS prevention blacklist that does a reasonable job of protecting against XSS.
Preferably a set of Regular Expressions. I'm aware of plenty of cheat sheets for testing and...
Has anyone done this? Basically, I want to use the HTML by keeping basic tags such as h1, h2, em, etc.; clean all non-http addresses in the img and a tags; and HTMLEncode every other tag.
I'm stuck at the HTML Encoding part. I know to remove a node you do a "node.ParentNode.RemoveChild(node);" where node is the object of the class Ht...
Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
...
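The two posts above (keep h1/h2/em, restrict img and a to http addresses, HTML-encode every other tag; and a sanitizer that still allows some HTML) describe the same allow-list design. Below is an added Python example of that design using the standard-library html.parser; it is not code from the posts, from HtmlAgilityPack, or from any existing library. The tag and attribute lists and the sample fragments are constructed for the demonstration.

```python
"""Allow-list HTML sanitiser: keep a few harmless tags, restrict <a href>
and <img src> to http(s) URLs, drop every other attribute, and HTML-encode
every tag that is not on the list so it is displayed instead of parsed."""
import html
from html.parser import HTMLParser

# Assumed policy for the example: adjust to taste.
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "br", "em", "strong", "a", "img"}
KEPT_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"a": "href", "img": "src"}
VOID_TAGS = {"br", "img"}


def _safe_url(url):
    """Scheme allow-list: only absolute http(s) URLs survive."""
    return url.strip().lower().startswith(("http://", "https://"))


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Not allowed: encode the raw tag text so it renders literally.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        parts = [tag]
        for name, value in attrs:
            if name not in KEPT_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, class, etc.
            value = value or ""
            if name == URL_ATTRS.get(tag) and not _safe_url(value):
                continue  # drops javascript:, data:, relative URLs
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        # <br/> and <img .../> behave like their start tags.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text nodes (including script/style bodies) are always encoded.
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # base class, which discards them.


def sanitize(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs covering each branch of the policy.
    samples = [
        '<h1>Title</h1><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<img src="https://example.org/a.png" onerror="alert(1)">',
        '<em>a &lt; b</em><div>boxed</div>',
    ]
    for s in samples:
        print(sanitize(s))
```

Two design points worth noting: attributes are rebuilt from the allow-list rather than filtered out by name, so a new attacker attribute can never slip through, and disallowed tags are encoded rather than removed, which is what the first post asked for and also keeps the user's text intact. The policy deliberately rejects relative and protocol-relative URLs; loosen _safe_url if those are needed.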