I'm currently in the process of writing my first Rails app. I'm writing a simple blog app that will allow users to comment on posts. I'm pretty new to Rails, so I'm looking for a bit of guidance on how to address security concerns with user input.
On the front end, I am using TinyMCE to accept user input. It is my understanding that ...
I need to know if there is any way of writing additional code to JavaScript files already deployed on the server.
I am facing a problem with an ASP.NET 2.0 website and it is related to the JavaScript files which I have on some of the pages. The problem is that when I upload the JavaScript files along with other files it works fine, but...
After reading http://stackoverflow.com/questions/1217926/jsonp-callback-doesnt-execute-when-running-at-localhost and googling a lot, I am still unclear if there is a potential XSS security threat.
Is this "hole" covered in popular browsers nowadays?
(notice the dot in the URI)
...
We have had a PCI scan on one of our websites passed on to us by one of our clients. There are a number of reports of vulnerabilities that look something like this:
Network service: 80/443 Application URL: http://www.oursite.com/signup.php
The response contains SQL Server errors. This suggests that the hazardous characters i...
Hello Guys,
I am looking for damn good open source XSS prevention script to implement in my php mvc framework.
Any ideas?
...
Hello All,
Yesterday I received an email from a guy saying that our site is vulnerable to SQL injection. The email said:
I tried some classic SQL injection on your server. This URL contains the result:
http://www.mysite.com/ppreview.php?id=611111161%20and%201=0%20UNION%20all%20SELECT%201,2,3,4,password,6,7,8,9,10,11,12,13,14,15,16...
Hello,
Can I use CodeIgniter's input class to XSS-clean GET data like this:
$somevar = $this->input->xss_clean($_GET['somevar']);
CodeIgniter suggests that the xss_clean method should be used for submitted data.
I wonder whether $_GET vars count as submitted data or just as visiting a URL.
So can I use it in that fashion?
...
Some older browsers are vulnerable to XSS attacks as such
<img src="javascript:alert('yo')" />
Current versions of IE, FF, Chrome are not.
I am curious if any browsers are vulnerable to a similar attack:
<img src="somefile.js" />
or
<iframe src="somefile.js" />
or other similar where somefile.js contains some malicious script.
...
I'm getting a vulnerability alert from McAfee Secure saying that there is an XSS vulnerability on my site. The string they use to produce it is:
https://www.mywebsite.com/%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E%3C%22/www.mywebsite.com/my-product.html?ref=443%2Fanother%5Fpage%5Fon%5Fmy%5Fsite.php
I can't get the alert to disp...
I'm trying to write some web-based automation. The sites I'm hitting aren't on the same domain as my automation, so cross-site scripting issues make it impossible to access the DOM on the target website.
I don't want to use a proxy or deal with proxifying the target websites (like Selenium does, for example). Cross-platform is a nice ...
I'm working on a Google Web Toolkit driven site that communicates via AJAX to a WCF server. Once deployed the GWT code will run in the same domain as the WCF service but when developing/debugging locally they both run as separate processes and therefore on separate ports. This causes my browser to assume that I'm making a cross site call...
Hello,
We are looking at using a library to help us detect SQL injections.
We are using sprocs and parameterized statements, but for the sake of this post assume that we are only using some sort of library that detects/verifies user input.
What's the best one? Easiest to implement? Easiest to update/manage?
Why prefer one over the othe...
Regarding Cross Site Scripting (XSS) in a J2EE Struts 2.0.9 application: when I put a <Script> tag in the URL, it executes the JavaScript, which is a security threat. Is there any solution to overcome this problem apart from moving to a higher version of Struts?
...
Just upgraded Rails to 2.3.5 to get the lovely looking rails_xss plugin but I've noticed one big issue with it. Any content_for blocks are escaped when yielded.
I've tried hacking around it by doing either of the following, but they do not work:
<% @content_for_foo.html_safe! -%>
<%= yield raw :foo %>
...
I want to write a web application that allows users to enter any HTML that can occur inside a <div> element. This HTML will then end up being displayed to other users, so I want to make sure that the site doesn't open people up to XSS attacks.
Is there a nice library in Python that will clean out all the event handler attributes, <scri...
Debugging assistance requested.
The page http://www.freshfaves.com/newfave.html contains this code:
<script>
document.domain = 'freshfaves.com';
$(document).ready(function() {
var dbUrl = 'http://freshfaves.com/';
var result = '';
$.ajax({
type: "POST",
url: dbUrl,
data: [], //params,
...
How do I use Socket in AC3, or is there another solution for using embedded Flash without a cross-domain policy?
I would like to create a project that uses HTTP to post to some website's form by using embedded Flash in a webpage. When I finished the project, I tried to embed it on the local computer and that worked fine, but when I uploaded it to a web serv...
I was asking myself about the security of using the PHP function htmlentities() against XSS attacks, and maybe of related functions such as htmlspecialchars().
thanks a lot :)
...
My current solution:
function isAccessToWindowRestricted(w) {
    try {
        return !w.location.href;
    } catch (e) {
        return true;
    }
}
Any better ideas? Is there a 'legal' way without try-catch?
...
What policy would be enforced by the following crossdomain.xml that contains no allow statements?
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>
Does this implicitly deny or accept everything?
...