I've come across a couple of popular PHP-related answers recently that suggested using the superglobal $_REQUEST, which I think of as code smell, because it reminds me of register_globals.
Can you provide a good explanation/evidence of why $_REQUEST is bad practice? I'll throw out a couple of examples I've dug up, and would love more in...
When reading about SQL Injection and XSS I was wondering if you guys have a single string that could be used to identify those vulnerabilities and others.
A string that could be thrown into a website database to black box check if that field is safe or not. (going to do a large test on a few in-house tools)
Rough example, wondering if y...
In standard ASP.NET applications ASP.NET offered some protection from XSS attacks with validateRequest throwing "detect dangerous input" errors if someone tried to. This functionality seems to have been taken out of MVC; any idea why?
Thanks,
Alex
...
We want to allow "normal" href links to other webpages, but we don't want to allow anyone to sneak in client-side scripting.
Is searching for "javascript:" within the HREF and onclick/onmouseover/etc. events good enough? Or are there other things to check?
...
I need to make an AJAX request from a website to a REST web service hosted in another domain.
Although this works just fine in Internet Explorer, other browsers such as Mozilla and Google Chrome impose far stricter security restrictions, which prohibit cross-site AJAX requests.
My problem is that I have no control over the domain nor...
How is it that tools like this one can make an ajax style call back to a central site? Basically they give you a " tag to put on your site wherever it is. So in this widget you have the ability to ask for an email to be sent to you for the page you're currently on. I assume this makes an ajax style call back to share this who sends out...
I want to provide a piece of Javascript code that will work on any website where it is included, but it always needs to get more data (or even modify data) on the server where the Javascript is hosted. I know that there are security restrictions in place for obvious reasons.
Consider index.html hosted on xyz.com containing the following...
I am trying to make comments in a blog engine XSS-safe. Tried a lot of different approaches but find it very difficult.
When I am displaying the comments I am first using Microsoft AntiXss 3.0 to html encode the whole thing. Then I am trying to html decode the safe tags using a whitelist approach.
Been looking at Steve Downing's example...
How can one allow code snippets to be entered into an editor (as stackoverflow does) like FCKeditor or any other editor while preventing XSS, SQL injection, and related attacks.
...
The basics:
I have a contact form that uses PHP to validate the forms (in addition to client side). This could be done in any server side language though.
The server side only allows A-z 0-9 for certain fields (it is acceptable to validate this field to English only with that extremely limited range).
If the form contains e...
Which should I use?
<input type="hidden" name="first_name"
value="<%= person.first_name %>" />
or
<input type="hidden" name="first_name"
value="<%= Html.Encode( person.first_name ) %>" />
...
We have an application that among other things, checks the existence of a cookie and reads and decrypts the contents of the cookie. Though the data stored inside the cookie is not sensitive, it has been encrypted via TripleDes encryption. A question was raised today whether the cookie saved on a single PC, could be copied on to another P...
Let's say I have a simple ASP.NET MVC blog application and I want to allow readers to add comments to a blog post. If I want to prevent any type of XSS shenanigans, I could HTML encode all comments so that they become harmless when rendered. However, what if I wanted to allow some basic functionality like hyperlinks, bolding, italics, etc?
...
Does anyone have an idea how can I fix this vulnerability in Apache 2.2.4, without upgrading the Web Server?
This is what I found about it on the net at SecurityReason. The fix suggested by them is to upgrade it to version 2.2.6. But the server is live and upgrading it is the last resort.
Apache2 XSS Undefined Charset UTF-7 XSS Vulne...
I ran a pen-testing app and it found a ton of XSS errors; specifically, I'm guilty of echoing unverified data back to the browser through the querystring.
Specifically, running this puts javascript into my page.
http://www.mywebsite.com/search.php?q=%00'" [ScRiPt]%20%0a%0d>alert(426177032569)%3B[/ScRiPt].
Thankfully, nowhere do I let ...
The question of how to make your iframe fit 100% of your content (using JavaScript) has been answered on the forum already... for iframes displaying content from the same domain only.
My questions: Is it possible to resize an iframe to fit the content when the iframe src attribute is for a page outside of the domain of the page containi...
Why was it decided that using XMLHTTPRequest to do XML calls cannot do a call across the domain boundary? You can pull down Javascript, images, CSS, iframes, and just about any other content I can think of from other domains. Why are Ajax HTTP Requests not allowed to cross domain boundaries. It seems like an odd limitation to put, cons...
I'm working on an internal tool, and I recall there being some way to make your script prompt for elevated permissions, and if accepted, allowing cross site requests etc. As this is an internal tool, this may accomplish something I need.
Does anyone know how to do this?
To elaborate, I'm actually trying to read (in javascript) the con...
I'm writing a little bit of a wiki and going through all of my options for syntax highlighting. Debating between wiki syntax (mediawiki) and markdown + whitelisted tags. I think I would prefer the latter but I think my users will need tables. Why are tables disallowed here on Stackoverflow?
<table> <tr> <td> </td> </tr> </table>
...
When typing in HTML forms, browsers like Firefox or IE store the values, sometimes quietly. So when typing in another web form, the browser smartly suggests the same information. Another method to show the dropdown list is double-clicking an empty textbox.
In an e-commerce website, the customer types the credit card number, and another sen...