xss

How evil is $_REQUEST and what are some acceptable Band-Aid countermeasures?

I've come across a couple of popular PHP-related answers recently that suggested using the superglobal $_REQUEST, which I think of as code smell, because it reminds me of register_globals. Can you provide a good explanation/evidence of why $_REQUEST is bad practice? I'll throw out a couple of examples I've dug up, and would love more in...

Do you have any SQL Injection Testing "Ammo" ?

When reading about SQL Injection and XSS I was wondering if you guys have a single string that could be used to identify those vulnerabilities and others. A string that could be thrown into a website database to black box check if that field is safe or not. (going to do a large test on a few in-house tools) Rough example, wondering if y...

Why was validate request taken out of ASP.net MVC?

In standard ASP.net applications ASP.net offered some protection from XSS attacks with validateRequest throwing detect dangerous input errors if someone tried to. This functionality seems to have been taken out of MVC; any idea why? Thanks, Alex ...

Removing Javascript from HREFs

We want to allow "normal" href links to other webpages, but we don't want to allow anyone to sneak in client-side scripting. Is searching for "javascript:" within the HREF and onclick/onmouseover/etc. events good enough? Or are there other things to check? ...

Cross-site AJAX requests

I need to make an AJAX request from a website to a REST web service hosted in another domain. Although this works just fine in Internet Explorer, other browsers such as Mozilla and Google Chrome impose far stricter security restrictions, which prohibit cross-site AJAX requests. My problem is that I have no control over the domain nor...

how do widgets like "http://sharethis.com/" make what seem to be XSS calls

How is it that tools like this one can make an ajax style call back to a central site? Basically they give you a " tag to put on your site wherever it is. So in this widget you have the ability to ask for an email to be sent to you for the page you're currently on. I assume this makes an ajax style call back to share this who sends out...

Cross-site XMLHttpRequest

I want to provide a piece of Javascript code that will work on any website where it is included, but it always needs to get more data (or even modify data) on the server where the Javascript is hosted. I know that there are security restrictions in place for obvious reasons. Consider index.html hosted on xyz.com containing the following...

Sanitize html encoded text (#decimal notation) from AntiXSS v3 output

I am trying to make comments in a blog engine XSS-safe. Tried a lot of different approaches but find it very difficult. When I am displaying the comments I am first using Microsoft AntiXss 3.0 to html encode the whole thing. Then I am trying to html decode the safe tags using a whitelist approach. Been looking at Steve Downing's example...

Allowing code snippets in form input while preventing XSS and SQL injection attacks

How can one allow code snippets to be entered into an editor (as stackoverflow does) like FCKeditor or any other editor while preventing XSS, SQL injection, and related attacks. ...

Prevent XSS in HTML forms from third party site

The basics: I have a contact form that uses php to validate the forms. (in addition to client side) This could be done in any server side language though. The server side only allows A-z 0-9 for certain fields (it is acceptable to validate this field to English only with that extremely limited range) If the form contains e...

Should I html encode values in an input field?

Which should I use? <input type="hidden" name="first_name" value="<%= person.first_name %>" /> or <input type="hidden" name="first_name" value="<%= Html.Encode( person.first_name ) %>" /> ...

Can cookies be copied between machines to impersonate a user?

We have an application that among other things, checks the existence of a cookie and reads and decrypts the contents of the cookie. Though the data stored inside the cookie is not sensitive, it has been encrypted via TripleDes encryption. A question was raised today whether the cookie saved on a single PC, could be copied on to another P...

Preventing XSS (Cross-site Scripting)

Let's say I have a simple ASP.NET MVC blog application and I want to allow readers to add comments to a blog post. If I want to prevent any type of XSS shenanigans, I could HTML encode all comments so that they become harmless when rendered. However, what if I wanted to allow some basic functionality like hyperlinks, bolding, italics, etc? ...

Apache2 Undefined Charset UTF-7 XSS Vulnerability

Does anyone have an idea how can I fix this vulnerability in Apache 2.2.4, without upgrading the Web Server? This is what I found about it on the net at SecurityReason. The fix suggested by them is to upgrade it to version 2.2.6. But the server is live and upgrading it is the last resort. Apache2 XSS Undefined Charset UTF-7 XSS Vulne...

taking care of XSS

I ran a pen-testing app and it found a ton of XSS errors, specifically, I'm guilty of echoing unverified data back to the browser through the querystring. Specifically, running this puts javascript into my page. http://www.mywebsite.com/search.php?q=%00'" [ScRiPt]%20%0a%0d>alert(426177032569)%3B[/ScRiPt]. Thankfully, nowhere do I let ...

Set iframe to height of content for remote content

The question of how to make your iframe fit 100% of your content (using JavaScript) has been answered on the forum already... for iframes displaying content from the same domain only. My questions: Is it possible to resize an iframe to fit the content when the iframe src attribute is for a page outside of the domain of the page containi...

Why is cross-domain Ajax a security concern?

Why was it decided that using XMLHTTPRequest to do XML calls cannot do a call across the domain boundary? You can pull down Javascript, images, CSS, iframes, and just about any other content I can think of from other domains. Why are Ajax HTTP Requests not allowed to cross domain boundaries. It seems like an odd limitation to put, cons...

Elevating a browser's javascript permission?

I'm working on an internal tool, and I recall there being some way to make your script prompt for elevated permissions, and if accepted, allowing cross site requests etc. As this is an internal tool, this may accomplish something I need. Does anyone know how to do this? To elaborate, I'm actually trying to read (in javascript) the con...

What are the reasons not to allow HTML tables when validating user input fields?

I'm writing a little bit of a wiki and going through all of my options for syntax highlighting. Debating between wiki syntax (mediawiki) and markdown + whitelisted tags. I think I would prefer the latter but I think my users will need tables. Why are tables disallowed here on Stackoverflow? <table> <tr> <td> </td> </tr> </table> ...

How do I force the browser not to store the html form field data?

When typing in html forms, browsers like Firefox or IE store the values, sometimes quietly. So when typing in another webform, the browser smartly suggests the same information. Another method to show the dropdown list is double-clicking an empty textbox. In an e-commerce website, the customer types the credit card number, and another sen...