Pantek Library

forbidden functions on client-side scripts

From: Shimon Silberschlag <shimons(at)bll.co.il>
Date: Wed Dec 11 2002 - 12:06:18 EST


Some products that are used as content filters for the HTTP traffic used by internal users have the ability to block certain "dangerous" functions used in client-side scripts from getting to the internal client. Attached is the default function list used by such a product. Since I'm not a programmer, can someone tell me if this list is complete/overkill/lacking, and what other functions that are dangerous/benign I should consider adding to or dropping from the list? The list is given for VBScript and JavaScript separately.

[VB SCRIPT]

Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,File Exist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Open textfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite

[JAVA SCRIPT]

Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite

TIA, Shimon Silberschlag

+972-3-9352785
+972-51-207130

Received on Wed Dec 11 12:16:49 2002
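One way to audit the two lists in the post for over-blocking and for entries that can never fire, as an added example that is not part of the original message and is not the filter product's code. It assumes the product treats each word as a case-insensitive substring of the script text; the sample scripts and all function names are constructed for illustration.

```javascript
// Added example. Lists copied from the post; matching behaviour is an assumption.
const CONFIG = `
[VB SCRIPT]
Forbidden words=CreateObject,GetParentFolderName,GetFolder,GetExtensionName,File Exist,GetSpecialFolder,GetFile,Replace,DriveType,ExpandEnviromentString,Open textfile,CreateTextRange,OpenAsTextStream,DeleteFile,CopyFile,RegWrite
[JAVA SCRIPT]
Forbidden words=CreateObject,ActiveXobject,GetParentFolderName,GetFolder,GetExtensionName,Replace,Opentextfile,DeleteFile,CopyFile,RegWrite
`;

// Parse "[SECTION]" headers and "Forbidden words=a,b,c" lines.
function parseLists(text) {
  const lists = {};
  let section = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const head = line.match(/^\[(.+)\]$/);
    if (head) { section = head[1]; lists[section] = []; continue; }
    const kv = line.match(/^Forbidden words=(.*)$/);
    if (kv && section) lists[section] = kv[1].split(",").map((w) => w.trim());
  }
  return lists;
}

// Assumption: each word is matched as a case-insensitive substring.
function matchedWords(script, words) {
  const haystack = script.toLowerCase();
  return words.filter((w) => haystack.includes(w.toLowerCase()));
}

// Entries containing whitespace cannot equal any script identifier.
function entriesWithSpaces(words) {
  return words.filter((w) => /\s/.test(w));
}

// Constructed samples: a harmless page script and a file-access script.
const BENIGN_JS = 'var t = document.title.replace(/\\s+/g, " ");';
const FILE_VBS = [
  'Set fso = CreateObject("Scripting.FileSystemObject")',
  'If fso.FileExists("C:\\notes.txt") Then',
  '  Set f = fso.OpenTextFile("C:\\notes.txt")',
  'End If',
].join("\n");

const lists = parseLists(CONFIG);
console.log("benign JS blocked by:", matchedWords(BENIGN_JS, lists["JAVA SCRIPT"]));
console.log("file VBS blocked by:", matchedWords(FILE_VBS, lists["VB SCRIPT"]));
console.log("VB entries with spaces:", entriesWithSpaces(lists["VB SCRIPT"]));
```

Under that assumption, `Replace` blocks an ordinary string operation, while the VBScript entries `File Exist` and `Open textfile` never match the `FileExists` and `OpenTextFile` calls in the sample.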

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

