Re: Preventing cross site scripting
----- Original Message -----
From: "Alex Lambert" <alambert@quickfire.org>
To: "David Cameron" <dcameron@itis-now.com>; "Andrew Beverley"
<mail@andybev.com>; <webappsec@securityfocus.com>
Sent: Thursday, June 19, 2003 7:13 PM
Subject: Re: Preventing cross site scripting
> What about onClick (etc) attributes? i.e. <img src="good.gif*"
Onclick, onmouse, etc. don't do any good to the person trying them, if you
don't allow double quotes and single quotes, etc. within an anchor,
image/src type tag.
Such as (as again, converting all tags first and then putting them back
together):

s/<\s*img\s+sr.\s*=\s*['"](https?:\/\/)?(\w@:\w+.){1,}\.\w{2,4}(/\w.\/\?\
$)*\s*?$gt;/... and so on...

It will not allow anything to work that you
don't allow in the src tag. Again, just an example, not a working regex or
complete. This is the entire point--not to guess about "well, what if
someone...", because you know 'exactly' what they are able to do...
--
Regards,
Tim Greer chatmaster@charter.net
Server administration, security, programming, consulting.
Received on Thu Jun 19 23:20:08 2003
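
The approach described in the message above (convert all tags first, then put back only those that match exactly what is allowed), as an added example that is not part of the original post. The pattern, the name `sanitize` and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Matches an already-escaped <img> tag that carries ONLY a quoted http(s)
# src built from a conservative character set. This pattern is an
# assumption for the example, not the regex sketched in the post.
ALLOWED_IMG = re.compile(
    r'&lt;img\s+src\s*=\s*(&quot;|&#x27;)'                      # opening quote
    r'(https?://[a-z0-9.-]+(?::\d{1,5})?(?:/[a-z0-9._~/-]*)?)'  # allowlisted URL
    r'\1\s*/?&gt;',                                             # same quote, tag end
    re.IGNORECASE,
)


def sanitize(text: str) -> str:
    """Escape all markup, then restore only tags that match the allowlist."""
    # Step 1: convert everything. <, >, &, " and ' all become entities.
    escaped = html.escape(text, quote=True)
    # Step 2: rebuild the tag from the captured URL rather than un-escaping
    # the match, so only allowlisted characters ever reach the output.
    return ALLOWED_IMG.sub(lambda m: f'<img src="{m.group(2)}">', escaped)


# Constructed sample inputs (not taken from the original thread).
SAMPLES = [
    '<img src="http://example.com/good.gif">',                # restored
    '<img src="http://example.com/good.gif" onclick="x()">',  # stays escaped
    "Hi <b>there</b> <img src='https://example.org/a.png'/>",  # only img restored
    '<img src="javascript:x()">',                             # stays escaped
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sanitize(sample))
```

Anything the pattern does not describe, including extra attributes after the `src` value, never matches and so remains inert escaped text.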