[WEB SECURITY] First informational blopost on the coming PHP IDS
christ1an
ch0012 at googlemail.com
Wed May 2 12:47:32 EDT 2007
Hi Dain P,
> Because the sites I build are managed via WYSIWYG editors, and the
> content managers can drag and drop anything into the editor, I need
> something that allows HTML, but doesn't allow Bad Things to sneak in.
In this case you'll need tools like HTML Purifier.
> Your encoding (server.HTMLEncode) solution works great for
> filtering of most form /url input, but wouldn't allow people to
> input HTML via content management editors.
That's actually not correct ;) We implemented tags so that you can
directly define which vectors you want to use against incoming data.
I forgot to mention that in my blog posting; however, you'll find a
description in the manual later on.
You can tell the IDS that it only needs to look for, let's say, SQL
injection or only XSS and so forth.
Regards, christ1an
On Wednesday, 2 May 2007 at 17:46 you wrote:
> The best defense I have against SQL injection is to always send
> parameters into stored procedures as an array, as then the strings
> within the array are not executed.
> Because the sites I build are managed via WYSIWYG editors, and the
> content managers can drag and drop anything into the editor, I need
> something that allows HTML, but doesn't allow Bad Things to sneak in.
> Your encoding (server.HTMLEncode) solution works great for
> filtering of most form /url input, but wouldn't allow people to
> input HTML via content management editors. It wouldn't stop the
> really tricksy folks who are using other character encodings for
> their apostrophes and brackets either.
> ~Dain
> Dain White, Web Coordinator
> Office of Student Affairs
> Washington State University
> 1-509-335-6673
> -----Original Message-----
> From: Aiken, Dan [mailto:AikenD at HSS.EDU]
> Sent: Wednesday, May 02, 2007 7:02 AM
> To: Mario Heiderich; websecurity at webappsec.org
> Subject: RE: [WEB SECURITY] First informational blopost on the coming PHP IDS
> I know I must be missing something here, but doesn't changing
> selected characters to their ASCII equivalent, done on the server
> side for both input and output, offer protection against XSS and SQL injection attacks? For example,
> From To
> -----------
> < <
> > >
> ( (
> ) )
> # #
> & &
> etc.
> Dan Aiken, CISSP, GSEC, GSNA
> Corporate Compliance Director
> Information Security Officer and Privacy Officer
> Hospital for Special Surgery
> 535 East 70th Street
> New York, NY 10021
> Ofc: (212) 774-2569
> Fax: (212) 774-2161
> aikend at hss.edu
> "Program testing can be used to show the presence of bugs, but
> never to show their absence!" -- Edsger Dijkstra
> The opinions expressed in this message are the author's own and not
> necessarily those of Hospital for Special Surgery.
>
> -----Original Message-----
> From: Mario Heiderich [mailto:vegeir at gmx.net]
> Sent: Tuesday, May 01, 2007 4:50 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] First informational blopost on the coming PHP IDS
> Hi!
> Here's the first informational blogpost about the coming PHP IDS
> christ1an published today.
> http://christ1an.blogspot.com/2007/05/php-based-intrusion-detection-system.html
> What do you guys think about the project? We are currently working on
> the rules to detect sql injection and trying to enhance the XSS
> detection rules. Any input is welcome at any time!
> Dear Greetings,
> .mario
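The exchange above sets Dan's character-to-entity table against the allowlisting approach (HTML Purifier) that christ1an points Dain to. The following is an added example, not code from PHPIDS or HTML Purifier; it assumes a minimal hypothetical allowlist and a constructed WYSIWYG fragment, and uses PHP's DOMDocument to show what each approach leaves of the same input.

```php
<?php
// Added example, not PHPIDS or HTML Purifier code. Constructed WYSIWYG fragment:
// legitimate markup plus an injected handler, onerror image and script block.
const SAMPLE = '<p>Welcome <b>students</b>! '
    . '<a href="https://example.edu/" onclick="alert(1)">Enrol</a>'
    . '<img src="x" onerror="alert(2)"><script>alert(3)</script></p>';
// Allowlist sanitizer, the alternative christ1an points Dain to: parse the
// fragment, keep only listed elements/attributes, accept only http(s) hrefs.
// The allowlist is a minimal assumption; HTML Purifier's is far more complete.
function sanitizeAllowlist(string $html): string
{
    $allowed = ['p' => [], 'b' => [], 'i' => [], 'br' => [], 'a' => ['href']];
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $wrapper = $doc->documentElement;
    // Snapshot the live node list first, since elements are removed while walking.
    foreach (iterator_to_array($doc->getElementsByTagName('*'), false) as $el) {
        if ($el->isSameNode($wrapper) || $el->parentNode === null) {
            continue; // the wrapper, or a node already discarded with an ancestor
        }
        $tag = strtolower($el->tagName);
        if (!isset($allowed[$tag])) {
            if (!in_array($tag, ['script', 'style'], true)) {
                while ($el->firstChild !== null) { // keep the content, lose the tag
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowed[$tag], true);
            if ($keep && $name === 'href') { // the parser has already decoded entities
                $keep = preg_match('#^https?://#i', trim($attr->value)) === 1;
            }
            if (!$keep) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Entity encoding (Dan's table) leaves no usable markup; the allowlist keeps <p>, <b>, a clean <a>.
echo htmlspecialchars(SAMPLE, ENT_QUOTES, 'UTF-8'), "\n\n", sanitizeAllowlist(SAMPLE), "\n";
```

Because the DOM parser decodes entities before the checks run and re-escapes text on output, an entity-encoded `<` in text stays inert and an entity-encoded `javascript:` href is seen in decoded form and fails the http(s) check, which addresses Dain's point about other character encodings.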
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]