Vulnerability Development: Re: Preventing XSS in PHP...

["William N. Zanatta" <william () veritel com br>]

What about the combination of POST method driven forms and REFERER 
filtering? It seems to be trustable at least against external attacks 
(we couldn't stop a CSS attack comming from inside this way and), right?!
William


Slow2Show wrote:
> In-Reply-To: <OF6FCFDC2A.59A56994-ON03256BAD.006A1C06 () carol com br>
>
> > Much if has said in holes of Cross Site Scripting.
>
>
>
> Yep...some even say "too much" and argue that it isn't 
>
> a "real security hole", but if you've had your admin cookie 
>
> stolen on a forum then you would say otherwise.
>
>
>
>
> > Happily, language PHP supplies to the programmer a great 
>
> function to
>
>
> > prevent that this happens
>
>
>
> yep PHP can handle input sanitizing very well...hopefully 
>
> all new webApp langs will have sanitizing functionality 
>
> built into their frameworks...(MS actually does in asp.net)
>
>
>
> I suggest you check out the webAppSec list, the OWASP 
>
> project, and cgisecurity.com for more info.
>
> http://online.securityfocus.com/archive/107
>
> http://www.owasp.org
>
> http://www.cgisecurity.com
>
>
>
> Take care,
>
>
>
> -Slow2Show-