Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: #include file tag in HTML: possible issues?

Re: #include file tag in HTML: possible issues?

From: Aman Raheja <araheja_at_techquotes.com>
Date: Sun, 15 Jan 2006 10:12:17 -0600

What type of code are we talking about ?
Not knowing what type of code is the application or stored in the
external file that gets inserted, it would be hard for anyone to think
of the threat scenarios, let alone the suggestions for remediation.
If the external file's contents are checked against different types of
attacks that the particular code could possibly be vulnerable to, it
should be fine.
Moreover, who created these external files is a valid concern, since you
have not mentioned. If the external file's content is controlled that
could be another layer of security towards the final application.
Regards
Aman Raheja

Giuseppe DELL'ERBA wrote:

>Hi all,
>
>I have to evaluate from security point of view an application that is going to add in its template pages the #include file tag.
>This will allow a section of code to be inserted in the page, and the code that is inserted may be stored in an external file.
>
>Do you think this feature can introduce possible security threats? And, eventually, the remediation needed?
>
>Thanks
>Peppe
>
>
>
>-------------------------------------------------------------------------
>This List Sponsored by: Watchfire
>
>Watchfire's AppScan is the industry's first and leading web application
>security testing suite, and the only solution to provide comprehensive
>remediation tasks at every level of the application. See for yourself.
>Download AppScan 6.0 today.
>
>https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
>--------------------------------------------------------------------------
>
>
>
>
>

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
Received on Jan 15 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]