Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: #include file tag in HTML: possible issues?

RE: #include file tag in HTML: possible issues?

From: Giuseppe DELL'ERBA <giuseppe.dellerba_at_st.com>
Date: Mon, 16 Jan 2006 11:43:08 +0100

More details for your feedbacks: the application creates HTML pages, on URL basis, using templates.
The content aggregation logic is based on JSP. The application will retrieve these templates and, using TAGLIB technology, will substitute the TAGLIB with the dynamic content and metadata. The idea is to add the #include file tag in the new templates.
The contents and the templates come from company internal resources.

Thanks
Peppe

-----Original Message-----
From: Aman Raheja [mailto:araheja_at_techquotes.com]
Sent: Sunday, January 15, 2006 5:12 PM
To: Giuseppe DELL'ERBA
Cc: webappsec_at_securityfocus.com
Subject: Re: #include file tag in HTML: possible issues?

What type of code are we talking about ?
Not knowing what type of code is the application or stored in the
external file that gets inserted, it would be hard for anyone to think
of the threat scenarios, let alone the suggestions for remediation. If the external file's contents are checked against different types of
attacks that the particular code could possibly be vulnerable to, it
should be fine.
Moreover, who created these external files is a valid concern, since you
have not mentioned. If the external file's content is controlled that
could be another layer of security towards the final application. Regards Aman Raheja

Giuseppe DELL'ERBA wrote:

>Hi all,
>
>I have to evaluate from security point of view an application that is
>going to add in its template pages the #include file tag.
>This will allow a section of code to be inserted in the page, and the code that is inserted may be stored in an external file.
>
>Do you think this feature can introduce possible security threats? And,
>eventually, the remediation needed?
>
>Thanks
>Peppe
>
>
>
>-----------------------------------------------------------------------
>--
>This List Sponsored by: Watchfire
>
>Watchfire's AppScan is the industry's first and leading web application
>security testing suite, and the only solution to provide comprehensive
>remediation tasks at every level of the application. See for yourself.
>Download AppScan 6.0 today.
>
>https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
>-----------------------------------------------------------------------
>---
>
>
>
>
>

-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
Received on Jan 17 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]