Vulnerability Development mailing list archives

RE: CROSS SITE-SCRIPTING Protection with PHP


From: "Rob Shein" <shoten () starpower net>
Date: Mon, 14 Oct 2002 11:24:14 -0400


Sverre wrote:

We need a totally new development platform that makes it 
impossible to do the typical webappsec mistakes.  I'm not 
sure if it's doable, but I guess it would be possible to 
avoid all meta-character based exploits, such as Cross-site 
Scripting, SQL Injection, Shell Command Injection and so on.  
It's just a matter of encapsulating all communication with 
sub-systems (including the browser) in some reasonable and 
limited API.


The problem with this scheme is that it requires that the browser be
party to the security.  What about a blackhat using netcat?  Bye-bye to
whatever security functionality was built into the browser, and all
protection contained therein.
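To make the "limited API" idea in Sverre's paragraph concrete, here is an added example in PHP (the language in the thread subject); it is not code from either poster. It assumes the pdo_sqlite extension is available and uses two wrapper functions of my own naming, html_text()/render() for browser output and query() for the database, so that application code never concatenates raw strings into HTML or SQL. All encoding and parameterisation happens on the server, so the wrappers make no assumption about what client is on the other end of the connection.

```php
<?php
// Added example (not from the thread): a minimal server-side "limited API"
// for talking to two sub-systems, the browser and the database.
// Function names are my own; the PDO/htmlspecialchars calls are standard PHP.

declare(strict_types=1);

// Encode text for an HTML body or quoted attribute. Every character that can
// start a tag, attribute or entity is encoded, so "<script>" becomes inert
// text no matter what client receives it.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fill a template whose placeholders look like {name}. Every substituted value
// passes through html_text(), so a caller cannot forget to encode.
function render(string $template, array $vars): string
{
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($vars): string {
        if (!array_key_exists($m[1], $vars)) {
            throw new InvalidArgumentException("unknown placeholder {$m[1]}");
        }
        return html_text((string) $vars[$m[1]]);
    }, $template);
}

// Run a SQL statement with bound parameters only. The statement text is a
// fixed string written by the programmer; user data travels separately as
// parameters, so quotes inside it are never parsed as SQL.
function query(PDO $db, string $sql, array $params): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed hostile input: as a bound parameter it is compared as a literal
// string, so it matches no row instead of changing the WHERE clause.
$input = "bob' OR '1'='1";
$rows  = query($db, 'SELECT name FROM users WHERE name = :name', [':name' => $input]);
if ($rows !== []) {
    throw new RuntimeException('parameter binding failed');
}

// Constructed hostile input for the browser side: the markup is encoded on
// the server, so the output contains no live tag.
$page = render('<p>Hello, {who}</p>', ['who' => '<script>alert(1)</script>']);
if ($page !== '<p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>') {
    throw new RuntimeException('HTML encoding failed');
}
echo $page, "\n";
```

The design point is that the two wrappers are the only way application code reaches the browser or the database, so the decision to encode or to bind is made once in the API rather than at every call site.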

