Vulnerability Development mailing list archives
RE: CROSS SITE-SCRIPTING Protection with PHP
From: "Rob Shein" <shoten () starpower net>
Date: Mon, 14 Oct 2002 11:24:14 -0400
Sverre wrote:
> We need a totally new development platform that makes it impossible to do the typical webappsec mistakes. I'm not sure if it's doable, but I guess it would be possible to avoid all meta-character based exploits, such as Cross-site Scripting, SQL Injection, Shell Command Injection and so on. It's just a matter of encapsulating all communication with sub-systems (including the browser) in some reasonable and limited API.
The problem with this scheme is that it requires that the browser be party to the security. What about a blackhat using netcat? Bye-bye to whatever security functionality was built into the browser, and all protection contained therein.
