[thelist] [tip] Macromedia even forgets (encoding user input)

Ken Schaefer ken at adOpenStatic.com
Wed Jun 25 21:45:50 CDT 2003


The two major problems are:

a) SQL Injection attacks, where carefully crafted input allows the malicious
attacker to alter (or append to) your SQL statements

    -and-

b) Cross-Site Scripting attacks, where Javascript/VBScript can be embedded
into the HTML source of webpages (eg when data is extracted), or in email
messages, which can then do malicious things (eg send the cookies for the
current site to a remote site as part of an HTTP request).

There are a number of good resources on the net about this. The OWASP
project has a great guide on securing web applications (a bit daunting at
first): http://www.owasp.org/guide/

Here are two good papers on SQL Injection (I've used techniques described
therein to break into sites, with permission!, to demonstrate to people the
need to secure applications):
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

Cheers
Ken
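As an added illustration of both points (not code from the thread or from any poster), here is a small Python script with sqlite3 and html.escape standing in for whatever database and page-rendering code a site uses. The search term is the meta-refresh string quoted below; the login name and the users table are constructed demo data.

```python
import html
import sqlite3

# Constructed sample input, as a search box or query string might hand it to a page:
# the meta-refresh string from the thread, plus a value that tries to change the SQL.
SEARCH_TERM = '<meta http-equiv="Refresh" content="0;url=http://www.intel.com">'
LOGIN_NAME = "admin' OR '1'='1"


def render_search_echo(term, encode=True):
    """Build the 'You searched for ...' fragment a results page echoes back.

    With encode=False the raw term is dropped into the HTML, so a <meta> or <script>
    tag typed by the user becomes live markup. With encode=True, html.escape turns
    the angle brackets and quotes into entities, so the browser displays the text
    instead of acting on it.
    """
    shown = html.escape(term, quote=True) if encode else term
    return f"<p>You searched for: {shown}</p>"


def build_demo_db():
    """In-memory table standing in for a site's users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("sarah", "member"), ("ken", "member")])
    return conn


def find_user_concatenated(conn, name):
    """The weak pattern: user input is pasted straight into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """The fix: the value is passed separately, so it is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare_lookups(name):
    """Run both lookups on the demo table; returns (concatenated, parameterized)."""
    conn = build_demo_db()
    return find_user_concatenated(conn, name), find_user_parameterized(conn, name)
```

Run against LOGIN_NAME, the concatenated query matches every row because the quote closes the string early, while the parameterized one matches nothing; the encoded search echo contains no live tag at all.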

----- Original Message ----- 
From: "Sarah" <poohbear at designshift.com>
To: <thelist at lists.evolt.org>
Sent: Thursday, June 26, 2003 5:36 AM
Subject: Re: [thelist] [tip] Macromedia even forgets (encoding user input)


:
: >Don't feel so bad... even the big boys forget.
: >
: >Open up macromedia.com and search on the following using the box in the
: >top-right corner:
: ><meta http-equiv="Refresh" content="0;url=http://www.intel.com">
: >
: >Ooops.
:
: I've had this message sitting in my inbox for a while, and every once in a
: while I think about it. But I am having a hard time figuring out a really
: bad thing that could happen as a result of not encoding user input. I know
: I used to do a lot of error checking on variables coming from the
: querystring until I decided that, if someone really wants to be a jerk and
: break my site by putting some garbage in the url, I just don't care what
: happens. But if something bad really could happen as a result, I'd like to
: know and prepare. All feedback on this is appreciated!
:
: Sarah
