Network Security: Detailed info on RE: XSS, SQL injection etc

Subject:	RE: XSS, SQL injection etc - permutations of input strings
Date:	Wed, 29 Sep 2004 14:33:43 -0400

Subject:

RE: XSS, SQL injection etc - permutations of input strings

Date:

Wed, 29 Sep 2004 14:33:43 -0400

 Yet, if you don't require it, it doesn't hurt.  Keep the name/value
pairs out of the browser history & web logs, if there's no real need to
have them there (and if it's not https, out of the proxy logs & referer
headers). Get rid of yet more possible sources of information
disclosure.

-Larry

-----Original Message-----
From: James Barkley [mailto:James.Barkley@noaa.gov] 
Sent: Tuesday, September 28, 2004 1:06 AM
To: focus@karsites.net; webappsec@securityfocus.com
Subject: Re: XSS, SQL injection etc - permutations of input strings

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0x6725FF31)
*** Signed:   9/28/2004 1:05:42 AM
*** Verified: 9/29/2004 2:30:41 PM
*** BEGIN PGP VERIFIED MESSAGE ***


Turning off GET requests may not buy you as much as you think.  Any
dedicated hacker who is going to be attempting xss or sql injection,
etc. probably knows how to save a page and tamper the post form vars.
Also, if you do regular log checks variable tampering through GET
requests is typically much easier to spot as the entire URL is logged
and you can see hacking attempts as part of the URL request.

*snip*

<Prev in Thread]	Current Thread	[Next in Thread>
List of Movies with security emphasis (in reply to: Hacking/security in main-stream media), (continued) List of Movies with security emphasis (in reply to: Hacking/security in main-stream media), saphyr Re: Hacking/security in main-stream media, Andrew Sledge Re: Hacking/security in main-stream media, Jason Merriman Re: Hacking/security in main-stream media, Damon Leung Re: Hacking/security in main-stream media, Vlado Blaskov RE: XSS, SQL injection etc - permutations of input strings, RSnake RE: XSS, SQL injection etc - permutations of input strings, Conacher, Chris RE: XSS, SQL injection etc - permutations of input strings, Keith Roberts RE: XSS, SQL injection etc - permutations of input strings, focus RE: XSS, SQL injection etc - permutations of input strings, Michael Silk RE: XSS, SQL injection etc - permutations of input strings, Shields, Larry <= Re: XSS, SQL injection etc - permutations of input strings, James Barkley

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: Securing file access, robbin
Next by Date:	Re: Securing file access, Subs
Previous by Thread:	RE: XSS, SQL injection etc - permutations of input strings, Michael Silk
Next by Thread:	Re: XSS, SQL injection etc - permutations of input strings, James Barkley
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: Securing file access, robbin

Next by Date:

Re: Securing file access, Subs

Previous by Thread:

RE: XSS, SQL injection etc - permutations of input strings, Michael Silk

Next by Thread:

Re: XSS, SQL injection etc - permutations of input strings, James Barkley

Indexes:

[Date] [Thread] [Top] [All Lists]