Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: #include file tag in HTML: possible issues?

from [Giuseppe DELL'ERBA] Network Security [Permanent Link]
Subject: RE: #include file tag in HTML: possible issues?
Date: Mon, 16 Jan 2006 11:43:08 +0100 
More details for your feedbacks: the application creates HTML pages, on URL 
basis, using templates.
The content aggregation logic is based on JSP. The application will retrieve 
these templates and, using TAGLIB technology, will substitute the TAGLIB with 
the dynamic content and metadata. The idea is to add the #include file tag in 
the new templates.
The contents and the templates come from company internal resources.

Thanks
Peppe


-----Original Message-----
From: Aman Raheja [mailto:araheja@techquotes.com] 
Sent: Sunday, January 15, 2006 5:12 PM
To: Giuseppe DELL'ERBA
Cc: webappsec@securityfocus.com
Subject: Re: #include file tag in HTML: possible issues?


What type of code are we talking about ?
Not knowing what type of code is the application or stored in the 
external file that gets inserted, it would be hard for anyone to think 
of the threat scenarios, let alone the suggestions for remediation. If the 
external file's contents are checked against different types of 
attacks that the particular code could possibly be vulnerable to, it 
should be fine.
Moreover, who created these external files is a valid concern, since you 
have not mentioned. If the external file's content is controlled that 
could be another layer of security towards the final application. Regards Aman 
Raheja

Giuseppe DELL'ERBA wrote:


Hi all,

I have to evaluate from security point of view an application that is 
going to add in its template pages the #include file tag.
This will allow a section of code to be inserted in the page, and the code 
that is inserted may be stored in an external file.  

Do you think this feature can introduce possible security threats? And, 
eventually, the remediation needed?

Thanks
Peppe



-----------------------------------------------------------------------
--
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-----------------------------------------------------------------------
---



 





-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Announcement: The Web Application Firewall Evaluation Criteria v1 Released, contact
Next by Date:  Re: Mambo File Inclusion Attacks, Mark Ryan del Moral Talabis
Previous by Thread:  Re: #include file tag in HTML: possible issues?, Aman Raheja
Next by Thread:  Re: #include file tag in HTML: possible issues?, Jon Hart
Indexes:  [Date] [Thread] [Top] [All Lists]