From: Marvin Simkin (Marvin.Simkin_at_asu.edu)
Date: Fri Oct 11 2002 - 16:07:24 CDT
Valdis.Kletnieks_at_vt.edu wrote:
> Remember - don't filter known bad chars. Filter *everything* *but* known good.
This is a fundamental rule of security... why do thousands of
programmers still not know this... </rant>
Filters can *help*, but there is *no* magic bullet for 100% CSS
protection, because CSS is so generic that it can arise anywhere a web
programmer makes a mistake. Consider this pseudocode:
PasswordSubmitTarget =
"https://www." + Server + ".com/login/checkpw.cgi"
Suppose the variable Server comes from an untrusted source somehow. An
attacker might find some way to manipulate the variable so that
passwords get submitted to the attacker's server. Yet the untrusted
variable could contain nothing but [a-z]!
The smartest programmer in the world cannot outsmart the stupidest
mistakes.
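The pseudocode above in runnable form, as an added example that is not part of the original message: the character whitelist from the post accepts any lowercase label, so the value has to be checked against the set of servers the application actually owns. The KNOWN_SERVERS set, the server names in it and the helper names are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed: the only server labels this application is supposed to use.
KNOWN_SERVERS = {"example", "exampleeu"}

# The post's "nothing but [a-z]" character whitelist.
CHAR_WHITELIST = re.compile(r"[a-z]+")


def target_char_filter_only(server: str) -> str:
    """The post's pseudocode guarded by a character whitelist only.
    Any lowercase label passes, including one nobody on our side controls."""
    if not CHAR_WHITELIST.fullmatch(server):
        raise ValueError("rejected by character filter")
    return "https://www." + server + ".com/login/checkpw.cgi"


def target_allowlisted(server: str) -> str:
    """Same URL construction, but the check is on meaning, not characters:
    the value must name a server we own."""
    if server not in KNOWN_SERVERS:
        raise ValueError("unknown server")
    return "https://www." + server + ".com/login/checkpw.cgi"


def submits_to_trusted_host(url: str) -> bool:
    """Does the built URL send the password to a host derived from a known server?"""
    host = urlparse(url).hostname or ""
    return host in {"www." + s + ".com" for s in KNOWN_SERVERS}


def accepted(builder, server: str) -> bool:
    """Helper: True if the builder accepts the value, False if it rejects it."""
    try:
        builder(server)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("example", "notours", "ex<ample"):
        print(value, accepted(target_char_filter_only, value),
              accepted(target_allowlisted, value))
```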