Re: CSS, CSS & let me give you some more CSS

From: Frog Frog (leseulfrogat_private)
Date: Tue Jan 29 2002 - 14:25:52 PST


    Nice... I just want to say that there is a tutorial in French about cross-site 
    scripting: http://balteam.multimania.com/Tuts/css.txt .
    If you have additions or advice, please send them to me...  Thx :)
    
    >From: "- phinegeek -" <phineat_private>
    >To: vuln-devat_private
    >Subject: CSS, CSS & let me give you some more CSS
    >Date: Tue, 29 Jan 2002 00:31:21 -0800
    >
    >A little while back I posted some info on a CSS bug I found on ebay,
    >http://securityfocus.com/archive/82/246275.
    >Just about every site (not joking) you go to has this type of vulnerability, 
    >it's nothing new. Luckily, CSS vulns are very easy to fix, after they are 
    >discovered.
    >However, you shouldn't have to wait until your site is prefixed with "Cross 
    >Site Scripting" on a Bugtraq posting. These types of errors, as well as 
    >many other similar (but less threatening) types, are the product of careless 
    >programming practices.
    >All you need is a method (call it SecureHTML()) that you run all your input 
    >through, before it gets displayed back to the user. This method would be 
    >used throughout your site in a modularized fashion.
    >Isn't this how we should be doing it anyway???
    >This simple principle can also be used for input that becomes part of an 
    >SQL statement (call it SecureSQL()) to guard against SQL injection.
    >Just modularize your code folks and make sure all your developers use the 
    >methods when dealing with input.
    >It's really that simple.
    >This is also not new, I guess you could call it prevention?
    >
    >and here's some fun.. a lot of Security issues =]
    >
    >Security Focus:
    >http://securityfocus.com/
    >(copy and paste the text below in the search box just like it is)
    >CSS OR "><SCRIPT><!-- ..tsk tsk tsk.. --></SCRIPT>"
    >
    >Digital Security:
    >http://www.eeye.com/html/forms/recommend.html?u=eeye.com/>alert('Digital+Security?');</SCRIPT>
    >
    >Internet Security:
    >http://www.iss.net/search.php?pattern=>alert('Internet+Security?');</script>
    >
    >Linux Security:
    >http://search.linuxsecurity.com/cgi-bin/htsearch?words="><script>alert('Linux+Security?')</script>
    >
    >Macintosh Security:
    >http://www.macintoshsecurity.com/search.php?query="><SCRIPT>alert('Macintosh+Security?')</SCRIPT>
    >
    >Social Security??:
    >http://www.ssa.gov/online/forms.html
    >(copy and paste the text below in the search box just like it is)
    >Social Security <SCRIPT>alert('Social Security?');</SCRIPT>
    >
    >
    >'phine
    >
    >p.s. none of the sites above have been notified.
    >If I were to tell them, I would feel guilty and have to tell the others I 
    >know about (too many), then I would have to quit my night job.
    >
    >------------------------------------------------------------
    >This email was sent through the free email service at 
    >http://www.anonymous.to/
    >To report abuse, please visit our website and click 'Contact Us.'
    
    
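The SecureHTML()/SecureSQL() idea from the quoted post, as an added Python example that is not part of the original thread: the function names, the search-page rendering and the in-memory table are assumptions, and the inputs are constructed in the shape of the post's search-box examples. It shows the reflected search term once echoed raw and once entity-encoded, and the lookup once built by string concatenation and once with a bound parameter.

```python
import html
import sqlite3

def secure_html(value: str) -> str:
    """Entity-encode untrusted text before it is written into an HTML page.
    & < > " and ' are encoded, so the value can neither close the attribute it
    sits in nor start a new tag."""
    return html.escape(value, quote=True)

def unsafe_render_search_page(query: str) -> str:
    """The pattern behind the reflected search-box examples: input echoed back
    into an attribute and into the body without any encoding."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'

def render_search_page(query: str) -> str:
    """Same page, but every reflection of the input goes through secure_html()."""
    safe = secure_html(query)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'

def unsafe_sql_lookup(conn: sqlite3.Connection, title: str) -> list:
    """String-built SQL: the input becomes part of the statement itself."""
    cur = conn.execute(f"SELECT title FROM docs WHERE title = '{title}'")
    return [row[0] for row in cur.fetchall()]

def secure_sql_lookup(conn: sqlite3.Connection, title: str) -> list:
    """The SecureSQL() idea done with a bound parameter (assumed name): the
    driver sends the input as data, so quotes inside it cannot alter the query."""
    cur = conn.execute("SELECT title FROM docs WHERE title = ?", (title,))
    return [row[0] for row in cur.fetchall()]

def demo_connection() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's search index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (title TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?)",
                     [("Cross Site Scripting",), ("SQL Injection",)])
    return conn

if __name__ == "__main__":
    # Constructed inputs in the shape of the ones in the post.
    xss = '"><SCRIPT>alert(1)</SCRIPT>'
    print(unsafe_render_search_page(xss))  # attribute closed, script tag is live
    print(render_search_page(xss))         # &quot;&gt;&lt;SCRIPT&gt;... shown as text
    conn = demo_connection()
    sqli = "x' OR '1'='1"
    print(unsafe_sql_lookup(conn, sqli))   # every row comes back
    print(secure_sql_lookup(conn, sqli))   # []: no title equals that literal string
```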



    This archive was generated by hypermail 2b30 : Tue Jan 29 2002 - 15:54:04 PST