RE: CROSS SITE-SCRIPTING Protection with PHP

From: Rob Shein (shotenat_private)
Date: Mon Oct 14 2002 - 08:24:14 PDT


    Sverre wrote:
    
    > We need a totally new development platform that makes it 
    > impossible to do the typical webappsec mistakes.  I'm not 
    > sure if it's doable, but I guess it would be possible to 
    > avoid all meta-character based exploits, such as Cross-site 
    > Scripting, SQL Injection, Shell Command Injection and so on.  
    > It's just a matter of encapsulating all communication with 
    > sub-systems (including the browser) in some reasonable and 
    > limited API.
    > 
    
    The problem with this scheme is that it requires that the browser be
    party to the security.  What about a blackhat using netcat?  Bye-bye to
    whatever security functionality was built into the browser, and all
    protection contained therein.
    


