12:19 Crosssite scripting | |
| Category: design Introduction of malicious html or javascript code on the site due to insufficient validation and convert the data. Allows you to change the look of the site and in some cases to "steal authorization" (get into the administrative or user interface without password). Solve the screening data in the derivation, the optimal solution is the automatic screening of the entire output to the information page, unless otherwise specified. XSS is the second "our all", then it may be advisable to follow the principle: "forbid everything that is not allowed", which works much better than the principle of "allowed everything that is not forbidden," methods of introducing XSS invented a hundred thousand million, and who knows how many of them not yet invented. Most people over-confidence leads to the input data, especially it looks cute when, after checking references (such as pagination) are going to blunt the query. Forgotten, for example, important fact that the line "1aaaa" in many languages ??easily cast to Tsiferki "1", and instead of "aaa" can put something even worse A separate line would like to mention adjusting color sites, I somehow collided with a system for creating skins, which the author was completely unaware of the ability of IE to perform a nice javascript code registered in exspression. We should not forget that the code injection can be done in javascript, so one photosite which made it possible to insert comments to the site photos, it is not bothered by the fact that the comment screen, resulting in a comfortable page fotochki could do a lot of interesting things. There are many more interesting incidents connected with the webmasters are attracted to different portals, and allows you to link to your profile, and the LJ nick, they often do not check carefully enough, so if you want you can go to write something like http:// myseosite.com /? and thus little to correct itself TIC and PR. | |
|
| |
| Total comments: 0 | |