IBM developerWorks have an article up on preventing cross-site scripting attacks. It seems like a good introduction to the topic. I hadn't heard of Apache::TaintRequest; it looks like one to check out.

--
Do not seek to follow in the footsteps of the wise. Seek what they sought. -Basho

Re: Introductory article on cross site scripting
by Anonymous Monk on Feb 16, 2004 at 16:38 UTC

    I'm just going to copy their horribly incorrect Listing 5:

    #!/usr/bin/perl
    use CGI;
    my $var1 = CGI->new();
    my $parameter = $cgi->param('text');
    print $var1->header();
    print "parameter";

    Where is $cgi ever defined? $var1 is the cgi object. How is this script vulnerable to scripting attacks? They print out the text 'parameter', not the variable $parameter. Someone really fudged things up here.

    Their methods for 'filtering' input are just weird. Anyone who just throws s/[^A-Za-z0-9 ]*/ /g; to filter input is just being... stupid? Invalid data should not be filtered out, it should be outright rejected and the user should be reprompted for valid input.

      Where is $cgi ever defined? $var1 is the cgi object. How is this script vulnerable to scripting attacks? They print out the text 'parameter', not the variable $parameter. Someone really fudged things up here.

      Is that the worst the article has to offer? This coulda been a last-minute addition that was published after tech-review. For instance, the tech-reviewer says "Looks great, but add a small example here." Since it is so small, the author doesn't bother to send it back to tech-review. It's a mistake; it happens. Can't you look past that?
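To make Anonymous Monk's point concrete, here is an added example (not from the developerWorks article and not code posted by anyone in this thread) that puts the article's strip-everything-unexpected filter next to a reject-and-reprompt check, and escapes whatever does get echoed into the page. It assumes a plain hashref standing in for CGI::param so it runs with core Perl and no web server; the 40-character limit and the error text are made up for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: contrasts silent stripping with outright rejection, and
# shows output escaping as a second layer regardless of which one is used.

# Article-style filter: silently drops every character outside the whitelist.
# "<script>" quietly becomes "script" and the user never learns their input
# was altered. (The article's regex replaces with a space; this one deletes.)
sub filter_by_stripping {
    my ($text) = @_;
    (my $clean = $text) =~ s/[^A-Za-z0-9 ]//g;
    return $clean;
}

# Reject-and-reprompt: accept only input that matches the whitelist exactly,
# otherwise return undef so the caller sends the form back with an error.
# The 40-character cap is an assumed limit for this example.
sub validate_text {
    my ($text) = @_;
    return unless defined $text;
    return unless length($text) <= 40;
    return unless $text =~ /\A[A-Za-z0-9 ]+\z/;
    return $text;
}

# Output encoding for the HTML body. Applied to every echoed value even after
# validation, so a later loosening of the whitelist cannot reintroduce XSS.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Builds the response body for one request. $params is a hashref standing in
# for CGI::param so the example runs without a web server or the CGI module.
sub render_page {
    my ($params) = @_;
    my $value = validate_text($params->{text});
    if (!defined $value) {
        return "<p>Please enter letters, digits and spaces only "
             . "(at most 40 characters).</p>\n"
             . "<form method=\"get\"><input name=\"text\"></form>\n";
    }
    return "<p>You entered: " . html_escape($value) . "</p>\n";
}

# Constructed sample requests: one benign, one carrying a script tag.
my %good = (text => 'hello monks');
my %bad  = (text => '<script>alert(1)</script>');

print "stripping filter turns the payload into: ",
      filter_by_stripping($bad{text}), "\n";
print render_page(\%good);
print render_page(\%bad);
```

Run it with `perl` on the command line; the first line shows what the stripping filter leaves behind, the second request renders normally, and the third is bounced back to the form instead of being silently rewritten. Note that validate_text and html_escape are independent: even if the whitelist were later widened to allow punctuation, the escaping step keeps the echoed value from being interpreted as markup.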