CSS, CSS & let me give you some more CSS

From: - phinegeek - (phine@anonymous.to)
Date: 01/29/02


Date: Tue, 29 Jan 2002 00:31:21 -0800
From: "- phinegeek -" <phine@anonymous.to>
To: vuln-dev@securityfocus.com


A little while back I posted some info on a CSS bug I found on eBay,
http://securityfocus.com/archive/82/246275.
Just about every site (not joking) you go to has this type of vulnerability; it's nothing new. Luckily, CSS vulns are very easy to fix after they are discovered.
However, you shouldn't have to wait until your site is prefixed with "Cross Site Scripting" on a Bugtraq posting. These types of errors, as well as many other similar (but less threatening) types, are the product of careless programming practices.
All you need is a method (call it SecureHTML()) that you run all your input through before it gets displayed back to the user. This method would be used throughout your site in a modularized fashion.
Isn't this how we should be doing it anyway???
This simple principle can also be used for input that becomes part of an SQL statement (call it SecureSQL()) to guard against SQL injection.
Just modularize your code folks and make sure all your developers use the methods when dealing with input.
It's really that simple.
This is also not new, I guess you could call it prevention?
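As an added example (this is not code from the post or from any of the sites it names), here is what the two choke-point methods described above could look like in Python, with the hypothetical names secure_html() and secure_sql_search(). It also puts a concatenated query beside the parameterized one, so the difference shows up on ordinary input containing an apostrophe; the table contents and the test string are constructed.

```python
import html
import sqlite3

# --- SecureHTML(): one choke point for anything echoed back into a page ---

def secure_html(value) -> str:
    """Escape untrusted text for HTML element content or a double-quoted
    attribute value. html.escape turns & < > " ' into entity references, so a
    value shaped like "><SCRIPT>...</SCRIPT> is rendered as literal text."""
    return html.escape(str(value), quote=True)


def render_search_page(query: str) -> str:
    """Hypothetical search-results template: every place the user's query is
    echoed goes through secure_html(), never raw string formatting."""
    q = secure_html(query)
    return (
        f'<form><input type="text" name="query" value="{q}"></form>\n'
        f"<p>Results for: {q}</p>"
    )


# --- SecureSQL(): parameterized query versus string building ---

def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles (title) VALUES (?)",
        [("Cross Site Scripting basics",), ("O'Reilly on SQL",), ("Buffer overflows",)],
    )
    conn.commit()
    return conn


def secure_sql_search(conn: sqlite3.Connection, pattern: str) -> list:
    """The user's text travels as a bound parameter: the driver handles
    quoting and the statement the engine parses never changes shape."""
    cur = conn.execute(
        "SELECT title FROM articles WHERE title LIKE ? ORDER BY id",
        ("%" + pattern + "%",),
    )
    return [row[0] for row in cur.fetchall()]


def unsafe_sql_search(conn: sqlite3.Connection, pattern: str):
    """The 'before' picture: input pasted into the statement text. Any quote
    in the input changes the query; returns None when the engine rejects it."""
    stmt = "SELECT title FROM articles WHERE title LIKE '%" + pattern + "%' ORDER BY id"
    try:
        return [row[0] for row in conn.execute(stmt).fetchall()]
    except (sqlite3.Error, sqlite3.Warning):
        return None


if __name__ == "__main__":
    # Constructed input, shaped like the search strings in the post above.
    payload = '"><SCRIPT>alert(1)</SCRIPT>'
    print(render_search_page(payload))
    db = build_demo_db()
    print(secure_sql_search(db, "O'Reilly"))   # the apostrophe is just data
    print(unsafe_sql_search(db, "O'Reilly"))   # None: the apostrophe broke the statement
```

Two caveats a practitioner should keep in mind: html.escape() is correct only for HTML text and quoted attribute values, so a value dropped into a JavaScript string, a URL, or a CSS block needs an encoder for that context; and a bound parameter protects the SQL grammar, not the LIKE wildcards, so % and _ in user input still act as wildcards unless an ESCAPE clause is used.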

and here's some fun... a lot of security issues =]

Security Focus:
http://securityfocus.com/
(copy and paste the text below in the search box just like it is)
CSS OR "><SCRIPT><!-- ..tsk tsk tsk.. --></SCRIPT>"

Digital Security:
http://www.eeye.com/html/forms/recommend.html?u=eeye.com/>alert('Digital+Security?');</SCRIPT>

Internet Security:
http://www.iss.net/search.php?pattern=>alert('Internet+Security?');</script>

Linux Security:
http://search.linuxsecurity.com/cgi-bin/htsearch?words="><script>alert('Linux+Security?')</script>

Macintosh Security:
http://www.macintoshsecurity.com/search.php?query="><SCRIPT>alert('Macintosh+Security?')</SCRIPT>

Social Security??:
http://www.ssa.gov/online/forms.html
(copy and paste the text below in the search box just like it is)
Social Security <SCRIPT>alert('Social Security?');</SCRIPT>

'phine

p.s. none of the sites above have been notified.
If I were to tell them, I would feel guilty and have to tell the others I know about (too many), then I would have to quit my night job.

------------------------------------------------------------
This email was sent through the free email service at http://www.anonymous.to/
To report abuse, please visit our website and click 'Contact Us.'


