Again - nope. If you believe that applying the "protection" only at the server side is enough, then you need to step out of your happy place a bit more often.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: David Farinic [mailto:davidf@xxxxxxx]
Sent: Wednesday, February 23, 2005 09:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

http://www.ISAserver.org

>[Jim] absolutely, unequivocally, irrefutably FUD. Script injection
>requires a client-server relationship or it can't be used.
>If the client never sends the request to the server, the server can't fall
>victim to it. Thus, be a good net-neighbor and block it at your outbound
>proxy.

The client can have several legitimate (RFC-valid) encapsulation methods to send a script injection within an HTTP request or within the HTTP payload. Blocking "<" ">" is just not enough, as there are other methods to inject script. Only the receiving web application can determine what data types are good/valid, as malicious input for one web application might be totally valid for other web applications.

There are specific filters such as URLScan (from MS), SecureIIS from eEye and others, which are installed at the web application side rather than at the client side (firewall/proxy/ISA server client side). The reason for this seems to be that applying input validation at the client side would simply block too many websites which might use these particular characters in a valid way. Therefore the current practice is that web developers have to use script injection detection tools and their application knowledge to find out about these vulnerabilities, i.e. they should audit their own code (or learn about it from full disclosure ;)).

Regards
David Farinic

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, February 23, 2005 4:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

Inline...

-----Original Message-----
From: David Farinic [mailto:davidf@xxxxxxx]
Sent: Wednesday, February 23, 2005 07:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

I never saw any RFC restriction to put "<" ">" out of any URL.

[Jim] There are several RFCs that deal with "improper" characters in URLs.

Anyway, it is used on the internet (as I mentioned some time ago); therefore restricting it will result in problems.

[Jim] It is being improperly used in request URLs - lazy web devs that don't understand the value of POST.

More security, less features; the ratio decision is up to you.

[Jim] At least we agree here.

Additionally, cross-site scripting checking has to be done on the web server application side, not at the client side level or the client's proxy; otherwise it doesn't solve the problem.

[Jim] absolutely, unequivocally, irrefutably FUD. Script injection requires a client-server relationship or it can't be used. If the client never sends the request to the server, the server can't fall victim to it. Thus, be a good net-neighbor and block it at your outbound proxy.

Regards
DavidF
callto://spaceq

________________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, February 23, 2005 3:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

Hi Rob,

This should be a good start: http://www.faqs.org/rfcs/rfc1630.html

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________________
From: Rob Moore [mailto:RMoore@xxxxxxxx]
Sent: Wednesday, February 23, 2005 8:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

Hey Jim--

Any chance you've had a mo to find these RFCs? I've been looking for them myself with no luck. If you could even just point me to the right place, that would be great.

Thanks,
Rob
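Added illustration of the point David makes in the thread (this is editor-supplied example code, not anything posted on the list or shipped with ISA Server, URLScan or SecureIIS): a proxy-side rule that rejects raw "<" and ">" never sees the percent-decoded value the web server sees, whereas application-side allow-list validation and context-aware output encoding hold regardless of how the value was transported. The request strings and field rules are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request targets (not taken from the thread).
REQUESTS = {
    "benign":  "/search?q=isa+server",
    "raw":     "/search?q=<script>alert(1)</script>",
    "encoded": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "good_id": "/item?id=42",
    "bad_id":  "/item?id=42%3Cb%3E",
}

def proxy_filter_blocks(url: str) -> bool:
    """Naive outbound-proxy rule: reject only if the URL, as transmitted,
    contains a literal '<' or '>'. It inspects bytes on the wire, not what
    the server will decode them into."""
    return "<" in url or ">" in url

def server_decoded_query(url: str) -> dict:
    """What the web application actually receives: the server percent-decodes
    the query string before handing values to application code."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}

# Application-side allow-list: only the application knows that 'id' must be
# a small positive integer. The proxy has no way to know this.
ITEM_ID = re.compile(r"^[0-9]{1,9}$")

def app_validate_item_id(value: str) -> bool:
    return bool(ITEM_ID.match(value))

def app_render_search_echo(q: str) -> str:
    """Application-side output encoding for an HTML text context. The value is
    escaped at the point of use, so raw and percent-encoded input end up the
    same harmless text."""
    return "<p>Results for: " + html.escape(q, quote=True) + "</p>"

def evaluate(url: str) -> dict:
    """Compare the two layers for one request: did the proxy rule fire, and is
    the application's rendered output free of markup from the input?"""
    q = server_decoded_query(url).get("q", "")
    rendered = app_render_search_echo(q)
    return {
        "proxy_blocked": proxy_filter_blocks(url),
        "app_sees": q,
        "app_output_has_tag": "<script" in rendered,
    }
```

Run evaluate() over REQUESTS["raw"] and REQUESTS["encoded"]: the proxy rule fires for the first and not the second, yet the application sees the identical decoded string in both cases and its escaped output contains no tag either way.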