"legit" sites need to rethink their web usage. Humungo request URLs are unnecessary and in many cases (like this), irresponsible. At no time was the request URL filter offered as a "be-all, end-all" solution - just a protection for this one attack mechanism (and frankly, the most often used - so the odds are with us, Obi-Wan). You're still arguing the "attack happens at the web server, therefore..", which is incorrect. We're talking about applying a blocking filter at the ISA that serves EBay clients, not EBay web servers (for the record, PayPal is a dangerous, irresponsible outfit). I don't give a rats a$$ if the web site is vulnerable - I do care if I'm part of the attack. My ISA doesn't protect EBay - it protects me from EBay. -----Original Message----- From: David Farinic [mailto:davidf@xxxxxxx] Sent: Thursday, February 24, 2005 5:06 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Script Injections http://www.ISAserver.org >If you believe that applying the "protection" only at the server side is >enough, then you need to step out of your happy place a bit more often. No I am not saying that. My concern was expressed just for your client side XSS blocking filter for ISA server. Our summary: Positive: 1. Blocks XSS attacks which make use of a parameter in the URL (GET request) at the client side. Negative: 1. Its creating new problems by filtering out "<" and ">". Legit sites are getting blocked. 2. Creating a false sense of security by creating a solution to cross site scripting which prevents only one attack vector a. XSS attacks can be exploited through a POST request b. XSS attacks can be launched through other means than GET or POST request by the victim. Examples: http://eyeonsecurity.org/advisories/YaBB-UBB/adv.htm c. It doesn't make a website secure. If e-bay is vulnerable to XSS and I'm behind your filter, e-bay is still not secure. If e-bay is still not secure, than neither am I because I need to trust e-bay. 3. 
There are ways to bypass the "<" and ">" filters. Since the vulnerability lies at the web application and not the client, the client cannot know the attack vector to execute the XSS attack. Conclusion: I believe that the bad outweighs the good. Regards David Farinic & Sandro@xxxxxxx -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Thursday, February 24, 2005 1:24 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Script Injections http://www.ISAserver.org Again - nope. If you believe that applying the "protection" only at the server side is enough, then you need to step out of your happy place a bit more often. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- This mail was checked for viruses by GFI MailSecurity. GFI also develops anti-spam software (GFI MailEssentials), a fax server (GFI FAXmaker), and network security and management software (GFI LANguard) - www.gfi.com ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit 
http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.
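The two sides of the thread agree on what the client-side filter does (it blocks any request whose URL carries "<" or ">") and disagree on whether that is worth the false positives and the blind spots. The following Python model, added here as an illustration and not code from ISA Server or from either poster, makes both halves of David's summary concrete: a filter that looks only at the request URL blocks the reflected-parameter case it was built for, blocks a legitimate request whose parameter merely contains an angle bracket (his negative point 1), and never sees the identical payload when it travels in a POST body (his point 2a). The `Request` class, the `shop.example` host and the three sample requests are constructed for the example.

```python
"""
Toy model of a forward-proxy request-URL filter of the kind debated in
the thread: any request whose URL (path or query) contains "<" or ">"
is blocked.  Constructed example, not ISA Server code.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass
class Request:
    method: str
    url: str
    body: str = ""   # carried along but never examined by url_filter()


def url_filter(req: Request) -> str:
    """Return 'block' or 'allow' from the request line alone.

    The path and query are percent-decoded once before matching so an
    encoded angle bracket is treated like a literal one.  Headers and the
    body are outside the filter's view by design; this is the scope limit
    the thread argues about.
    """
    parts = urlsplit(req.url)
    haystack = unquote(parts.path) + "?" + unquote(parts.query)
    if "<" in haystack or ">" in haystack:
        return "block"
    return "allow"


# Constructed sample traffic, one request per point made in the thread.
SAMPLE_REQUESTS = [
    # 1. reflected script in a GET parameter: the case the filter exists for
    Request("GET", "http://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    # 2. legitimate search whose term happens to contain "<" (false positive)
    Request("GET", "http://shop.example/search?q=price%3C100"),
    # 3. same payload as 1, but in a POST body with a clean URL (not inspected)
    Request("POST", "http://shop.example/search",
            body="q=%3Cscript%3Ealert(1)%3C/script%3E"),
]


def evaluate(requests):
    """Run the filter over a list of requests; returns (method, verdict) pairs."""
    return [(r.method, url_filter(r)) for r in requests]


def body_carries_markup(req: Request) -> bool:
    """What the URL filter cannot tell you: whether the body has angle brackets."""
    return "<" in unquote(req.body) or ">" in unquote(req.body)


if __name__ == "__main__":
    for req, (_, verdict) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(f"{req.method:4} {verdict:5}  body_has_markup={body_carries_markup(req)}  {req.url}")
```

Running it shows the URL filter returning block, block, allow: the legitimate "price<100" search is refused exactly like the script payload, while the POST carrying that payload passes because `url_filter` only ever reads the request line. `body_carries_markup` is included only to make the blind spot visible; a proxy that wanted to close it would have to parse request bodies, which is a different and considerably heavier filter than the one under discussion.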