RE: Script Injections

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 25 Feb 2005 08:06:18 -0800

Here y'go:
http://www.ietf.org/rfc/rfc1945.txt
http://www.ietf.org/rfc/rfc2396.txt
http://www.ietf.org/rfc/rfc1738.txt
http://www.ietf.org/rfc/rfc2616.txt

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Rob Moore [mailto:RMoore@xxxxxxxx] 
Sent: Thursday, February 24, 2005 06:45
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

http://www.ISAserver.org

More importantly--what about those RFCs??

Rob 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, February 24, 2005 9:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

http://www.ISAserver.org

"legit" sites need to rethink their web usage.  Humungo request URLs are
unnecessary and in many cases (like this), irresponsible.

At no time was the request URL filter offered as a "be-all, end-all"
solution - just a protection for this one attack mechanism (and frankly,
the most often used - so the odds are with us, Obi-Wan).

You're still arguing the "attack happens at the web server,
therefore..", which is incorrect.
We're talking about applying a blocking filter at the ISA that serves
EBay clients, not EBay web servers (for the record, PayPal is a
dangerous, irresponsible outfit).
I don't give a rats a$$ if the web site is vulnerable - I do care if I'm
part of the attack.
My ISA doesn't protect EBay - it protects me from EBay.

-----Original Message-----
From: David Farinic [mailto:davidf@xxxxxxx]
Sent: Thursday, February 24, 2005 5:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

http://www.ISAserver.org

>If you believe that applying the "protection" only at the server side is
>enough, then you need to step out of your happy place a bit more often.

No I am not saying that.

My concern was expressed just for your client side XSS blocking filter
for ISA server.

Our summary:

Positive:

1. Blocks XSS attacks which make use of a parameter in the URL (GET
request) at the client side. 

 
Negative:

1. It's creating new problems by filtering out "<" and ">". Legit sites
are getting blocked.

2. Creating a false sense of security by creating a solution to cross
site scripting which prevents only one attack vector

      a. XSS attacks can be exploited through a POST request

      b. XSS attacks can be launched through other means than GET or
POST request by the victim. Examples:
http://eyeonsecurity.org/advisories/YaBB-UBB/adv.htm

      c. It doesn't make a website secure. If e-bay is vulnerable to XSS
and I'm behind your filter, e-bay is still not secure. If e-bay is still
not secure, then neither am I because I need to trust e-bay. 

3. There are ways to bypass the "<" and ">" filters. Since the
vulnerability lies at the web application and not the client, the client
cannot know the attack vector to execute the XSS attack. 
 

Conclusion:

I believe that the bad outweighs the good.

Regards David Farinic & Sandro@xxxxxxx
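As an added illustration (not code from the thread or from ISA Server), the following Python models the client-side filter under discussion, one that blocks a request whose URL query contains "<" or ">", and runs it over constructed requests to show both negatives David lists: a legitimate search string is blocked, and the same content in a POST body is never seen. The request samples and function names are assumptions made for the example.

```python
# Added example: a minimal model of the client-side URL filter being debated
# (block GET requests whose query contains "<" or ">"), evaluated against
# constructed traffic. Sample URLs and function names are made up here.
from urllib.parse import urlsplit, unquote

ANGLE = ("<", ">")


def url_filter_verdict(method: str, url: str, body: str = "") -> str:
    """Return 'blocked' or 'allowed', looking only at the request URL.

    The body argument is accepted but ignored: this is the coverage gap
    that makes POST-based injection invisible to the filter."""
    query = unquote(urlsplit(url).query)  # assume the filter decodes %3C/%3E
    if any(ch in query for ch in ANGLE):
        return "blocked"
    return "allowed"


def body_aware_verdict(method: str, url: str, body: str = "") -> str:
    """Same rule, but also applied to a form-encoded POST body.

    Closes the POST gap, yet still blocks legitimate queries that
    happen to contain angle brackets (the false-positive problem)."""
    if url_filter_verdict(method, url) == "blocked":
        return "blocked"
    if method == "POST" and any(ch in unquote(body) for ch in ANGLE):
        return "blocked"
    return "allowed"


# Constructed samples: injected markup in a GET query, a legitimate search
# for "width < 10", and the same markup carried in a POST body instead.
SAMPLES = [
    ("GET", "http://shop.example/search?q=%3Cb%3Ehello%3C/b%3E", ""),
    ("GET", "http://shop.example/search?q=width+%3C+10", ""),
    ("POST", "http://shop.example/comment", "text=%3Cb%3Ehello%3C/b%3E"),
]


def evaluate(verdict_fn) -> list:
    """Apply one verdict function to every sample, in order."""
    return [verdict_fn(m, u, b) for m, u, b in SAMPLES]


if __name__ == "__main__":
    for name, fn in (("url-only", url_filter_verdict),
                     ("body-aware", body_aware_verdict)):
        print(name, evaluate(fn))
```

The url-only run yields blocked, blocked, allowed: the injected GET is caught, the innocent search is caught too, and the POST passes untouched.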

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, February 24, 2005 1:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

http://www.ISAserver.org

Again - nope.

If you believe that applying the "protection" only at the server side is
enough, then you need to step out of your happy place a bit more often.
-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

  


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.




