RE: Script Injections

  • From: "David Farinic" <davidf@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 23 Feb 2005 18:30:04 +0100

>[Jim] absolutely, unequivocally, irrefutably FUD.  Script injection 
>requires a client-server relationship or it can't be used.
>If the client never sends the request to the server, the server can't fall 
>victim to it.  Thus, be a good net-neighbor and block it at your outbound 
>proxy.

A client can have several legitimate (RFC-valid) encapsulation methods to send a 
script injection within the HTTP request or within the HTTP payload. Blocking "<" 
and ">" is just not enough, as there are other methods "to inject script".

Only the receiving web application can determine what data types are good/valid, as 
malicious input for one web application might be totally valid for other web 
applications.

There are specific filters, such as URLScan (from MS), SecureIIS from eEye and 
others, which are installed at the web application side rather than at the 
client side (firewall/proxy/ISA server client side). The reason for this seems 
to be that applying input validation at the client side would simply block too 
many websites which might use these particular characters in a valid way.

Therefore the current practice is that web developers have to use script 
injection detection tools and their application knowledge to find out about 
these vulnerabilities, i.e. they should audit their own code (or learn about it 
from full disclosure ;)).

Regards David Farinic
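
The encoding point in the message above, as an added worked example (written for this edit; it is not code from David's post, from ISA Server, URLScan or SecureIIS): a naive outbound-proxy rule that refuses any request URL containing a literal "<" or ">" is compared with what the receiving application actually sees after ordinary URL/form decoding. The sample requests are constructed, the "decode twice" application behaviour and the two per-field validation policies are assumptions made for illustration, and the proxy rule is a deliberately simple model of a URL-character filter, not any vendor's product.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample requests (not taken from the thread): request line plus
# an optional application/x-www-form-urlencoded body.  All four carry the
# same payload; only the encapsulation differs, and every form is RFC-valid.
SAMPLES = {
    "literal": ("GET /search?q=<script>alert(1)</script> HTTP/1.1", ""),
    "percent": ("GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1", ""),
    "double":  ("GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1", ""),
    "post":    ("POST /search HTTP/1.1", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
}


def proxy_blocks(request_line: str, body: str) -> bool:
    """Model of a naive outbound-proxy rule (assumption, not a real product):
    refuse the request if the *URL in the request line* contains a literal
    '<' or '>'.  The body is never inspected, which is exactly the gap a
    URL-character rule leaves open."""
    _method, url, _version = request_line.split(" ", 2)
    return "<" in url or ">" in url


def app_receives(request_line: str, body: str, decode_twice: bool = False) -> str:
    """What the receiving application sees for parameter 'q' after normal
    URL/form decoding.  decode_twice (an assumed application bug) models an
    app that unquotes a value its framework already decoded once, which is
    what turns %253C into '<'."""
    method, url, _version = request_line.split(" ", 2)
    query = urlsplit(url).query if method == "GET" else body
    value = parse_qs(query, keep_blank_values=True).get("q", [""])[0]
    return unquote(value) if decode_twice else value


def reaches_app_unfiltered(name: str) -> bool:
    """True when the proxy rule lets the request through *and* the
    application still ends up holding the raw <script> tag."""
    line, body = SAMPLES[name]
    seen = app_receives(line, body, decode_twice=(name == "double"))
    return not proxy_blocks(line, body) and "<script>" in seen


def render_search_echo(q: str) -> str:
    """The application-side defence: the app knows this value lands in HTML
    text, so it HTML-encodes it at the point of output, whatever encoding
    was used on the wire."""
    return "<p>You searched for: " + html.escape(q, quote=True) + "</p>"


# Hypothetical per-field input policies for two different applications,
# to show that "valid" is the receiving app's decision, not the proxy's.
FIELD_POLICIES = {
    # app A: a calculator field that legitimately needs '<' and '>'
    "inequality": re.compile(r"^[0-9 <>=+\-*/().]+$"),
    # app B: a username field where '<' is never legitimate
    "username": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
}


def app_accepts(field: str, value: str) -> bool:
    """Whitelist validation as only the receiving application can do it."""
    return FIELD_POLICIES[field].fullmatch(value) is not None


if __name__ == "__main__":
    for name, (line, body) in SAMPLES.items():
        seen = app_receives(line, body, decode_twice=(name == "double"))
        print(f"{name:8} proxy_blocks={proxy_blocks(line, body)!s:5} "
              f"app_sees={seen!r}")
    # A legitimate request for app A that the proxy rule would break:
    print("proxy blocks '1<2' for the calculator:",
          proxy_blocks("GET /calc?expr=1<2 HTTP/1.1", ""))
    print(render_search_echo(app_receives(*SAMPLES["percent"])))
```

Run stand-alone, the script shows the literal form being stopped by the proxy rule while the percent-encoded, double-encoded (given the assumed double decode) and POST-body forms all reach the application carrying the same tag; the calculator request with a harmless "1<2" is the one the rule does catch. The only place the value is reliably neutralised is render_search_echo and app_accepts, both of which live in the application.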

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Wednesday, February 23, 2005 4:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

http://www.ISAserver.org

Inline...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: David Farinic [mailto:davidf@xxxxxxx] 
Sent: Wednesday, February 23, 2005 07:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections


I never saw any RFC restriction that keeps "<" or ">" out of any URL.
[Jim] There are several RFCs that deal with "improper" characters in URLs

Anyway, it is used on the Internet (as I mentioned some time ago); therefore 
restricting it will result in problems. 
[Jim] It is being improperly used in request URLs - lazy web devs that don't 
understand the value of POST

More security, fewer features; the ratio decision is up to you.
[Jim] at least we agree here

Additionally, cross-site scripting checking has to be done on the web server 
application side, not at the client-side level or the client's proxy; otherwise it 
doesn't solve the problem.
[Jim] absolutely, unequivocally, irrefutably FUD.  Script injection requires a 
client-server relationship or it can't be used.
If the client never sends the request to the server, the server can't fall 
victim to it.  Thus, be a good net-neighbor and block it at your outbound proxy.

Regards DavidF
callto://spaceq

________________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, February 23, 2005 3:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections

Hi Rob,
 
This should be a good start
 
http://www.faqs.org/rfcs/rfc1630.html
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
 

________________________________________
From: Rob Moore [mailto:RMoore@xxxxxxxx] 
Sent: Wednesday, February 23, 2005 8:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Script Injections
Hey Jim--
 
Any chance you've had a mo to find these RFCs? I've been looking for them 
myself with no luck. If you could even just point me to the right place, that 
would be great.
 
Thanks,
Rob

