Quick answer: are you using a GET method with your action (I see these parameters in the URL)? Because this is bad for XSS. We use hidden fields with POST. But maybe I completely missed the point ;o)

Jacques

From: "Sascha Rodekamp" <sascha.rodekamp.lynx...@googlemail.com>
The main issue we focused on here was the fromDate parameter in the URL.

fromDate=2011-01-13 10:46:32.952

It's really bad to have a space in the URL, isn't it?

2011/1/13 Mirko Vogelsmeier <mirko.vogelsme...@lynx.de>

Hi there,

I've been working on some basic newsletter-signup stuff with OptInCodes.
When accepting an OptInCode the user has to pass through 4 different
variables (OptInCode + 3 primary keys).
Apart from this not looking nice at all for any given user, it reveals some
of our primary keys, which has an impact on security.

This is what my URL looks like:

.../updateNewsletterStatus?contactListId=1000&partyId=10020&fromDate=2011-01-13 10:46:32.952&optInVerifyCode=9744644563

I thought about creating an entity with one primary key and 4 foreign keys
(from the above URL).
The primary key could then be a hash value that is passed through by a
user.
What do you think about this idea?

Greetings,
Mirko



Mirko Vogelsmeier
Auszubildender Fachinformatiker AEW
Lynx-Consulting GmbH
Johanniskirchplatz 6
33615 Bielefeld
Deutschland
Fon: +49 521 5247-0
Fax: +49 521 5247-250
--
Sascha Rodekamp
   Lynx-Consulting GmbH
   Johanniskirchplatz 6
   D-33615 Bielefeld
   http://www.lynx.de
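To make the idea discussed above concrete, here is an added example (not OFBiz code and not from anyone in this thread) of the single-key lookup entity Mirko proposes, with the link carrying only an opaque token instead of the four values, and of the percent-encoded form the current URL needs so the space in fromDate does not break it. `OptInTokenStore` and the sample parameter values are constructed for this example; a real implementation would persist the rows in a database table.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values mirroring the four parameters from the thread.
SAMPLE = {"contactListId": "1000", "partyId": "10020",
          "fromDate": "2011-01-13 10:46:32.952", "optInVerifyCode": "9744644563"}


class OptInTokenStore:
    """In-memory stand-in for the proposed entity: one opaque key -> the four real values."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self._rows = {}          # sha256(token) -> (fields, expires_at)
        self.ttl = ttl_seconds

    @staticmethod
    def _digest(token):
        # Store only a digest: a leaked table does not yield redeemable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, fields, now=None):
        now = time.time() if now is None else now
        # 256 random bits, not a hash of the keys (a hash of guessable ids is guessable too).
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = (dict(fields), now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the stored fields once, or None if unknown, already used or expired."""
        now = time.time() if now is None else now
        row = self._rows.pop(self._digest(token), None)   # pop: one-time use
        if row is None:
            return None
        fields, expires_at = row
        return None if now > expires_at else fields


def build_link(base, token):
    # Only the opaque token travels in the URL; no primary keys, no spaces.
    return base + "?" + urlencode({"token": token})


def token_from_link(url):
    return parse_qs(urlsplit(url).query).get("token", [None])[0]


def encoded_legacy_link(base, fields):
    # If the four values must stay in the URL, percent-encode them (space -> %20).
    return base + "?" + urlencode(fields, quote_via=quote)
```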

