Must reading:

http://www.owasp.org/documentation/topten.html

Welcome to the OWASP Top Ten Project

The OWASP Top Ten provides a minimum standard for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. There are currently versions in English, French, Japanese, and Korean. A Spanish version is in the works. We urge all companies to adopt the standard within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.


On Tuesday, September 21, 2004, at 11:43 PM, Ben Johansen wrote:

Hi Roland,

This is very unlikely; it is more likely that they would try to add SQL
statements in the input field.

First of all, the data type constraints of the database field would probably
either prevent the saving of the offensive code or, most likely,
truncate it.


Even if there is supposedly evil script saved in the data, when pulled from
the database it is not being viewed in a manner that will execute it.


Plus, most firewalls and antivirus servers and clients will block it in the
unlikely event that the script is intact.

I have had this attempt happen to me, but the hacker didn't realize that the
form didn't save to the database but was just emailed to me. I have viewed the
code in Outlook without any issues.


Ben Johansen

-----Original Message-----
From: Roland Dumas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 8:15 PM
To: [EMAIL PROTECTED]
Subject: Witango-Talk: Security question

Have a client who is asking questions about security. Specifically, if there
is a field that is entered via web form and then placed in a database, is
there the possibility that evil scripts can be submitted that will do evil
things either to the database or to a user reading the content of that
column?
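As an added example that is not part of the thread: the two boundaries Roland's question touches are the database (can submitted text become a SQL statement?) and the reader's browser (can stored text become script?). The sample comment and the SQLite schema below are constructed for this illustration; binding the value as a parameter keeps it inert at the first boundary, and escaping at render time keeps it inert at the second.

```python
import html
import sqlite3

# Constructed sample input: a comment that carries both SQL syntax and an
# HTML script element, as a web form might receive it.
SAMPLE_COMMENT = "Nice site'); DROP TABLE comments; -- <script>alert('x')</script>"


def open_db():
    """In-memory SQLite database standing in for the application's store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return db


def save_comment(db, body):
    """Store the submission with a bound parameter: the driver passes the
    value as data, so SQL syntax inside it is never parsed as a statement."""
    db.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    db.commit()


def render_comment(body):
    """Escape at the output boundary: the browser receives literal text,
    so markup inside the stored value cannot run as script."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def table_exists(db, name):
    row = db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def demo():
    """Round-trip the sample through storage and rendering and report
    what a defender would check at each boundary."""
    db = open_db()
    save_comment(db, SAMPLE_COMMENT)
    stored = db.execute("SELECT body FROM comments").fetchone()[0]
    return {
        "table_intact": table_exists(db, "comments"),
        "stored_verbatim": stored == SAMPLE_COMMENT,
        "rendered": render_comment(stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Escaping belongs at the rendering step rather than at storage, so the same stored value can be emitted into HTML, e-mail or another context, each through its own encoder.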



________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
