Re: WebObjects and HTML injection

  • Subject: Re: WebObjects and HTML injection
  • From: Patrick Middleton <email@hidden>
  • Date: Thu, 22 Jul 2010 17:40:46 +0100


On 22 Jul 2010, at 12:49, Anjo Krank wrote:

> Why would you "preserve" the session id when it's no longer valid?
>
> Cheers, Anjo
>
> On 22.07.2010 at 13:28, Patrick Middleton wrote:
>
>> in order to sanitize inputs -- mostly by removing anything containing the likes of '<script'. What do you think?


Preserve the session id when it's no longer valid? Anjo, are you saying my application should have sanitised its inputs?

When I wrote the app I considered how a session ID might not be valid, and what the app would do:
timed out: give a 'timed out' response page
ought to exist, but the instance has crashed and restarted: give a 'timed out' response page
redirected to the wrong instance by the load balancer: give a 'timed out' response page
and so on.


I didn't explicitly preserve the session ID. What I did not consider was someone cooking up an interesting bogus sessionID and then finding a page accessible by a direct action that had some component action URLs on it, so that in the event of the session ID not being valid, I would need to take steps to ensure it did not appear in the response.

Moreover, while the sessionID is an excellent place to start for anybody probing for security vulnerabilities in a WO app, it's not the only place -- I think every form value, cookie and CGI argument needs to be sanitised.


--
Regards
Patrick
OneStep Solutions Plc
www.onestep.co.uk



This email, including any attachments, is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient you must not disseminate, distribute or copy any part of this email nor take any action in reliance on it.

If you have received this in error please notify the sender immediately by email or phone +44 (0)1702 426400 and delete this email and any attachments from your system.

Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission. If verification is required please request a hard-copy version.

OneStep Solutions LLP is registered in England and Wales under registration number OC337173 and has its registered office at 457 Southchurch Road, Southend-on-Sea, Essex SS1 2PH.
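The failure mode Patrick describes is a session ID that is no longer (or never was) valid being copied straight into the component action URLs of a page reached through a direct action. The following Java class is an added example, not code from this thread or from WebObjects itself: it applies a structural check to the incoming ID, drops the ID from generated URLs whenever it is malformed or the session is known to be invalid, and HTML-escapes it in the one place a "timed out" page might legitimately need to show it. The 20-to-64 alphanumeric format, the `wosid` query key and the `/cgi-bin/WebObjects/App.woa/wo/Page` path are assumptions for illustration, not facts from the page.

```java
import java.util.regex.Pattern;

// Added example, not code from the thread or from WebObjects itself.
// Assumptions: session ids in this app are 20 to 64 alphanumeric characters,
// and "wosid" is the query key under which the app carries the session id.
public final class SessionIdGuard {

    private static final Pattern WELL_FORMED = Pattern.compile("[A-Za-z0-9]{20,64}");

    /** Structural check only: a well-formed id can still be expired or unknown. */
    public static boolean isWellFormed(String sid) {
        return sid != null && WELL_FORMED.matcher(sid).matches();
    }

    /** Escape the five characters that matter in HTML text and attribute values. */
    public static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Build a component action URL for a page served by a direct action.
     * If the session is invalid or the id is malformed, the id is dropped
     * rather than echoed, so a crafted value never reaches the response.
     */
    public static String componentActionUrl(String base, String sid, boolean sessionValid) {
        if (!sessionValid || !isWellFormed(sid)) {
            return base;                 // the framework can mint a fresh session on the next request
        }
        return base + "?wosid=" + sid;   // already validated against WELL_FORMED: safe to embed
    }

    public static void main(String[] args) {
        String base  = "/cgi-bin/WebObjects/App.woa/wo/Page";   // assumed path layout
        String good  = "AbCdEfGhIjKlMnOpQrStUvWx";               // constructed, 24 chars
        String bogus = "x\"><script>x";                          // constructed malformed id

        // Valid session, well-formed id: id is carried in the URL.
        System.out.println(componentActionUrl(base, good, true));
        // Invalid session and malformed id: only the bare path is emitted.
        System.out.println(componentActionUrl(base, bogus, false));
        // If a timed-out page must mention the id it received, escape it first.
        System.out.println("<p>Session " + htmlEscape(bogus) + " has expired.</p>");
    }
}
```

The same two steps (validate the shape, then escape at the point of output) apply to every form value, cookie and CGI argument the application reflects, not only to the session ID; the validator above is deliberately a whitelist rather than a blacklist of strings such as `<script`, because a denylist has to anticipate every encoding an input can arrive in.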


  • Follow-Ups:
    • Re: WebObjects and HTML injection
      • From: Anjo Krank <email@hidden>
    • Re: WebObjects and HTML injection
      • From: George Domurot <email@hidden>
  • References:
    • WebObjects and HTML injection
      • From: Patrick Middleton <email@hidden>
    • Re: WebObjects and HTML injection
      • From: Anjo Krank <email@hidden>
