
Re: [WEB SECURITY] How to avoid XSS into PDF Files, using java



On 5/18/07, Cruz, Edwin (GE, Corporate, consultant) <edwin.cruz@xxxxxx> wrote:
> I have to create a routine that verifies the content of a PDF file uploaded
> through an HTML form. I check the content type, but if some malicious XSS
> code is inserted into that PDF file, it is not detected. I'd like to know if
> there is a known way to avoid this problem. Should I use the Java PDF
> library to verify the content? I know that I could avoid the problem if I
> send a content disposition in the headers, but I cannot do it.
>
> Any suggestions are welcome

You could host the file using a different virtual hostname, to limit the damage that XSS could do to your site. If you use domain cookies for anything you'd need a different DNS domain as well.

Regards,
Brian
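
The following is an added example, not part of the message above or of any code posted to the list: a small Java check of whether a candidate hostname for serving uploaded files is separated from the application, both as a host and with respect to cookies set with a Domain attribute. The class name, method names and hostnames are assumptions chosen for illustration.

```java
import java.util.List;
import java.util.Locale;

/** Added example: is a host chosen for serving uploads isolated from the application? */
public class UploadHostCheck {

    /** Cookie domain-match (RFC 6265, section 5.1.3): host equals the domain or is a subdomain of it. */
    static boolean domainMatches(String host, String cookieDomain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) {
            d = d.substring(1);              // a leading dot in the Domain attribute is ignored
        }
        return h.equals(d) || h.endsWith("." + d);
    }

    /**
     * cookieDomains lists the Domain attributes the application sets on its cookies.
     * Cookies set without a Domain attribute are host-only and need no entry here.
     */
    static String check(String appHost, List<String> cookieDomains, String uploadHost) {
        if (uploadHost.equalsIgnoreCase(appHost)) {
            return "SAME HOST: script carried by an uploaded file runs as the application";
        }
        for (String d : cookieDomains) {
            if (domainMatches(uploadHost, d)) {
                return "COOKIE EXPOSED: cookies with Domain=" + d + " are also sent to " + uploadHost;
            }
        }
        return "OK: separate host, and no domain cookie reaches it";
    }

    public static void main(String[] args) {
        // Constructed sample values; every hostname here is a placeholder.
        String appHost = "www.example.com";
        List<String> cookieDomains = List.of("example.com");   // application sets Domain=example.com
        List<String> candidates = List.of(
                "www.example.com",             // same host as the application
                "files.example.com",           // different virtual hostname, same DNS domain
                "files.example-uploads.net");  // different DNS domain
        for (String candidate : candidates) {
            System.out.println(candidate + " -> " + check(appHost, cookieDomains, candidate));
        }
    }
}
```

With these sample values only the third candidate is reported as isolated; the second is a different host but still receives the domain cookie.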

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org