RE: [WEB SECURITY] Cross Site Scripting
- From: Paul Schmehl <pauls@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Cross Site Scripting
- Date: Thu, 20 Sep 2007 14:38:40 -0500
--On Thursday, September 20, 2007 18:07:50 +0000 "Hoffman, Billy" <billy.hoffman@hp.com> wrote:
>
> Recently I've been trying to think of a better way for the average Joe
> to understand Blacklists/whitelist. I used to talk about metal detectors
> at airports, and how they are a blacklist for metal. As soon as
> terrorists decide they can use ceramic knives, your metal detector stops
> working. Unfortunately this analogy freaks people out, and I really
> don't have a good real-world equivalent for whitelist input validation.
> Do you just get naked at the airport? J
>
How about this?
Blacklist - do not bring knives, scissors, fluids over 4 ounces, etc., etc.
Whitelist - you can only bring valid US coins and currency, keys and a cell phone. Everything else is disallowed.
-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
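The airport rule above, carried into input validation code. This is an added example and not code from the thread; it assumes a hypothetical "display name" form field, and the sample inputs are constructed. The blacklist passes anything it was never told about (the ceramic knife), while the whitelist only admits the declared set.

```python
import re
import html

# Blacklist: reject input containing a known-bad fragment. Like the metal
# detector, it only catches what it was told to look for.
BLACKLISTED_FRAGMENTS = ("<script",)

def blacklist_ok(value: str) -> bool:
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLISTED_FRAGMENTS)

# Whitelist: accept only a declared character set and length; everything
# else is disallowed. This is the "only coins, keys and a cell phone" rule.
# The allowed set for a display name is an assumption for this example.
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 ._'-]{1,40}$")

def whitelist_ok(value: str) -> bool:
    return DISPLAY_NAME_RE.fullmatch(value) is not None

def validate_display_name(value: str) -> str:
    """Whitelist-validate, then HTML-escape for output as defence in depth."""
    if not whitelist_ok(value):
        raise ValueError("display name contains disallowed characters")
    return html.escape(value, quote=True)

# Constructed sample inputs (not taken from the original thread).
SAMPLES = [
    "Paul Schmehl",        # ordinary name
    "O'Brien-Smith",       # apostrophe and hyphen are on the allow list
    "<b>bold name</b>",    # harmless markup the blacklist never enumerated
    "name<script>x",       # the one fragment the blacklist does know about
]

def compare(samples=SAMPLES):
    """Return {input: (blacklist_verdict, whitelist_verdict)} per sample."""
    return {s: (blacklist_ok(s), whitelist_ok(s)) for s in samples}

if __name__ == "__main__":
    for s, (b, w) in compare().items():
        print(f"{s!r:22} blacklist={'pass' if b else 'reject':6} "
              f"whitelist={'pass' if w else 'reject'}")
```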
Brought to you by http://www.webappsec.org