
August 25, 2005

Someone left a mean message on the guestbook, though we've decided to keep it up for posterity and to set an example of the hatred that people can bring... that, and I lost the password and have to manually edit the database, and I'm not up for that now... so why am I up now? because I was thinking about cross site scripting and problems coming from it -- and obviously solutions for it and ways of helping to prevent it. For those who don't know there's a decent little tutorial here, but the idea is that one client can give a script a (possibly malicious) string which is then processed and ends up in the output of a further page. Then that code can be executed and possibly do bad things... the main problem is that you are taking untrusted information (from a client) and giving it to side-effecting functions such as echo and exec... for example, take this page. There is a very simple exploit in this line:
// Every query-string parameter is echoed back into the page unescaped.
foreach ($_GET as $key => $val) {
  echo "<tr><td>$key</td><td>";
  if ($val == "jeff" || $val == "alert(123);") {
    // $val is interpolated straight into an onclick handler, so the
    // client-supplied string becomes JavaScript that runs on click.
    echo "<a href=# onclick='javascript:$val'>$val</a>";
  } else {
    echo "<font color=red>omitted</font>";
  }
  echo "</td></tr>";
}
where I stuff whatever the client gives me (as long as it's 'jeff' or 'alert(123);' for my security) into a script that can be executed by clicking on it. So if you click this link
http://jeffpalm.com/code/xss.php?name=jeff
You see that 'jeff' ends up in the link... however if you click this
http://jeffpalm.com/code/xss.php?name=alert(123);
we've now stuffed a little executable code from the input into the output page, and if you click the link under value you get a little javascript executed. Any other variable is skipped, which is the right behavior, but lots and lots of websites have vulnerabilities such as this... anyway, I was thinking about it and continued this morning. I was thinking about it last night, but as the post below explains (and if I wasn't *totally* clear in my explanation, I got drunk at dinner) I didn't get the amount of thinking I wanted last night.... so here I am, blabbering on, which is fine. [Far is on]... I was somewhat saddened to read that Jason Schwartzman isn't in Phantom Planet anymore. I had never really listened to them much, but from what I hear they're good, and their 'sounds like' section sounds yummy (a footnote: I was made fun of for using that word yesterday, so I'm using it again). OK. It's tempo run day, and I am done with my nth cup of coffee, so it's time to run.
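For contrast, here is an added example (not code from the original xss.php page) of the same loop written so that the client's string can never become code. Two changes do the work: the untrusted value is escaped with htmlspecialchars before it is echoed, and it is never placed inside a script or onclick context at all, since HTML escaping alone does not make a string safe inside JavaScript. The allowlist value 'jeff', the link target, and the sample input are assumptions for the sake of the example.

```php
<?php
// Added example, not the original post's code: the same table-rendering
// loop with the untrusted $_GET value escaped and kept out of script context.

// Escape a string for HTML text content or a double-quoted attribute value.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the table rows. Returns the HTML rather than echoing it so the
// caller decides when and where it is written.
function render_rows(array $params): string {
    $allowed = ['jeff'];   // assumed allowlist: the only value that gets a link
    $out = '';
    foreach ($params as $key => $val) {
        // $_GET can carry arrays (name[]=x); only plain strings are rendered.
        if (!is_string($val)) {
            continue;
        }
        $out .= '<tr><td>' . h((string)$key) . '</td><td>';
        if (in_array($val, $allowed, true)) {
            // The value is a plain href, URL-encoded, and still HTML-escaped
            // as text. No onclick, no inline JavaScript.
            $out .= '<a href="/code/xss.php?name=' . rawurlencode($val) . '">'
                  . h($val) . '</a>';
        } else {
            // Anything else is shown as inert text: alert(123); or
            // <script>...</script> renders as literal characters.
            $out .= '<span style="color:red">' . h($val) . '</span>';
        }
        $out .= "</td></tr>\n";
    }
    return $out;
}

// Constructed sample input standing in for $_GET.
$sample = [
    'name'  => 'alert(123);',
    'other' => '<script>alert(1)</script>',
    'who'   => 'jeff',
];
echo "<table>\n" . render_rows($sample) . "</table>\n";
```

Running this with the constructed input prints the first two values as visible, red, non-clickable text (the angle brackets arrive in the page as `&lt;` and `&gt;`), and only the allowlisted 'jeff' becomes a link, and even that link carries no inline script.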


       [and I'm listening to the new death cab *NOW* ]

ooooo, and here's a histogram of my past blogging activity:
06/2003  **********
07/2003  ***
08/2003  *****
09/2003  ******
10/2003  ***
11/2003  *****
12/2003  ***
01/2004  **********
02/2004  *******
03/2004  *****
04/2004  *******************
05/2004  *********
06/2004  *****
07/2004  *************
08/2004  *****************
09/2004  *************
10/2004  ******************
11/2004  ******************
12/2004  *********
01/2005  **************
02/2005  **********************
03/2005  ***********************************************
04/2005  *************
05/2005  ***************
06/2005  *****************
07/2005  *****************
08/2005  **********************


Posted by jeff at August 25, 2005 05:56 AM