This person/company contacted me "out of the blue" about some potential security issues with our online web checking service.
I have addressed the major issues brought up. There was definitely an issue I overlooked that was brought to my attention - which I have fixed.
If anyone is looking for an inexpensive security audit for their site, then you may want to look into this person/company as they seem to offer a great value as far as security audit pricing is concerned. The downside is that English does not appear to be their first/primary language (website is not in English).
Contact info (translated English version):
http://translate.google.com/translate?h ... l=uk&tl=en
Security Audit / Websecurity
-
- Site Admin
- Posts: 3785
- Joined: Sat Dec 11, 2004 9:23 am
- Location: Near Dallas, TX
Security Audit / Websecurity
Albert Wiersch, CSS HTML Validator Developer • Download CSS HTML Validator FREE Trial
-
- Rank 0 - Newcomer
- Posts: 1
- Joined: Sat Dec 04, 2010 6:19 am
Re: Security Audit / Websecurity
Hello Albert!
In addition to previous vulnerabilities, today I wrote you about new vulnerabilities at your site. These are Cross-Site Scripting (WASC-08) and Insufficient Anti-automation (WASC-21) vulnerabilities.
Always attend to the security of all of your web sites and web software, and to security audits.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
-
- Rank VI - Professional
- Posts: 726
- Joined: Mon Dec 13, 2004 1:50 pm
- Location: Tannhauser Gate
Re: Security Audit / Websecurity
This looks interesting but I didn't initially see enough to get a good handle on it.
What are the reports like? In English? Is there an online sample of what you get?
-
- Site Admin
- Posts: 3785
- Joined: Sat Dec 11, 2004 9:23 am
- Location: Near Dallas, TX
Re: Security Audit / Websecurity
MustLive wrote:
Hello Albert!
In addition to previous vulnerabilities, today I wrote you about new vulnerabilities at your site. These are Cross-Site Scripting (WASC-08) and Insufficient Anti-automation (WASC-21) vulnerabilities.
Thanks! The cross-site issue should be addressed. I am considering what to do about the weak anti-automation issue.
For people who might be interested in more details, I use PHP and was using something like this:
<input id="subject" value="<?php echo($subject); ?>" name="subject" type="text">

<input id="subject" value="<?php echo(htmlspecialchars($subject)); ?>" name="subject" type="text">
-
- Rank VI - Professional
- Posts: 726
- Joined: Mon Dec 13, 2004 1:50 pm
- Location: Tannhauser Gate
Re: Security Audit / Websecurity
Thanks for that Albert.
I don't use PHP a lot, can you confirm I've got this right.
On your server somehow the variable $subject could contain code. So you encode the result which will disable any script links (< goes to &lt; etc.).
This is not a direct vulnerability but a mechanism through which a compromised "variable/mutable-element" can be deployed.
-
- Site Admin
- Posts: 3785
- Joined: Sat Dec 11, 2004 9:23 am
- Location: Near Dallas, TX
Re: Security Audit / Websecurity
Hi Mike,
Yep, that sounds right.
An end user could potentially set $subject to something like this:
"><script>... do something ...</script>
Which would result in the output:
<input id="subject" value=""><script>... do something ...</script>" name="subject" type="text">
Which would cause the script to execute on the user's browser.
I suppose it could be used to insert nefarious code from another site and make it look like it was from our site.
Just have to remember to always use that htmlspecialchars() function wherever needed!
-
- Rank VI - Professional
- Posts: 726
- Joined: Mon Dec 13, 2004 1:50 pm
- Location: Tannhauser Gate
Re: Security Audit / Websecurity
I see more of the scenario you're looking at.
Thanks.
The first line of defence then, is that process that takes user input and defuses some potential hacks. (Like that code you write to make sql injection fail.)
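The attribute-injection scenario Albert walks through above, and Mike's point about filtering input as the first line of defence, as an added example in PHP. This is not code from the thread or from the CSS HTML Validator site; render_unsafe(), render_safe(), naive_filter(), value_round_trips() and the payload strings are illustrative names and constructed inputs. It shows the raw echo beside the htmlspecialchars() fix, a DOM-level check that the encoded value survives intact, and why a tag-stripping input filter on its own is not enough (the second payload carries no angle brackets at all).

```php
<?php
// Added example (not from the forum thread): reflected XSS inside a
// double-quoted HTML attribute, the htmlspecialchars() fix, and a check that
// the fix actually holds. All names and inputs below are illustrative.

// The vulnerable pattern discussed in the thread: user input echoed raw into
// the value attribute (in the real site $subject would come from the request).
function render_unsafe(string $subject): string {
    return '<input id="subject" value="' . $subject . '" name="subject" type="text">';
}

// The fix from the thread, with explicit flags: ENT_QUOTES also encodes single
// quotes (needed if the attribute is ever single-quoted), and naming the
// charset avoids depending on the PHP version's default (ENT_COMPAT before 8.1).
function render_safe(string $subject): string {
    $encoded = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input id="subject" value="' . $encoded . '" name="subject" type="text">';
}

// A naive "first line of defence" that strips anything looking like a tag.
// Included only to show that input filtering does not close this hole.
function naive_filter(string $subject): string {
    return preg_replace('/<[^>]*>/', '', $subject);
}

// Check (assumed helper): parse the safe output and confirm the browser-side
// view of the attribute equals the original string, with no extra attribute
// or <script> element smuggled in.
function value_round_trips(string $subject): bool {
    $doc = new DOMDocument();
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . render_safe($subject) . '</body></html>');
    $inputs = $doc->getElementsByTagName('input');
    if ($inputs->length !== 1) {
        return false;
    }
    $el = $inputs->item(0);
    return $el->getAttribute('value') === $subject
        && !$el->hasAttribute('onfocus')
        && $doc->getElementsByTagName('script')->length === 0;
}

// Constructed payloads. The first is the one from the thread; the second needs
// no angle brackets: it closes the attribute and adds an event handler, so a
// tag-stripping filter passes it through unchanged.
$payloads = [
    '"><script>alert(1)</script>',
    '" onfocus="alert(1)" autofocus="',
];

foreach ($payloads as $p) {
    echo "Payload: $p\n";
    echo "  unsafe:          " . render_unsafe($p) . "\n";
    echo "  filtered+unsafe: " . render_unsafe(naive_filter($p)) . "\n";
    echo "  safe:            " . render_safe($p) . "\n";
    echo "  value intact:    " . (value_round_trips($p) ? 'yes' : 'no') . "\n\n";
}
```

Run it with the PHP CLI (php example.php). The filtered line for the second payload is identical to the unfiltered one, which is the practical caveat: validation at the input boundary is worth having, but the defence that actually stops this class of bug is encoding for the specific output context (HTML attribute here; a different encoder is needed for JavaScript, URL or CSS contexts), applied at the point where the data is written into the page.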