[nycphp-talk] Web app security scanners
inforequest
1j0lkq002 at sneakemail.com
Wed Apr 19 15:24:33 EDT 2006
Dan Cech dcech-at-phpwerx.net |nyphp dev/internal group use| wrote:
>max wrote:
>
>
>>Well, I personally use switch() to filter main input (like index.php?section=about)
>>and then everything that's GET or POST goes into addslashes and either has html/script things stripped, or converted to htmlentities.
>>If you look at preg_replace on the php.net manual, you'll find some examples on how to strip html/script tags easily.
>>This audit was still useful in my opinion. It's good to be able to see what someone who charges, and apparently successfully, for their scanning software would do to simulate real attacks.
>>Obviously, I can google for XSS, and I have, but another set of eyes is always great.
>>
>>
>>2c...
>>
>>
>
>When you get right down to it, if you use the basic precautions laid out
>in the relevant PHundamentals article
>(http://www.nyphp.org/phundamentals/storingretrieving.php), you will not
>need to 'strip' or 'filter' input to avoid breaking the application itself.
>
>There are very few reasons to strip or filter data:
>
>* if you need to echo user input to the browser as HTML, in which case
>best practice would be to vet the tags using a whitelist approach
>
>* if you are enforcing business rules (allowed values for a field, etc)
>
>* if you are outputting data to other systems (eg sending email headers)
>
>Provided you treat the data correctly, your program will see it as just
>that, data, regardless of the content. If certain input would break
>your system, it is the system which should be changed, not the data.
>
>Dan
>
Hey Dan, I totally agree with you, but I also note that errors are made
and systems are often coded by multiple people, most of whom do not have
the time to read through all of the code before adding or making changes
to part of the code. So in the name of "robustness" isn't it still a good
idea to sanitize everything? I think an optimization step might be to
remove unneeded sanitization, but it seems to be a relatively low-cost
safe practice to me.
-=john andrews
http://www.seo-fun.com
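To make the trade-off in this thread concrete, here is an added PHP example (not code from the thread or from the PHundamentals article): a switch() whitelist for the routing parameter as max describes, a blanket addslashes/strip_tags input filter, and Dan's alternative of leaving the data intact and encoding it for the output context. The sample inputs are constructed for the demonstration.

```php
<?php
// Added example: input "sanitizing" versus treating input as data.
declare(strict_types=1);

// Whitelist for a routing parameter (index.php?section=about): only known
// page names are accepted, everything else falls back to a default page.
function resolveSection(?string $section): string {
    switch ($section) {
        case 'about':
        case 'contact':
        case 'news':
            return $section;
        default:
            return 'home';
    }
}

// Blanket filter applied to every GET/POST value on the way in.
// This changes the stored data itself, whatever it was meant for.
function sanitizeOnInput(string $value): string {
    return addslashes(strip_tags($value));
}

// Output-context encoding: the stored value stays exactly as the user
// typed it; only the HTML rendering is escaped. For a database the
// equivalent is a prepared statement, not addslashes.
function encodeForHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: a legitimate name and a script injection.
$inputs = ["O'Reilly & Sons", '<script>alert(1)</script>'];

foreach ($inputs as $raw) {
    printf("raw:                %s\n", $raw);
    printf("sanitized on input: %s\n", sanitizeOnInput($raw));
    printf("encoded on output:  %s\n\n", encodeForHtml($raw));
}
// The input filter stores O\'Reilly & Sons, a backslash the user never
// typed, and it has to be undone before the value can be reused.
// htmlspecialchars leaves the data as O'Reilly & Sons and renders it as
// O&#039;Reilly &amp; Sons; the script tag renders as inert text either way.

printf("section: %s\n", resolveSection($_GET['section'] ?? null));  // home
```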