I am beginning what appears to be the daunting task of securing all of my code from injections, XSS, etc. I have been reading about some of it and it is a bit overwhelming. I just wanted to come here and ask for experts' advice on the main things I should be concerned about specifically. There is so much on the Net about all of this I am not sure where to begin and I am sure I will miss something and leave at least one (if not multiple) vulnerabilities in my code, hence, allowing anyone access to my DB/tables. …

+0 forum 12
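The two controls that close most of the holes this post worries about are parameterised queries (for injection into the database) and escaping at output time for the context the data lands in (for XSS). The following is an added PHP example, not code from the thread; it builds its own table and rows in an in-memory SQLite database so it runs stand-alone, and assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed data: an in-memory SQLite table standing in for the poster's DB.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real placeholders where the driver supports them
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$db->exec("INSERT INTO users (name, bio) VALUES
           ('alice', 'hello'), ('bob', '<script>alert(1)</script>')");

// VULNERABLE: the user-supplied value is pasted into the SQL text, so a quote
// in the input changes the query instead of being compared as data.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, bio FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the SQL text is fixed and the value is bound as a parameter; no
// amount of quoting in $name can alter the statement.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for an HTML text node or a quoted attribute value. ENT_QUOTES covers
// both quote characters; the explicit charset avoids multibyte surprises.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$payload = "x' OR '1'='1";
// The concatenated query now reads: WHERE name = 'x' OR '1'='1' (every row matches).
printf("unsafe query matched %d row(s)\n", count(findUserUnsafe($db, $payload)));
// The bound query looks for a user literally named "x' OR '1'='1".
printf("safe query matched %d row(s)\n", count(findUserSafe($db, $payload)));

// Bob's bio is stored as-is; escaping on output renders the tag as text.
foreach (findUserSafe($db, 'bob') as $row) {
    echo '<li>', h($row['name']), ': ', h($row['bio']), "</li>\n";
}
```

Note that the stored data is not "cleaned" on the way in: the database holds bob's bio verbatim, and the same value could later be placed into JSON, a URL or a SQL query, each of which needs its own encoding. Escaping where the value is used, rather than one filter on input, is what makes the remaining posts on this page tractable.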

You may be wondering what a superfecta actually is, and the answer is: the most dangerous and serious threat to business. To clarify, the superfecta as defined by secure cloud hosting outfit FireHost is a group of four attack vectors that comprises Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection and Directory Traversal. Cross-Site Request Forgery (CSRF) is an attack mode that forces the end user to execute an unwanted action on a web application in which they are currently authenticated. Cross-Site Scripting (XSS) involves the insertion of malicious code into webpages in order to manipulate website visitors. …

+3 forum 5
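The post names four attack classes but shows no defence. The following added PHP example (not from the article or from FireHost) covers the two that the rest of this page does not: a per-session CSRF token compared in constant time, and a directory traversal guard that checks the resolved path rather than the raw input. It assumes PHP 8; `$session` stands in for `$_SESSION` so it runs from the CLI, and the temporary directory and files are constructed by the script itself.

```php
<?php
declare(strict_types=1);

// --- CSRF -------------------------------------------------------------------
// One random token per session, emitted in every state-changing form and
// compared on submit. A forged cross-site request cannot read the token, so
// it cannot supply it.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf" value="' . $token . '">';
}

function csrfValid(array $session, array $post): bool
{
    if (empty($session['csrf']) || !isset($post['csrf']) || !is_string($post['csrf'])) {
        return false;
    }
    return hash_equals($session['csrf'], $post['csrf']); // constant-time compare
}

// --- Directory traversal ----------------------------------------------------
// Looking for "../" in the input is not enough (encodings, symlinks). Resolve
// the path the filesystem will actually open, then prove it is still inside
// the base directory.
function safePath(string $baseDir, string $userPath): ?string
{
    if (str_contains($userPath, "\0")) {
        return null;                                  // null-byte truncation tricks
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        return null;                                  // missing file or unresolvable path
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// --- Demonstration with constructed data -----------------------------------
$session = [];
echo csrfField($session), "\n";
var_dump(csrfValid($session, ['csrf' => $session['csrf']]));        // genuine form submit
var_dump(csrfValid($session, ['csrf' => 'forged-by-another-site'])); // attacker's guess
var_dump(csrfValid($session, []));                                   // token omitted

$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4)); // hypothetical upload dir
mkdir($dir);
file_put_contents($dir . '/notes.txt', 'hello');
var_dump(safePath($dir, 'notes.txt'));                // stays inside the base directory
var_dump(safePath($dir, '../../etc/passwd'));         // resolves outside it
var_dump(safePath($dir, "notes.txt\0.jpg"));          // embedded null byte
unlink($dir . '/notes.txt');
rmdir($dir);
```

`realpath()` only resolves paths that exist, which is the right behaviour for serving files but means a path for a file about to be created must be checked against its parent directory instead. For CSRF, the token check belongs on every request that changes state, including ones issued via `GET`, which is one more reason to keep state changes on `POST`.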

Hello, how can we bypass a filter that checks "<>" in order to perform an XSS attack? Thanks in advance, Begueradj

+0 forum 0
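The reason a "<>" filter is not a defence is that angle brackets are only needed when the payload has to create a new element. When the value is reflected into an existing attribute or into a URL, the attacker closes the attribute or supplies a `javascript:` scheme and never types a bracket. The following added PHP example (not from the thread) renders two hypothetical templates with the same bracket-stripping filter and then with context-aware escaping; both inputs are constructed and contain no `<` or `>`.

```php
<?php
declare(strict_types=1);

// The kind of filter the question describes: it only removes angle brackets.
function stripAngles(string $s): string
{
    return str_replace(['<', '>'], '', $s);
}

// VULNERABLE: trusts stripAngles() but puts the value into an attribute and
// into a URL, two contexts where a payload needs no brackets at all.
function renderUnsafe(string $q, string $link): string
{
    $q    = stripAngles($q);
    $link = stripAngles($link);
    return '<input name="q" value="' . $q . '">' . "\n"
         . '<a href="' . $link . '">profile</a>';
}

// Escape for a quoted HTML attribute: the closing quote becomes &quot;, so the
// browser never sees a new attribute.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escaping cannot fix a URL context on its own: "javascript:" is plain text.
// Allow only http(s) absolute URLs or site-relative paths (not "//host").
function safeUrl(string $url): string
{
    return preg_match('#^(https?://|/(?!/))#i', $url) === 1 ? $url : '#';
}

function renderSafe(string $q, string $link): string
{
    return '<input name="q" value="' . attr($q) . '">' . "\n"
         . '<a href="' . attr(safeUrl($link)) . '">profile</a>';
}

// Constructed inputs, neither of which contains '<' or '>'.
$q    = '" autofocus onfocus="alert(document.domain)';
$link = 'javascript:alert(document.domain)';

echo "--- bracket filter only ---\n", renderUnsafe($q, $link), "\n\n";
echo "--- escaped per context ---\n", renderSafe($q, $link), "\n";
```

In the first output the `value` attribute is terminated early and an event handler attribute is injected; in the second, the whole string stays inside the quoted value and the link collapses to `#`. The general rule is that the filter has to know where the data is going; a single input filter cannot.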

I am working towards the goal of a social site; however, being a beginner, I have many questions I need to answer before getting anywhere! One of these is in regards to embeddable scripts/web apps/widgets. I would like to allow the users of the site to upload web apps or widgets that can be used on blogs and as standalone apps. However, I'm worried about a few things: 1) security (how to avoid SQL injection (this one probably isn't much of a worry), XSS etc.) and also 2) how to go about storing/hosting. I would like to be able …

+0 forum 6

How can I prevent an XSS attack but allow users to post iframe and img? My page is PHP based, but I allow users to submit text and have allowed only iframes and imgs with `strip_tags`. How do I prevent a user from launching an XSS attack?

+0 forum 4

This is for Laravel 3.*. Hello, with this snippet I'm providing a simple way to automatically filter `Input::get()` and `Input::old()`. To achieve this result we need to make a few changes:

* extend the Input and Redirect classes by creating new files in `application/libraries/`; the files are **input.php** and **redirect.php**;
* comment out the aliases of these classes in the `application/config/application.php` file, otherwise the application will ignore the extended libraries.

The extended Input class overwrites `Input::query()` so it can use the new method `Input::sanitize()`, which is where you can place your filters. In this example I'm using `filter_var_array()`: `public static function sanitize($array) …`

+1 forum 0

Hi. I was wondering if somebody could help me. I'm looking for a PHP function to check GET and POST methods for any type of hack or injection, i.e. XSS, PHP, Java, HTML, MySQL injection. The function needs to check the GET or POST methods prior to using them and checking against the database. I would be grateful if somebody could give me an example of how to achieve this. Thanks

+0 forum 2

Hello, I was reading web security stuff and found that a user can inject malicious code, mostly JS, in forms. Now, what about CKFinder/TinyMCE et al? They obviously produce HTML, and any stripping will destroy the article formatting. Bad enough, they have a "code mode" where the user can enter HTML directly. Suppose my system is compromised (which is security thinking); what guards can I put in place to ensure minimum damage? Thanks :)

+0 forum 4
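Both the earlier "allow iframe and img" post and this CKFinder/TinyMCE post have the same answer: `strip_tags()` with an allowlist keeps every attribute of the allowed tags, including `onerror` and `javascript:` URLs, so it cannot be the guard. What works is parsing the HTML and rebuilding it from an allowlist of elements and attributes, with URL attributes checked separately. The following is an added PHP example written for this page, not code from either thread or from either editor; it assumes PHP 8 with the DOM extension, and the allowlists, the embed host and the sample input are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

final class HtmlAllowlist
{
    /**
     * @param array<string, list<string>> $allowed      tag => attributes that may survive
     * @param list<string>                $iframeHosts  hosts an <iframe src> may point to
     */
    public function __construct(private array $allowed, private array $iframeHosts = []) {}

    public function clean(string $html): string
    {
        $doc = new DOMDocument();
        libxml_use_internal_errors(true);
        // Wrap the fragment in a known container and force UTF-8 for the parser.
        $doc->loadHTML('<?xml encoding="UTF-8"><div id="__root">' . $html . '</div>',
            LIBXML_NONET | LIBXML_NOWARNING | LIBXML_NOERROR);
        libxml_clear_errors();
        $out = '';
        foreach ($doc->getElementById('__root')->childNodes as $child) {
            $out .= $this->render($child);
        }
        return $out;
    }

    private function render(DOMNode $node): string
    {
        if ($node instanceof DOMText) {                 // text is re-escaped, never trusted
            return htmlspecialchars($node->data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        if (!$node instanceof DOMElement) {
            return '';                                  // comments, processing instructions
        }
        $tag = strtolower($node->tagName);
        if ($tag === 'script' || $tag === 'style') {
            return '';                                  // drop the content, not just the tag
        }
        $inner = '';
        foreach ($node->childNodes as $child) {
            $inner .= $this->render($child);
        }
        if (!isset($this->allowed[$tag])) {
            return $inner;                              // unknown element: keep its text, drop the tag
        }
        $attrs = '';
        foreach ($this->allowed[$tag] as $name) {       // only listed attributes; handlers never qualify
            if (!$node->hasAttribute($name)) {
                continue;
            }
            $value = $node->getAttribute($name);
            if (in_array($name, ['src', 'href'], true) && ($value = $this->safeUrl($tag, $value)) === null) {
                continue;
            }
            $attrs .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
        }
        if ($tag === 'img' || $tag === 'br') {
            return "<$tag$attrs>";
        }
        if ($tag === 'iframe') {                        // embeds never carry user-supplied content
            return "<iframe$attrs sandbox=\"allow-scripts allow-same-origin\"></iframe>";
        }
        return "<$tag$attrs>$inner</$tag>";
    }

    private function safeUrl(string $tag, string $url): ?string
    {
        $p = parse_url(trim($url));
        if ($p === false || !isset($p['scheme'], $p['host'])) {
            return null;                                // require an absolute URL
        }
        if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
            return null;                                // rejects javascript:, data:, vbscript:
        }
        if ($tag === 'iframe' && !in_array(strtolower($p['host']), $this->iframeHosts, true)) {
            return null;                                // embeds only from listed hosts
        }
        return $url;
    }
}

// Constructed untrusted input mixing what both posts worry about.
$untrusted = <<<'HTML'
<p onclick="steal()">Hi <b>there</b><script>alert(1)</script> <i>italic</i></p>
<img src="javascript:alert(1)" onerror="alert(2)"><img src="https://cdn.example.net/a.png" alt="fine">
<iframe src="https://evil.example/x"></iframe><iframe src="https://www.youtube.com/embed/abc" width="560"></iframe>
<a href="data:text/html,x">bad link</a> <a href="https://example.org/">ok link</a>
HTML;

// First post: only images and embeds, embeds only from one hypothetical host.
$embedsOnly = new HtmlAllowlist(['img' => ['src', 'alt'], 'iframe' => ['src', 'width', 'height']],
                                ['www.youtube.com']);
echo $embedsOnly->clean($untrusted), "\n\n";

// Second post: keep the editor's formatting, but attributes only where listed.
$richText = new HtmlAllowlist(['p' => [], 'b' => [], 'i' => [], 'strong' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'br' => [], 'a' => ['href'], 'img' => ['src', 'alt']]);
echo $richText->clean($untrusted), "\n";
```

The `sandbox` attribute on the rebuilt iframe is a deliberate policy choice for this example (it keeps the embed from navigating the top page or opening popups); add or remove tokens to suit the hosts you allow. Even with a sanitizer in place, the "system is compromised" question is answered by the same output discipline: the sanitizer runs when the HTML is rendered, not only when it is saved, so a database row edited directly by an attacker still goes through it.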

Hi all, this is my first time posting in this forum (disclaimer: please let me know if this is not the right place to post this). I'm turning to the Linux server discussion gurus for some sagely advice :) I have a VPS web server running CentOS with Apache and all the other good web server jazz. The main website hosted on the server is http://jettisonquarterly.com (IP: http://184.82.106.92). Lately I've noticed (by stumbling across it in a Google search when testing my SEO) that another domain (http://42639104591279053.forth.arraymultisort.info or really http://any_string.forth.arraymultisort.info/) is apparently forwarding all requests to my IP address. The reason …

+0 forum 5
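Anyone can point a DNS name at any IP address; what the server owner controls is which `Host` names Apache will answer for. Apache serves a request whose `Host` header matches no `ServerName`/`ServerAlias` from the first `<VirtualHost>` defined for that address and port, so if the real site is the first one, it is the one the foreign domain gets. The following is an added configuration sketch (not the poster's configuration) that makes the default vhost a catch-all which refuses unknown names; it assumes Apache 2.4 and a hypothetical `DocumentRoot`.

```apache
# First VirtualHost for *:80 = the default. It matches any Host header that
# no later ServerName/ServerAlias claims, including foreign DNS names that
# happen to resolve to this IP, and refuses them.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Location />
        Require all denied
        # Apache 2.2 equivalent:
        #   Order deny,allow
        #   Deny from all
    </Location>
    # Alternative if you would rather harvest the traffic than drop it:
    #   Redirect permanent / http://jettisonquarterly.com/
</VirtualHost>

# The real site, matched only on its own names.
<VirtualHost *:80>
    ServerName jettisonquarterly.com
    ServerAlias www.jettisonquarterly.com
    DocumentRoot /var/www/jettisonquarterly   # assumed path
</VirtualHost>
```

Check which vhost Apache treats as the default with `apachectl -S` (it prints "default server" next to the first one for each address:port). Once the catch-all is in place, the foreign name still resolves to the IP but receives a 403, so search engines stop indexing the site's content under it; if the same content must never be reachable by IP address alone, the IP literal falls into the same catch-all.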

Hello folks, in short, this code is vulnerable:

```html
<div class="search">
  <form action="/search" method="get" name="header_search">
    <label>{l t='Search Business'} <input name="searchtext" type="text" id="searchtext" placeholder="{l t='e.g.Marriott'}" /></label>
    <label>{l t='City'} <input name="cityname" type="text" id="Hsearchcity" autocomplete="off" placeholder="{l t='All Cities'}" class="commentColor cityname"/> </label>
    <a onclick="header_search.submit()" href="javascript:void(0)">{l t='Search'}</a>
  </form>
</div>
```

I have been trying to implement the unhtmlentities() or htmlspecialchars() functions with no success; how can it be done, please?

+0 forum 21

Sandro Gauci, founder of EnableSecurity (http://enablesecurity.com), has revealed that six years on from his 2002 report into extended HTML form attacks the problem has simply refused to go away. The original report included details of how attackers could abuse non-HTTP protocols in order to launch Cross Site Scripting attacks, even in a situation where the target web application was not itself vulnerable to XSS. This applied to most web browsers at the time. Now, he says, not much has changed (http://enablesecurity.com/2008/06/18/the-extended-html-form-attack-revisited/). "Six years later I'm releasing an update to this research in this paper. This security vulnerability still affects popular web browsers …

+0 forum 0
