Thanks,
Ron
Re: JavaScript In URL
From: Ron Wilson
To: Marty Cantwell
Thanks,
Ron
Can you tell me how the code snippet is getting returned back to the client? For example, do you include the URL that was originally called as part of the error message returned?
Marty
I have been a long-time customer. I have an application that I wrote in 2005 that is still running today. Thank you for the great product.
Recently my customer has put my application under a security review. They spent two weeks pounding on it with some pretty powerful tools. They are a Fortune 100 company.
A strong testament to your product, and I guess to my implementation of it, is that they only found one issue.
The issue is that if the URL gets hijacked after leaving their server and before reaching my server, and JavaScript is added to the URL, I return that JavaScript in my response to the user.
There are four parameters in the URL; the JavaScript causes an error in my application, and I return an error page in the result with the response.standardpage method.
The issue is that I am returning the JavaScript back to the end user from my response. Currently I am using the response.redirect method to exit the request in the event that it contains JavaScript.
How can I replace the URL, when I push a response, with a URL from which I have parsed out any code-based characters like <>();[]|?
An example would be:
The security review was escalated to two team members. It was interesting to watch all that they tried. No confidential information was acquired in all of the testing. Due to the size limitations of the URL and the required parameters of the application, the amount of JavaScript that the URL could contain is very limited. But they found this to be a high-risk flaw.
I am using version 4.6. I know I need to upgrade; it has worked flawlessly!
Any help you could provide to resolve this issue would be greatly appreciated.
Thanks,
Ron
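The fix Ron is asking about, worked through as an added example. This is not Ron's code and does not model the product's response.standardpage or response.redirect API; it is plain Python with four illustrative parameter names and patterns that are assumptions, not the real application's. It shows why stripping a list of "code" characters such as <>();[]| is not a reliable defence (a payload that breaks out of an attribute needs none of them), and what to do instead: validate each parameter against a strict pattern, report only the parameter name on the error page, HTML-escape anything untrusted that must be echoed, and rebuild any redirect URL from validated values only.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode

# Assumed for this example: the application's four query parameters and a strict
# pattern for each. The names and patterns are illustrative, not Ron's real ones.
PARAM_RULES = {
    "custid": re.compile(r"[0-9]{1,10}"),
    "order":  re.compile(r"[A-Z0-9-]{1,20}"),
    "page":   re.compile(r"[0-9]{1,4}"),
    "lang":   re.compile(r"[a-z]{2}"),
}

# The character list from the post, used only to show that a blacklist is not enough.
BLACKLIST = set("<>();[]|")


def strip_blacklist(value):
    """The approach the post asks about: drop 'code-looking' characters.
    Kept here for contrast; a payload such as '" autofocus onfocus=alert`1` x="'
    passes through untouched because it uses none of the listed characters."""
    return "".join(ch for ch in value if ch not in BLACKLIST)


def reflect_safely(value):
    """If an untrusted value really must appear in the HTML error page, escape it
    for an HTML text or attribute context. quote=True also escapes " and ', so the
    value cannot close an attribute and start an event handler."""
    return html.escape(value, quote=True)


def validate_params(query):
    """Parse the query string and check every expected parameter against its rule.
    Returns (clean, errors): clean holds only values that matched; errors holds the
    names of parameters that did not (never their raw values)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    clean, errors = {}, []
    for name, rule in PARAM_RULES.items():
        value = params.get(name, "")
        if rule.fullmatch(value):
            clean[name] = value
        else:
            errors.append(name)
    if set(params) - set(PARAM_RULES):
        errors.append("unexpected parameter")   # a fixed string, not the attacker's name
    return clean, errors


def error_page(query):
    """Build the error page for a bad request. Only parameter names and fixed text reach
    the markup, and even those go through reflect_safely, so a tampered URL can never
    place script in the response. Returns None when the request is valid."""
    clean, errors = validate_params(query)
    if not errors:
        return None
    items = "".join(f"<li>Invalid or missing parameter: {reflect_safely(e)}</li>" for e in errors)
    return f"<html><body><h1>Invalid request</h1><ul>{items}</ul></body></html>"


def safe_redirect_url(base, clean):
    """Rebuild a redirect target from validated values only. urlencode percent-encodes
    each value, and nothing from the raw query string is copied through."""
    return base + "?" + urlencode(clean)


if __name__ == "__main__":
    # Constructed tampered URL: script injected into one of the four parameters.
    tampered = "custid=<script>alert(1)</script>&order=AB-1&page=2&lang=en"
    print(error_page(tampered))
    clean, _ = validate_params("custid=123&order=AB-1&page=2&lang=en")
    print(safe_redirect_url("https://example.test/app", clean))
```

Run as a script it prints the error page for a tampered request (no `<script>` survives in it) and a rebuilt redirect URL for a clean request. The same pattern applies whatever the server-side language: decide per parameter what is allowed, refuse everything else without echoing it, and encode for the output context when echoing is unavoidable.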