Comments on: Some simple XSS Attacks by Example http://ericfarraro.com/?p=8 Software development in the daily life of Eric Farraro Sun, 05 Sep 2010 17:04:40 +0000 http://wordpress.org/?v=2.0.4 by: Matt http://ericfarraro.com/?p=8#comment-2106 Tue, 12 Dec 2006 23:19:38 +0000 http://ericfarraro.com/?p=8#comment-2106 Not sure inserting javascript (client side code) into the html is the best example of the security issues on this but I guess the point is made. Not sure inserting javascript (client side code) into the html is the best example of the security issues on this but I guess the point is made.

]]> by: GraemeL http://ericfarraro.com/?p=8#comment-96 Thu, 28 Sep 2006 11:16:32 +0000 http://ericfarraro.com/?p=8#comment-96 As Vijay says, you must perform all validation and sanitization on the server side, even if you (think) you've already done it on the client. Every programmer should know the three golden rules for programming on the web: Rule 1: Never trust the client. Rule 2: Never trust the client. Rule 3: Never trust the client. As Vijay says, you must perform all validation and sanitization on the server side, even if you (think) you’ve already done it on the client.

Every programmer should know the three golden rules for programming on the web:

Rule 1: Never trust the client.
Rule 2: Never trust the client.
Rule 3: Never trust the client.

]]> by: Computer Science Canada Blog » XSS and SQL Injections from user input http://ericfarraro.com/?p=8#comment-94 Thu, 28 Sep 2006 03:17:16 +0000 http://ericfarraro.com/?p=8#comment-94 [...] Having been stressing online forms of my fellow developers at work, and reading Eric Farraro's posts on Cross Site Scripting and his recent Google exploit, I figured just how important user input validation is, and the need to emphasise that. [...] […] Having been stressing online forms of my fellow developers at work, and reading Eric Farraro’s posts on Cross Site Scripting and his recent Google exploit, I figured just how important user input validation is, and the need to emphasise that. […]

]]> by: Vijay http://ericfarraro.com/?p=8#comment-87 Mon, 25 Sep 2006 15:34:32 +0000 http://ericfarraro.com/?p=8#comment-87 Basically all client side validations are useless, we can override them with ease. Either by modifying the page content using javascript, or by writing a program that does a direct POST to the form processor. All error processing needs to be shifted to server side, if you really wan't a 'secure' site. Client side validation is only to improve user experience. That is where AJAX can come to help, doing realtime validation without page reloads, yet doing it on the server side. Also we should check for %XX characters in the fields. If '' is blocked, some hackers may get around using %3C or %3E. Basically all client side validations are useless, we can override them with ease. Either by modifying the page content using javascript, or by writing a program that does a direct POST to the form processor. All error processing needs to be shifted to server side, if you really wan’t a ’secure’ site. Client side validation is only to improve user experience. That is where AJAX can come to help, doing realtime validation without page reloads, yet doing it on the server side. Also we should check for %XX characters in the fields. If ‘’ is blocked, some hackers may get around using %3C or %3E.

]]> by: Tony http://ericfarraro.com/?p=8#comment-86 Mon, 25 Sep 2006 13:09:57 +0000 http://ericfarraro.com/?p=8#comment-86 the ideas mentioned here are very similar to to SQL injection techniques, just substitute JavaScript for SQL. The bottom line is that all user input needs to be sanitized and checked. So - any suggestions for a 'secure' site that doesn't severely limit use experience? I used to have a LiveJournal blog until I got fed up with them turning everything off, and just installed my own WordPress. (Btw, Opera browser also allows one to edit page's contents and reload it from cache, just not as graphical as Firefox's plugin) the ideas mentioned here are very similar to to SQL injection techniques, just substitute JavaScript for SQL. The bottom line is that all user input needs to be sanitized and checked.

So - any suggestions for a ’secure’ site that doesn’t severely limit use experience? I used to have a LiveJournal blog until I got fed up with them turning everything off, and just installed my own WordPress.

(Btw, Opera browser also allows one to edit page’s contents and reload it from cache, just not as graphical as Firefox’s plugin)

]]>