[ale] restricting web input

Mike Harrison meuon at geeklabs.com
Wed May 6 08:16:04 EDT 2009


On Tue, 5 May 2009, Brian Pitts wrote:

> Paul Cartwright wrote:
>> so, you were here:
>> http://www.snopes.com/medical/toxins/plasticbottles.asp
>> and were able to cut & paste?
>> I'd sure like to know HOW?
>> without viewing page source, I haven't been able to copy anything from snopes.
>> using Iceweasel..
>>
>
> Disable javascript. It's easy to do on a per-site basis as you browse
> using Noscript. [0]

or the web developer toolbar or greasemonkey or .. or..

Do NOT rely ONLY on JavaScript for anything, duplicate the functions
in the code on the server app, detaint, reverify EVERYTHING.
Especially cookies.

I liked the idea of asking for the e-mail address on another page.
Simple, effective.


I have logged into sites, getting a "valid session id" cookie and a
"login/user" id as a cookie, and changing the login id and becoming
someone else..  My favorite was one where "seclevel" and "role"
were also cookies... Sad part: It was an internal website for a
large health care insurance company written in .ASP.

1. The application programmers were using functions that "stored things"
    but they did not have a clue how or where.
    It used a single cookie and stored the name/values in a list.
    This gets by MSIE's 20 cookie issue, and bad coders
    use it to store lots of crap they should not.
    The cookie's name:  HIPPA

2. Security was not a concern because it was an INTERNAL site,
    Human Resources Related.... See #3:

3. Drum roll please: Some employees had figured this out and were
    raising Cain with the system, in hilarious ways. One manager
    kept getting re-enrolled (daily) in 'Sexual Harassment' training courses.
    One employee apparently enrolled himself in every course in the system,
    took them, got perfect scores on every course and was promoted due to
    his excellent self-learning track record. Good news: He kept the job.
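The cookie-as-authorization pattern from the anecdote above, next to the server-side session handling the post recommends, as an added example (not code from the thread; the user table, roles, session store and key are constructed for the demo):

```python
import hashlib
import hmac
import secrets

# Constructed demo data (assumptions, not from the thread): a user table and a
# session store that lives only on the server.
USERS = {"alice": "employee", "bob": "manager"}
SESSIONS = {}                                            # session id -> {"user", "role"}
SECRET_KEY = b"constructed-demo-key-load-from-config"    # placeholder; load from config


def parse_cookies(header):
    """Turn a raw 'Cookie:' header ('a=1; b=2') into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def vulnerable_identity(cookie_header):
    """The anecdote's pattern: login and role are read straight from client-supplied
    cookies, so whatever the browser sends is trusted, edits included."""
    c = parse_cookies(cookie_header)
    return c.get("login"), c.get("role")


def create_session(username):
    """Hardened: the browser only gets an opaque, unguessable session id, plus an HMAC
    so forged ids are rejected before any lookup. Identity and role stay server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "role": USERS[username]}
    tag = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def hardened_identity(cookie_header):
    """Re-derive identity and role from the server-side store; any 'login' or 'role'
    cookie the client sends is simply ignored."""
    token = parse_cookies(cookie_header).get("session", "")
    sid, _, tag = token.rpartition(".")
    if not sid:
        return None
    expected = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):   # constant-time check
        return None
    session = SESSIONS.get(sid)
    if session is None:
        return None
    return session["user"], session["role"]
```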
