[Owasp-board] Banner Ads

Jeff Williams jeff.williams at owasp.org
Wed Jul 21 19:02:46 UTC 2010


Hans,

Sorry I can't be on the call. Thanks so much for pitching in.  The basic
problem is simple.  The application is taking user input and using it as the
target of a redirect response.  An attacker could abuse this by creating an
owasp.org URL that redirects users to malware.

One solution is to replace the parameter containing the target with a
placeholder, like "1", that can be used as an index into a list or map of
legit URLs on the server.  So you might have "sitea.org", "siteb.org" and
"sitec.org" in the list.  You put site=1 in the URL when you want to go to
sitea.org, site=2 for siteb.org, etc... The attacker has nothing to attack.

Thanks again. 

--Jeff

Jeff Williams, Chair
The OWASP Foundation
work: 410-707-1487
main: 301-604-4882
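
The redirect flaw Jeff describes above, next to the indexed-allowlist fix he proposes, as an added example. This is illustrative Python, not code from the thread or from OpenX (which the site actually ran); the allowlist entries, the fallback URL, the `url=`/`site=` parameter names and the sample query strings are all constructed for the example.

```python
# Added example (not from the thread or from OpenX): the open-redirect
# pattern described above, beside the indexed-allowlist fix.
from urllib.parse import parse_qs

# Constructed allowlist: the query parameter carries only an index, and the
# server owns the mapping from index to destination.
REDIRECT_TARGETS = {
    "1": "https://sitea.org/",
    "2": "https://siteb.org/",
    "3": "https://sitec.org/",
}
# Where to send anyone whose index is missing or unknown (constructed value).
FALLBACK = "https://owasp.org/"


def vulnerable_target(query: str) -> str:
    """The flaw as described: whatever arrives in ?url= becomes the redirect."""
    params = parse_qs(query)
    return params.get("url", [FALLBACK])[0]


def safe_target(query: str, targets=REDIRECT_TARGETS) -> str:
    """The fix: ?site=N is a lookup key; anything not in the table falls back."""
    params = parse_qs(query)
    site = params.get("site", [""])[0].strip()
    # A dict lookup means a full URL, a path, or an unknown number pasted into
    # site= all resolve to FALLBACK rather than to a caller-chosen destination.
    return targets.get(site, FALLBACK)


def is_allowed(location: str, targets=REDIRECT_TARGETS) -> bool:
    """Check a computed Location header against the allowlist (exact match)."""
    return location == FALLBACK or location in targets.values()


# Constructed sample query strings, including the abuse case from the thread.
SAMPLE_QUERIES = [
    "url=https://sitea.org/",
    "url=https://malware.example/",
    "site=1",
    "site=2",
    "site=9",
    "site=https://malware.example/",
    "",
]


def audit(queries=SAMPLE_QUERIES):
    """Return (query, vulnerable Location, allowed?, safe Location, allowed?) rows."""
    rows = []
    for q in queries:
        v = vulnerable_target(q)
        s = safe_target(q)
        rows.append((q, v, is_allowed(v), s, is_allowed(s)))
    return rows


if __name__ == "__main__":
    for q, v, v_ok, s, s_ok in audit():
        print(f"{q or '<none>':34} vulnerable -> {v:30} {'ok' if v_ok else 'OPEN REDIRECT'}")
        print(f"{'':34} indexed    -> {s:30} {'ok' if s_ok else 'OPEN REDIRECT'}")
```

Running the block prints one pair of lines per sample query: the `url=` version emits whatever it was handed, while the `site=` version can only ever produce a value from the server-side table or the fallback. Exact-match checking in `is_allowed` is deliberate; prefix or substring checks on URLs are a common way to reintroduce the problem.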

-----Original Message-----
From: Hans Zaunere [mailto:hans.zaunere at nyphp.com] 
Sent: Wednesday, July 21, 2010 2:01 PM
To: Laurence Casey; Laurence Casey; 'Tom Brennan'
Cc: jeff.williams at owasp.org; matt.tesauro at owasp.org; alison at owasp.org;
owasp-board at lists.owasp.org
Subject: RE: [Owasp-board] Banner Ads

I can make this work but please reach me on 646 736 1300

H

> -----Original Message-----
> From: Laurence Casey [mailto:larry.casey at owasp.org]
> Sent: Wednesday, July 21, 2010 2:01 PM
> To: Hans Zaunere; Laurence Casey; 'Tom Brennan'
> Cc: jeff.williams at owasp.org; matt.tesauro at owasp.org; alison at owasp.org;
> owasp-board at lists.owasp.org
> Subject: RE: [Owasp-board] Banner Ads
> 
> Hans,
> 
> I can talk at 2PM, which is right now:) If we wait until 5PM, I may be in
> the car driving. Either way works for me. Jeff will not need to be in on the
> call.
> 
> 301-604-4882
> 
> -----Original Message-----
> From: Hans Zaunere [mailto:hans.zaunere at nyphp.com]
> Sent: Tuesday, July 20, 2010 7:46 PM
> To: Laurence Casey; Tom Brennan
> Cc: larry.casey at owasp.org; jeff.williams at owasp.org;
> matt.tesauro at owasp.org;
> alison at owasp.org; owasp-board at lists.owasp.org
> Subject: RE: [Owasp-board] Banner Ads
> 
> > We could discuss what we would like to see happen to fix the problem.
> > I am free all this week. Can you suggest a time and we will see if
> > Jeff can join in ?
> 
> How would 2pm or 5pm EDT tomorrow, Wed. work?
> 
> Do you have any written requirements yet?  Is it a problem/bug or functional
> changes?
> 
> > You asked for access to the server in order to make the change. This
> > is a live server and it would be preferred that changes be made on a
> > local box. We are using the source directly from OpenX. I can dump the
> > database so you have a quick setup on a local machine if you would
> > like?
> 
> We could work on our development server, but would need your current
> codebase and the relevant database dumps.  If there are other developers
> making changes on the site, we'd need to figure out the best way to push
> changes back live.
> 
> H