[Owasp-turkey] HTML/JS injection

Bedirhan Urgun urgunb at hotmail.com
Wed Nov 7 09:34:00 EST 2007


 
Hello,
Suppose I have a program fragment like the one below (it could have been in any other language; let it be Java this time);
 
private String filterText(String filterMe) {
    String filteredMe = "";
    int index = 0;
    while (index < filterMe.length()) {
        // whitelist check: the character is kept if any of the conditions below hold
        if (filterMe.charAt(index) == '(' || filterMe.charAt(index) == ')' ||
            filterMe.charAt(index) == '\\' || filterMe.charAt(index) == ' ' ||
            filterMe.charAt(index) == '@' || filterMe.charAt(index) == '+' ||
            filterMe.charAt(index) == '&' || filterMe.charAt(index) == '^' ||
            filterMe.charAt(index) == '.' || filterMe.charAt(index) == ',' ||
            filterMe.charAt(index) == ':' || filterMe.charAt(index) == '-' ||
            (filterMe.charAt(index) >= 'a' || filterMe.charAt(index) <= 'z') ||
            filterMe.charAt(index) == '*' || filterMe.charAt(index) == '%' ||
            filterMe.charAt(index) == '_' || filterMe.charAt(index) == '/' ||
            filterMe.charAt(index) == '?' ||
            (filterMe.charAt(index) >= '0' || filterMe.charAt(index) <= '9'))
            filteredMe += filterMe.charAt(index);
        index++;
    }
    return filteredMe;
}
 
and in my pages I have fragments like the following;
 
1. inside HTML;
...<p><%= request.getParameter("paramForFilterMe") %></p>
...
 
2. inside <script> tags;
...
function myFunc() {
    myObj.test = "<%= request.getParameter("paramForFilterMe") %>";
    // ...
}
...
 
Let the paramForFilterMe parameter pass only through the filterMe method at the very top, for validation purposes. You have probably solved it already, but my question is:
 
What is the HTML/JS injection situation for fragments 1 and 2?
 
P.S.: The code above is entirely imaginary. :)
 
bedirhan
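Added example, not code from the original post. It re-types the posted whitelist with its logic unchanged (the "||" inside the a-z and 0-9 range checks is kept exactly as posted), puts the same whitelist with "&&" ranges next to it, and adds two minimal hand-written output encoders for the post's two output contexts: HTML body text (fragment 1) and a double-quoted JavaScript string literal (fragment 2). The encoders and the sample parameter value are this example's own constructions, not a library and not anything from the post; the posted JSP fragments themselves echo request.getParameter directly, so the example also shows where an encoder would sit in each of them.

```java
import java.util.function.IntPredicate;

public class FilterDemo {

    // The posted whitelist, logic unchanged. "(c >= 'a' || c <= 'z')" is true for
    // every character (any char is either >= 'a' or <= 'z'), so nothing is ever dropped.
    static boolean isAllowedAsPosted(int c) {
        return c == '(' || c == ')' || c == '\\' || c == ' ' || c == '@' || c == '+'
            || c == '&' || c == '^' || c == '.' || c == ',' || c == ':' || c == '-'
            || (c >= 'a' || c <= 'z')   // as posted: always true
            || c == '*' || c == '%' || c == '_' || c == '/' || c == '?'
            || (c >= '0' || c <= '9');  // as posted: always true as well
    }

    // Same whitelist with the ranges written as intended ("&&").
    // It now drops '<', '>' and '"', but '\\', '/' and '?' are still allowed.
    static boolean isAllowedFixed(int c) {
        return c == '(' || c == ')' || c == '\\' || c == ' ' || c == '@' || c == '+'
            || c == '&' || c == '^' || c == '.' || c == ',' || c == ':' || c == '-'
            || (c >= 'a' && c <= 'z')
            || c == '*' || c == '%' || c == '_' || c == '/' || c == '?'
            || (c >= '0' && c <= '9');
    }

    // Keeps only the characters the predicate accepts; drops the rest.
    static String filter(String in, IntPredicate allowed) {
        StringBuilder out = new StringBuilder(in.length());
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            if (allowed.test(c)) out.append(c);
        }
        return out.toString();
    }

    // Context 1, HTML body text: the characters that can change HTML structure
    // become entities; everything else passes through unchanged.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Context 2, inside a double-quoted JS string literal: every character outside
    // [A-Za-z0-9] becomes a JavaScript Unicode escape (backslash, 'u', four hex digits),
    // so neither a closing quote nor a "</script>" sequence can appear in the output.
    static String encodeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                         || (c >= '0' && c <= '9');
            if (alnum) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value for paramForFilterMe: it carries a tag and a double quote.
        String param = "<i>it</i>\" + x + \"";

        // The posted check lets every character through, so this equals the input.
        System.out.println(filter(param, FilterDemo::isAllowedAsPosted));
        // The "&&" version drops the tag brackets and the quotes.
        System.out.println(filter(param, FilterDemo::isAllowedFixed));

        // What the two fragments from the post would emit with an encoder for each context.
        System.out.println("<p>" + encodeForHtml(param) + "</p>");
        System.out.println("myObj.test = \"" + encodeForJsString(param) + "\";");
    }
}
```

Run it with `javac FilterDemo.java && java FilterDemo`. The point of pairing the two encoders with the whitelist is that the safe character set depends on where the value lands: `/` and `\` are harmless in HTML body text but meaningful inside a JavaScript string literal, so one shared character filter cannot be correct for both fragments, while a per-context encoder applied at the output point is.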