Sunday 15 April 2012

Security out of the box

A small experiment. Take the following simple HTML file which allows a user to enter a value in a HTML form and submit it:
<HTML>
<BODY> 
<BR>

<BR><BR>
Submit something:
<BR>
<FORM method="post">
   <input type="text" size="100" name="namexss" ><br>
   <input type="submit" name="submit" value="Submit Form"><br>
</FORM>

</BODY> 
</HTML>

PHP

If you name this file testxss1.php and submit a simple XSS-type attack string through the form, as shown, then when you press Submit Form the form is accepted and PHP doesn't complain.

ASP.NET

If you name this file testxss1.aspx and submit the same XSS attack string, you will get a nice error:
ASP.NET's request validation recognizes that an XSS attack was attempted and blocks it by default.
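To make the difference concrete, here is an added example (not from the original post) of what testxss1.php looks like once the developer adds the protection that ASP.NET supplies out of the box. It keeps the same form, adds a request_validation() check that approximates ASP.NET's "potentially dangerous" heuristic (an assumption about that heuristic, not the framework's own code), and HTML-encodes the value before it is written back to the page, which is the protection that actually prevents reflected XSS whatever the framework does. It targets PHP 5.3 or later and uses only standard functions.

```php
<?php
// Added example, not the original post's file. Shows the checks a PHP page
// must add itself, because PHP performs no request validation by default.

// Approximation (assumption) of ASP.NET 4 request validation: reject a '<'
// followed by a letter, '!', '/' or '?', and the '&#' entity prefix.
function looks_dangerous($value)
{
    return preg_match('/<[a-zA-Z!\/?]|&#/', $value) === 1;
}

// Returns the name of the first offending field, or null if all are clean.
function request_validation(array $fields)
{
    foreach ($fields as $name => $value) {
        if (is_string($value) && looks_dangerous($value)) {
            return (string) $name;
        }
    }
    return null;
}

// Output encoding for an HTML body context: & < > " ' become entities.
// This is the defence that matters; the heuristic above is only a backstop.
function encode($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $bad = request_validation($_POST);
    if ($bad !== null) {
        // Behave like ASP.NET: reject the request and do not echo the raw value.
        http_response_code(400);
        $message = 'A potentially dangerous value was detected in field '
                 . encode($bad) . '.';
    } else {
        $submitted = isset($_POST['namexss']) ? (string) $_POST['namexss'] : '';
        $message = 'You submitted: ' . encode($submitted);
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<p><?php echo $message; ?></p>
Submit something:<br>
<form method="post">
   <input type="text" size="100" name="namexss"><br>
   <input type="submit" name="submit" value="Submit Form"><br>
</form>
</body>
</html>
```

Two things are worth noticing. First, the original file never writes the submitted value back into the page, so in PHP nothing is reflected either way; the encode() call is what keeps any page that does echo input safe. Second, a heuristic like ASP.NET's is a blocklist: it stops the obvious `<script>` style strings, but encoding on output is what removes the vulnerability class, so the two should be combined rather than relying on the framework's filter alone.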

Conclusion

It shows how different frameworks offer different levels of security "out of the box". This is the exact same file, but run it through ASP.NET and you get better XSS protection. It's important that you understand the security features that your chosen technologies offer you.


These tests used default installations of ASP.NET version 4 and PHP version 5.3.3 running locally on IIS. It is not very scientific and is not intended to show that any framework is better than another. The aim is to show that different products support security in different manners and that development teams need to understand their specific chosen products.
