Sunday 15 April 2012

Security out of the box

A small experiment. Take the following simple HTML file which allows a user to enter a value in a HTML form and submit it:

Submit something:
<FORM method="post">
   <input type="text" size="100" name="namexss" ><br>
   <input type="submit" name="submit" value="Submit Form"><br>



 If you name this file  testxss1.php and execute it using a simple XSS type attack as shown
When you press Submit Form, the form is accepted and PHP doesn't complain.


If you name this file testxss1.aspx and execute it using the same XSS attack string, you will get a nice error: recognizes that an XSS attack was attempted and per default blocks it.


It shows how different frameworks offer different levels of security"out of the box". This is the exact same file. But run it through and you get better XSS protection.  It's important that you understand the security features that your chosen technologies offer you.

These tests used default versions of version 4 and php version 5.3.3 installed locally on IIS. It is not very scientific and is not intended to show that any framework is better than another. The aim is to show that different products support security in different manners and that development teams need to understand their specific chosen products.


Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot

No comments:

Post a Comment