securing client POSTs by Hernán Castelo

Hernán Castelo

hi
someone could send to my server
invalid or malicious POST packets.
THEN:
I go to validate "every" field
I will get them with "Request".Form or Cookie.
Is it appropriate?

and...
if an attacker appends to the post
"MyField" with its value
(surely a value that can break the service)
is the web server (IIS)
capable of ignoring the field?
or could it be dangerous?

thanks

--
atte,
Hernán Castelo
SGA - UTN - FRBA


Re: securing client POSTs by S

S
Thu Jul 15 04:51:43 CDT 2004

Please do not crosspost.
Yes, server-side input validation is crucial for secure Web applications.
You can filter out many probes by implementing URLscan on the server - but
for precise control, like in your MyField example, IIS or generic tools
can't help and you have to secure the application.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
.
"Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
news:OFan15aaEHA.3516@TK2MSFTNGP10.phx.gbl...
hi
someone could send to my server
invalid or malicious POST packets.
THEN:
I go to validate "every" field
I will get them with "Request".Form or Cookie.
Is it appropriate?

and...
if an attacker appends to the post
"MyField" with its value
(surely a value that can break the service)
is the web server (IIS)
capable of ignoring the field?
or could it be dangerous?

thanks

--
atte,
Hernán Castelo
SGA - UTN - FRBA
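As an added illustration of the point made in this reply and in the question above (this is not code from the thread, and it is generic Python rather than ASP/IIS code): an allow-list validator that treats both the posted form body and the Cookie header the way the reply recommends, checking every expected field inside the application itself and refusing any field the form never defined, which is exactly what happens to an appended "MyField", before its value is even looked at. The schemas, field names, size limits and the check_request helper are assumptions chosen for the example.

```python
"""Allow-list validation of client-supplied fields (POST form body and Cookie header).

Added, constructed example illustrating the thread's point: validate every expected
field server-side and reject anything unexpected (such as an appended "MyField")
instead of assuming the web server will ignore it. Generic Python, not IIS/ASP code;
the schemas, field names and limits below are made up for the example.
"""
import re
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 4096   # hypothetical size cap for this form
MAX_FIELDS = 20         # hypothetical cap on the number of name=value pairs

# Allow-list schema: field name -> (required, max_len, pattern the whole value must match)
FORM_SCHEMA = {
    "username": (True, 32, re.compile(r"[A-Za-z0-9_]+")),
    "email":    (True, 254, re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")),
    "age":      (False, 3, re.compile(r"[0-9]{1,3}")),
}
COOKIE_SCHEMA = {
    "session": (True, 64, re.compile(r"[A-Fa-f0-9]{32,64}")),
}


class FieldError(ValueError):
    """Raised for any body or cookie the application should refuse."""


def parse_form_body(raw: bytes) -> list[tuple[str, str]]:
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs."""
    if len(raw) > MAX_BODY_BYTES:
        raise FieldError("body too large")
    try:
        text = raw.decode("ascii")   # percent-encoded bodies are ASCII on the wire
    except UnicodeDecodeError as exc:
        raise FieldError("body is not ASCII") from exc
    if not text:
        return []
    try:
        # strict_parsing rejects malformed pairs (a bare "&" or a name with no "=");
        # max_num_fields bounds the parsing work done before any per-field check runs.
        return parse_qsl(text, keep_blank_values=True, strict_parsing=True,
                         max_num_fields=MAX_FIELDS)
    except ValueError as exc:
        raise FieldError(f"malformed body: {exc}") from exc


def parse_cookie_header(header: str) -> list[tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs without interpreting them."""
    pairs = []
    for item in header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name:
            raise FieldError(f"malformed cookie item {item!r}")
        pairs.append((name, value))
    return pairs


def validate_fields(pairs, schema) -> dict[str, str]:
    """Accept only fields named in the schema, each exactly once, each matching its rule."""
    accepted = {}
    for name, value in pairs:
        if name not in schema:
            # The "MyField" case from the thread: an unexpected field is refused
            # outright, whatever its value, rather than passed on or silently dropped.
            raise FieldError(f"unexpected field {name!r}")
        if name in accepted:
            raise FieldError(f"duplicate field {name!r}")
        _required, max_len, pattern = schema[name]
        if len(value) > max_len:
            raise FieldError(f"field {name!r} longer than {max_len} characters")
        if pattern.fullmatch(value) is None:
            raise FieldError(f"field {name!r} has an invalid value")
        accepted[name] = value
    for name, (required, _, _) in schema.items():
        if required and name not in accepted:
            raise FieldError(f"missing required field {name!r}")
    return accepted


def check_request(body: bytes, cookie_header: str) -> tuple[bool, str]:
    """Return (accepted, detail) for one request; detail names the first problem found."""
    try:
        form = validate_fields(parse_form_body(body), FORM_SCHEMA)
        cookies = validate_fields(parse_cookie_header(cookie_header), COOKIE_SCHEMA)
    except FieldError as exc:
        return False, str(exc)
    return True, f"ok: form={sorted(form)} cookies={sorted(cookies)}"


if __name__ == "__main__":
    # Constructed sample requests: one valid, then an appended MyField, a duplicated
    # field, an unexpected cookie, and a malformed body.
    good_cookie = "session=" + "ab" * 16
    samples = [
        (b"username=alice&email=alice%40example.org&age=30", good_cookie),
        (b"username=alice&email=alice%40example.org&MyField=anything", good_cookie),
        (b"username=alice&username=bob&email=a%40b.cd", good_cookie),
        (b"username=alice&email=a%40b.cd", good_cookie + "; tracker=1"),
        (b"username=alice&email=a%40b.cd&bad", good_cookie),
    ]
    for body, cookie in samples:
        print(check_request(body, cookie))
```

Refusing an unexpected field, rather than ignoring it, is a deliberate choice: a silently dropped field leaves no trace, whereas a refusal gives the application one place to log and count such requests. Running the block prints one (accepted, detail) line per constructed sample.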



Re: securing client POSTs by Banana

Banana
Thu Jul 15 22:38:21 CDT 2004

Slav, please do not crosspost, yet you did too?! ;)

To add, you really need to implement secure coding practices. For off-the-shelf
applications you are at the mercy (mostly) of the vendor, but there are
certain server-side tools you can implement. If you first want to
investigate the free ones, go to www.webattack.com/freeware and check out
the IIS tools section for starters.

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:eqK3cFlaEHA.4048@TK2MSFTNGP10.phx.gbl...
Please do not crosspost.
Yes, server-side input validation is crucial for secure Web applications.
You can filter out many probes by implementing URLscan on the server - but
for precise control, like in your MyField example, IIS or generic tools
can't help and you have to secure the application.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
.
"Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
news:OFan15aaEHA.3516@TK2MSFTNGP10.phx.gbl...
hi
someone could send to my server
invalid or malicious POST packets.
THEN:
I go to validate "every" field
I will get them with "Request".Form or Cookie.
Is it appropriate?

and...
if an attacker appends to the post
"MyField" with its value
(surely a value that can break the service)
is the web server (IIS)
capable of ignoring the field?
or could it be dangerous?

thanks

--
atte,
Hernán Castelo
SGA - UTN - FRBA