Topic: login? (Read 443 times)

inexorable
Full Member
Posts: 211

Browsing through the forum as a guest without signing in seems to be disabled. Why? One disadvantage I see is, it would prevent search engines from crawling the forum's content.

bmudiam
Junior Member
Posts: 55

Re: login?
« Reply #1 on: Jan 5th, 2010, 11:58pm »

I kind of disagree with that. However, there is an advantage too. Most of the web applications are prone to XSS and XSRF attacks. Hackers mainly target forums like these. Enabling the forum will give them access to post JavaScript in the forum and gain unauthorized access to the servers. There are ways to avoid these attacks, but that needs end-to-end security analysis of the website.
“Nobody can go back and start a new beginning, but anyone can start today and make a new ending.” - Maria Robinson

towr
wu::riddles Moderator Uberpuzzler
Some people are average, some are just mean.
Posts: 13730

Re: login?
« Reply #2 on: Jan 6th, 2010, 1:29am »

JavaScript is easy to filter out of posts, just as other HTML is easy to filter out. In any case, guests being able to read the forum doesn't even mean they'll be able to post.
Wikipedia, Google, Mathworld, Integer sequence DB

SMQ
wu::riddles Moderator Uberpuzzler
Posts: 2084

Re: login?
« Reply #3 on: Jan 6th, 2010, 5:36am »

on Jan 6th, 2010, 1:29am, towr wrote:
JavaScript is easy to filter out of posts, just as other HTML is easy to filter out.

But less easy to filter out of attachments, which is one possible attack vector. A script uploaded as an attachment here can potentially be used as part of an attack on any other site at ocf.berkeley.edu by allowing an attacker to write a seamless man-in-the-middle page that captures sensitive information. The usual rules of what data can be accessed programmatically from where normally make such an attack difficult or impossible, but if the malicious script is hosted in the same domain the attack is targeting the rules are relaxed a little. That's the general pattern of XSS (cross-site scripting) attacks. --SMQ
--SMQ
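
An added example, not part of the original thread and not this forum's own code: one way a server can answer requests for user-uploaded attachments so the browser never runs them as HTML or script in the hosting domain, which is the attachment risk described in Reply #3. The function names and the inline allowlist are assumptions made for illustration.

```python
import re

# Constructed allowlist (an assumption): passive types that are safe to show inline.
# image/svg+xml is deliberately absent because SVG can carry script.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def safe_filename(name: str) -> str:
    """Reduce an uploaded name to a conservative ASCII token for the header."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path part
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned[:100] or "attachment"


def attachment_headers(filename: str, declared_type: str) -> dict:
    """Build response headers so an upload is never run as HTML or script
    in the forum's own origin, whatever type the uploader declared."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    inline = mime in INLINE_SAFE_TYPES
    disposition = "inline" if inline else "attachment"
    return {
        # Anything not on the allowlist is served as opaque bytes.
        "Content-Type": mime if inline else "application/octet-stream",
        # Forces a download instead of rendering in the page's origin.
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        # Stops the browser from sniffing the body into HTML or script.
        "X-Content-Type-Options": "nosniff",
        # If the file is rendered anyway, it gets a sandboxed unique origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample uploads.
    for name, ctype in [("notes.html", "text/html"), ("cat.png", "image/png"),
                        ("logo.svg", "image/svg+xml")]:
        print(name, attachment_headers(name, ctype))
```

Serving uploads from a separate domain that holds no cookies or sessions complements these headers, since the relaxed same-domain rules then no longer apply to the uploaded file.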

bmudiam
Junior Member
Posts: 55

Re: login?
« Reply #4 on: Jan 6th, 2010, 6:19am »

Actually, the dynamic cross-site scripting attack lets the user enter a search string (malicious JavaScript) inside the search box, and most of the browsers will display the text entered in the search box on the search results page, and that's how JavaScript can be executed. The developer has to be very careful to make sure all the inputs are filtered, which is hard, I think.
“Nobody can go back and start a new beginning, but anyone can start today and make a new ending.” - Maria Robinson