wu :: forums (http://www.ocf.berkeley.edu/~wwu/cgi-bin/yabb/YaBB.cgi)
riddles >> general problem-solving / chatting / whatever >> login?
(Message started by: inexorable on Dec 23rd, 2009, 2:05pm)

Title: login?
Post by inexorable on Dec 23rd, 2009, 2:05pm
Browsing through the forum as a guest without signing in seems to be disabled. Why? :(

One disadvantage I see is that it would prevent search engines from crawling the forum's content.


Title: Re:  login?
Post by bmudiam on Jan 5th, 2010, 11:58pm
I kind of disagree with that.

However, there is an advantage too. Most web applications are prone to XSS and XSRF attacks. Hackers mainly target forums like these. Enabling the forum will give them access to post JavaScript in the forum and gain unauthorized access to the servers.

There are ways to avoid these attacks, but that needs an end-to-end security analysis of the website.

Title: Re:  login?
Post by towr on Jan 6th, 2010, 1:29am
Javascript is easy to filter out of posts, just as other html is easy to filter out.
In any case, guests being able to read the forum doesn't even mean they'll be able to post.

Title: Re:  login?
Post by SMQ on Jan 6th, 2010, 5:36am

on 01/06/10 at 01:29:16, towr wrote:
Javascript is easy to filter out of posts, just as other html is easy to filter out.

But less easy to filter out of attachments, which is one possible attack vector. A script uploaded as an attachment here can potentially be used as part of an attack on any other site at ocf.berkeley.edu by allowing an attacker to write a seamless man-in-the-middle page that captures sensitive information. The usual rules of what data can be accessed programmatically from where normally make such an attack difficult or impossible, but if the malicious script is hosted in the same domain the attack is targeting, the rules are relaxed a little. That's the general pattern of XSS (cross-site scripting) attacks.

--SMQ

Title: Re:  login?
Post by bmudiam on Jan 6th, 2010, 6:19am
Actually, the dynamic cross-site scripting attack lets a user enter a search string (malicious JavaScript) inside the search box, and most browsers will display the text entered in the search box on the search results page, and that's how JavaScript can be executed.

The developer has to be very careful to make sure all the inputs are filtered, which is hard, I think.
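The search-box case described in the post above, as an added example that is not part of the thread or of YaBB's code: a results page that echoes the query, first concatenated as-is and then encoded for each output context. The function names, the `/search` path and the sample query and hits are assumptions constructed for illustration.

```javascript
// Added example: context-aware output encoding for a search results page.
// All names here (escapeHtml, renderResults*, /search) are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the query is concatenated into the page as-is, so any markup in it
// is parsed by the browser as part of the page.
function renderResultsUnsafe(query, hits) {
  return '<form><input name="q" value="' + query + '"></form>' +
         '<p>Results for ' + query + ': ' + hits.length + '</p>';
}

// After: every sink gets the encoding its context requires.
function renderResultsSafe(query, hits) {
  const text = escapeHtml(query);               // HTML text and attribute context
  const urlParam = encodeURIComponent(query);   // URL query-string context
  const items = hits.map((h) => '<li>' + escapeHtml(h) + '</li>').join('');
  return '<form><input name="q" value="' + text + '"></form>' +
         '<p>Results for ' + text + ': ' + hits.length + '</p>' +
         '<ul>' + items + '</ul>' +
         '<a href="/search?q=' + escapeHtml(urlParam) + '&amp;page=2">Next</a>';
}

// Constructed sample input: a query and stored hit titles that carry markup.
const sampleQuery = '"><script>alert(1)</script>';
const sampleHits = ['Riddle <b>42</b>', 'Tom & Jerry'];

function demo() {
  return {
    unsafe: renderResultsUnsafe(sampleQuery, sampleHits),
    safe: renderResultsSafe(sampleQuery, sampleHits),
  };
}

console.log(demo().safe);
```

Encoding at the point of output, rather than filtering at the point of input, means the stored hit titles are covered by the same function as the echoed query.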


