Mat Schaffer on 27 Jun 2007 13:15:43 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PhillyOnRails] ModSecurity / PHPIDS

  • From: Mat Schaffer <>
  • To:
  • Subject: Re: [PhillyOnRails] ModSecurity / PHPIDS
  • Date: Wed, 27 Jun 2007 09:15:24 -0400
  • Dkim-signature: a=rsa-sha1; c=relaxed/relaxed;; s=beta; h=domainkey-signature:received:received:mime-version:in-reply-to:references:content-type:message-id:content-transfer-encoding:from:subject:date:to:x-mailer; b=jCAWdTsTJ9Fkq9L3K0cEf1DY/Bbp4pnvpzIjcz/41XSns2NY4ca8ESqvqf2m6MwCciZyKzpp8Rb1HJxC+ddaZQTFyr+TiRnQio6k5seFGM1mpXxg+sSx/eDznY4KHT86bptD0yiTlmXiEd+UPUwLkLwtkWgGHEQyPkQHDy+1RQ4=
  • List-archive: <>
  • Reply-to:
  • Sender:

On Jun 26, 2007, at 5:13 PM, Keith Fitzgerald wrote:
regarding pre-deployment security, i imagine it would be pretty easy to check for common cases that *could* lead to xss exploits. i.e. many applications simply just trust user input and do not validate.

or for example, rails by default allows GET as well as POST submissions. an easy test would be to check GET requests are blocked in form action. unless this is no longer default behavior?

I could see this being implemented as warnings during functional or integration testing. Perhaps with some sort of meta-programming to bring requirement down to one statement? Just thinking out loud here, really.
To unsubscribe or change your settings, visit: