Re: [PhillyOnRails] ModSecurity / PHPIDS
- From: Mat Schaffer <schapht@gmail.com>
- To: talk@phillyonrails.org
- Subject: Re: [PhillyOnRails] ModSecurity / PHPIDS
- Date: Wed, 27 Jun 2007 09:15:24 -0400
- List-archive: <http://lists.phillyonrails.org/pipermail/talk>
- Reply-to: talk@phillyonrails.org
On Jun 26, 2007, at 5:13 PM, Keith Fitzgerald wrote:
> Regarding pre-deployment security, I imagine it would be pretty
> easy to check for common cases that *could* lead to XSS exploits,
> e.g. many applications simply trust user input and do not
> validate.
>
> Or, for example, Rails by default allows GET as well as POST
> submissions. An easy test would be to check that GET requests are
> blocked for form actions. Unless this is no longer default behavior?
I could see this being implemented as warnings during functional or
integration testing, perhaps with some sort of meta-programming to
bring the requirement down to one statement. Just thinking out loud
here, really.
-Mat
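The "one statement" check discussed in the two messages above, as an added example that is not from the thread or from Rails itself: a stand-alone, Rails-free Ruby sketch of (a) a class-level declaration that only the listed HTTP methods may reach a state-changing action, and (b) a single helper that walks every declared mutating action and reports those still reachable over GET. The names (MiniController, verify, mutating, reachable_via_get) and the two sample controllers are hypothetical; verify is modelled loosely on the Rails 1.x/2.x `verify :method => :post` macro but is not Rails' API.

```ruby
# Added example (not from the mailing-list thread or from Rails): a stand-alone
# sketch of a controller-level HTTP-method guard plus the single-statement test
# that finds mutating actions still reachable via GET. MiniController, verify,
# mutating and reachable_via_get are hypothetical names for this illustration.

class MiniController
  # action name (Symbol) => Array of allowed HTTP methods (uppercase Strings)
  def self.allowed_methods
    @allowed_methods ||= {}
  end

  # Declare that +actions+ may only be reached via +methods+ (e.g. :post).
  def self.verify(methods, *actions)
    methods = Array(methods).map { |m| m.to_s.upcase }
    actions.each { |a| allowed_methods[a.to_sym] = methods }
  end

  # Actions that change state and therefore must not answer a plain GET.
  # Declared explicitly so the check does not depend on naming conventions.
  def self.mutating(*actions)
    @mutating = actions.map(&:to_sym) if actions.any?
    @mutating || []
  end

  # Dispatch one request and return [status, body]. A disallowed method is
  # rejected with 405 before the action body runs; the GET check relies on that.
  def dispatch(method, action)
    action = action.to_sym
    allowed = self.class.allowed_methods[action]
    return [405, "Method Not Allowed"] if allowed && !allowed.include?(method.upcase)
    return [404, "Not Found"] unless respond_to?(action)
    [200, public_send(action)]
  end
end

# The one-statement test from the thread: given a controller class, return the
# mutating actions that still answer 200 to a GET. An empty array means safe.
def reachable_via_get(controller_class)
  controller = controller_class.new
  controller_class.mutating.select do |action|
    status, _body = controller.dispatch("GET", action)
    status == 200
  end
end

# Constructed sample controllers for the demonstration (not real application code).
class ProtectedPostsController < MiniController
  mutating :create, :update, :destroy
  verify :post, :create, :update, :destroy
  def index;   "listing"; end
  def create;  "created"; end
  def update;  "updated"; end
  def destroy; "deleted"; end
end

class LeakyPostsController < MiniController
  mutating :create, :update, :destroy
  verify :post, :create   # update and destroy forgotten: still reachable via GET
  def index;   "listing"; end
  def create;  "created"; end
  def update;  "updated"; end
  def destroy; "deleted"; end
end

if __FILE__ == $0
  p reachable_via_get(ProtectedPostsController)  # []
  p reachable_via_get(LeakyPostsController)      # [:update, :destroy]
end
```

In a real test suite the helper would take the application's controllers (or its route table) rather than a hand-built list, and a non-empty result would be raised as the warning Mat describes; the point of keeping the check to one call per controller is that it is cheap enough to run on every build, so a newly added mutating action without a method restriction fails fast.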
_______________________________________________
To unsubscribe or change your settings, visit:
http://lists.phillyonrails.org/mailman/listinfo/talk