Keith Fitzgerald on 27 Jun 2007 13:24:42 -0000



Re: [PhillyOnRails] ModSecurity / PHPIDS


Haha, yeah, I'm also thinking out loud. Been real interested in security of late and just got back from USENIX, so now I'm paranoid.

I'll look around a little more and report back :-)

On 6/27/07, Mat Schaffer <schapht@gmail.com> wrote:
On Jun 26, 2007, at 5:13 PM, Keith Fitzgerald wrote:
> Regarding pre-deployment security, I imagine it would be pretty
> easy to check for common cases that *could* lead to XSS exploits,
> i.e. many applications simply just trust user input and do not
> validate.
>
> Or, for example, Rails by default allows GET as well as POST
> submissions. An easy test would be to check that GET requests are
> blocked in form actions. Unless this is no longer default behavior?

I could see this being implemented as warnings during functional or
integration testing.  Perhaps with some sort of meta-programming to
bring the requirement down to one statement?  Just thinking out loud
here, really.
-Mat
_______________________________________________
To unsubscribe or change your settings, visit:
http://lists.phillyonrails.org/mailman/listinfo/talk

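One way to make Mat's "one statement" idea concrete, as an added example that is not code from this thread or from Rails itself: a stand-in controller with a per-action verb allow-list, and a test mixin where a single `reject_get_on` line generates one check per state-changing action, so a destroy action that quietly accepts GET fails the suite instead of shipping. Class and method names (`PostsController`, `LeakyPostsController`, `dispatch`, `reject_get_on`) are hypothetical.

```ruby
# Constructed stand-in for a Rails controller (hypothetical class, not Rails
# code): each action declares the HTTP verbs it accepts, as a
# `verify :method => :post` filter would. Nothing here needs Rails installed.
class PostsController
  ALLOWED = { 'index' => %w[GET], 'show' => %w[GET], 'create' => %w[POST],
              'update' => %w[POST PUT], 'destroy' => %w[POST DELETE] }
  # Outcome of the filter: 404 for an unknown action, 405 for a disallowed
  # verb, 200 otherwise. `self::` so a subclass can override ALLOWED.
  def self.dispatch(method, action)
    allowed = self::ALLOWED[action]
    return 404 unless allowed
    allowed.include?(method.upcase) ? 200 : 405
  end
end

# The same controller with a common slip: destroy is reachable by GET.
class LeakyPostsController < PostsController
  ALLOWED = PostsController::ALLOWED.merge('destroy' => %w[GET POST DELETE])
end

# Test-side mixin: one statement, `reject_get_on SomeController, :create, ...`,
# expands into one generated test method per state-changing action.
module GetRejectionChecks
  def reject_get_on(controller, *actions)
    actions.each do |action|
      define_method("test_#{action}_rejects_get") do
        status = controller.dispatch('GET', action.to_s)
        raise "#{controller}##{action} accepted GET (HTTP #{status})" unless status == 405
        true
      end
    end
  end
end

# Minimal runner so the example needs no test framework: returns
# { :test_create_rejects_get => true, ... }, with false for each failing check.
class PostsControllerTest
  extend GetRejectionChecks
  reject_get_on PostsController, :create, :update, :destroy
  def self.run
    instance_methods(false).grep(/^test_/).sort.map do |m|
      [m, (new.send(m) rescue false)]
    end.to_h
  end
end

# Same declaration against the leaky controller: destroy's check comes back false.
class LeakyPostsControllerTest < PostsControllerTest
  reject_get_on LeakyPostsController, :create, :update, :destroy
end
```

`PostsControllerTest.run` returns every check true; `LeakyPostsControllerTest.run` returns `:test_destroy_rejects_get => false`, which is the warning Mat describes surfacing in the functional tests.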