Validating Form Input Is Vital

If your Web applications don't validate user-provided data, all sorts of bad and embarrassing things can happen. Here's a prime example:

Several ZDNet and CNet sites, as well as TorrentReactor, were all compromised in an indirect way. The sites cache search results for phrases entered into their site search boxes. Those results are then made visible to Google, which indexes those pages, and that reportedly helps overall page ranking.

Intruders discovered that they could enter HTML code as part of the search phrase and that the code would be cached in the results. So they entered IFRAME code that led to malicious Web sites. Then, when people performed certain searches on Google, the cached result pages would show up in Google's results. Unwitting Web surfers would then click the links, thinking they were going to ZDNet, CNet, or TorrentReactor, but instead they were redirected to the malicious Web site content.
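As an added illustration (not code from the original post or from any of the sites named), here is the defect in miniature: a results page that echoes the search phrase into the HTML raw, beside the same page with the phrase HTML-escaped on output, plus a check a cache or scanning job could run before a page is stored. The host name and search phrases are constructed placeholders.

```python
import html
import re

# Constructed sample inputs: one ordinary phrase and one carrying markup,
# of the kind the post describes (placeholder host, not a real site).
PLAIN_PHRASE = "linux kernel"
INJECTED_PHRASE = '<iframe src="http://malicious.example/"></iframe>'


def render_results_vulnerable(phrase: str, hits: list[str]) -> str:
    """Echo the search phrase into the results page verbatim.

    This is the defect described above: whatever the user typed becomes
    part of the HTML that is cached and later served (and indexed).
    """
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h1>Results for {phrase}</h1><ul>{items}</ul>"


def render_results_safe(phrase: str, hits: list[str]) -> str:
    """Same page, but every user-controlled value is escaped on output.

    html.escape turns < > & " ' into entities, so markup in the phrase is
    shown as text rather than interpreted by the browser.
    """
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h1>Results for {html.escape(phrase)}</h1><ul>{items}</ul>"


# Anything that looks like the start of an HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def phrase_reflected_raw(rendered: str, phrase: str) -> bool:
    """Check for a cache job: does a phrase containing markup survive in
    the rendered page unescaped? True means the page must not be cached
    or served as-is."""
    return TAG_RE.search(phrase) is not None and phrase in rendered
```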

Ouch.

This is a very good case in point of why you should scan your Web applications to make sure they are as secure as possible!

You can read more about this problem at The Register.
