
Steve Thomas
Minmatar Sebiestor Tribe
Posted - 2011.04.12 00:07:00 -
Originally by: CCP Sreegs
Originally by: Lubomir Penev
Originally by: CCP Sreegs
Originally by: Lubomir Penev The best part about that dev blog : it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.
The blog never said there wasn't an audit. The blog also said you couldn't insert script.
I wasn't even being critical, just commenting on the fact that we have no choice but to believe you, as that particular forum version will never see the light of day again.
As for the audit, that's the worrying part: if there was one, how could it miss two very classical OWASP top 10 vulns (this is actually generous, they are OWASP top 3 vulns)... It's not like the forum had so many entry points for possible XSS injection that exhaustive testing was impossible or even hard. Nobody used ground-breaking stuff to break the new toy open; it was one guy with an hour to spare and an XSS cheat sheet (the injection part). So yes, as someone who was in the field pretty recently, I wonder how the forums passed a security audit if there was one. But yes, I know sometimes the obvious escapes the prying eyes of seasoned professionals; it happens to everyone, it has even happened to me. But the sheer amount of uncaught stuff looks odd to me.
It looks odd to me too. This is why we have internal investigations. :) I had them do some pretty extensive testing to verify that we were properly filtering the script tags today, which was why the blog was delayed. Were we not filtering it I'd have said so.
:Icouldahadav8headsmacksmilycon: OK, that was what I was missing when I did a bit of testing with a modified YAF forum, because I had to strip the script block to get HTML to work the way some people were saying was possible.
And even then it was older browsers (IE7, older versions of Chrome and Firefox) that did not even blink at what I was doing. (IE 9 and the newest Chrome both threw a royal hissy fit over a script trying to install a dancing chipmunk on my desktop; the others either just blocked it, gave me popup warnings, or simply crashed out the browser and sent me back to my homepage.)
http://desusig.crumplecorn.com/sigs.html Crumplecorn's DesuSigs
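The thread turns on whether "filtering the script tags" is enough to keep user HTML from becoming stored XSS. The defensive answer is that stripping one tag is a blocklist, and a forum sanitizer should instead be an allowlist: keep only known-safe elements and attributes, drop script/style content entirely, re-escape all text, and only let through URL attributes with an expected scheme. The code below is an added illustration written for this page, not CCP's forum code or anything from YAF; the allowed tag and attribute sets are assumptions chosen for the example, and the inputs in the comments are constructed test strings.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist chosen for this example (assumption, not any real forum's policy).
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "img", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = ("http://", "https://")
DROP_CONTENT_TAGS = {"script", "style"}  # element *and* its body are discarded


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted markup; everything else becomes text or is dropped."""

    def __init__(self):
        # convert_charrefs=True: entities in text and attributes are decoded for us,
        # so an obfuscated scheme such as &#106;avascript: is seen as javascript:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text (handled by handle_data)
        parts = [f"<{tag}"]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler and anything else not allowlisted
            value = (value or "").strip()
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # unexpected scheme (javascript:, data:, ...) is dropped
            parts.append(f' {name}="{escape(value, quote=True)}"')
        parts.append(">")
        self.out.append("".join(parts))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return  # script/style body never reaches the output
        self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize(user_html: str) -> str:
    """Return an allowlist-sanitised version of a user-supplied HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(user_html)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed samples: a script block, an unsafe link scheme plus an
    # event-handler attribute, and an unknown tag wrapping text with an entity.
    for sample in (
        '<p>Hello <b>world</b><script>alert(1)</script></p>',
        '<a href="javascript:x()" onclick="y()">link</a>',
        '<div>5 &lt; 6</div><br/>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because this runs server-side before storage, the result does not depend on which browser renders the post, which is the variable Steve's test runs against older IE, Chrome and Firefox were exercising. A production deployment would also set `Content-Security-Policy` and use a maintained sanitiser library rather than a hand-rolled one, but the allowlist shape is the point.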