Forum Discussion
3 Replies
- What_Lies_Bene1Cirrostratus
I'm no security expert but if the value is user supplied the user would be only be 'attacking' themselves as only they would get this response?
If the user was 'innocent' and had clicked a malicious link to cause this, why would the attacker use this method, the original link would have sufficed?
You can use URI::decode to expose some practises and also split the $somevar data in some way with spaces (HTTP::path 'space' HTTP::uri) so the link isn't actually 'clickable'.
- What_Lies_Bene1Cirrostratus
OK, I get that but what does this have to do with your HTTP::respond command? I don't see the connection, the link has already been clicked.
- Kevin_StewartEmployee
I'd perhaps suggest two things:
-
Set the HTTPOnly flag on all cookies. It's of course not a 100% solution, but it would prevent most script-based access to cookies.
-
As WLB suggests, simply URI::encode the output value:
HTTP::respond 403 content "Error: variable [URI::encode $somevar] not in datagroup"
-