Submit the name of a known static resource on the server, and determine

■

If the application is vulnerable to local file inclusion, attempt to access

In general, the best way to avoid script injection vulnerabilities is to not pass

user-supplied input, or data derived from it, into any dynamic execution or

include functions. If this is considered to be unavoidable for some reason, then

the relevant input should be strictly validated to prevent any attack occurring.

If possible, use a white list of known good values (such as a list of all the lan-

guages or locations supported by the application), and reject any input that

does not appear on this list. Failing that, check the characters used within the

input against a set known to be harmless, such as alphanumeric characters

excluding whitespace.

70779c09.qxd:WileyRed  9/14/07  3:13 PM  Page 312

Download 5,76 Mb.

Do'stlaringiz bilan baham: