>
We've got the following problem: When a visitor klicks a dead link he
ends up on a 404-page like should be. On that page there's an
opportunity to mail the webmaster (me) about the missing page. Most
visitors don't describe the link or the page they came from
(containing the dead link) so I really would like to prefill their
email with the URL of the page that seems to be missing.
All ideas are welcome...
Using serverside J[ava]script on a ASP platform:
Error page: <% = request.serverVariables("QUERY_STRING") %>
[please do not quote signatures on usenet]
If you se this:
Error page: <% = request.serverVariables("QUERY_STRING") %>
make sure to filter it first to avoid XSS, and response splitting etc..
I don't se, could you explain?
What is XSS?
Why avoid response splitting?
well if you just print the query string to the html page then a
cunning attacker can form a query string which will print a string to
the page which might steal the cookies of that site (if the user is
logged in) or perform some other attacks.
XSS is cross site scripting, where if you alow the content of your
webpage to be printed to screen as html the attacker can control your
user base. In your example you would validate that the query string
was in the form you expected, before printing it.
Response splitting is where the value of the Location header (which is
send by the server when it wants to redirect the user agent to an
error page - or just to another page) allows code to be injected into
it. Some servers are vulnerable to reponse splitting. Where say a UTF7
encoded strong is sent as the URL to be reidrected to, this UTF string
might have a newline sequence in it which /splits/ the location
header, and allows the injection of completely new headers, which
force the server to return 2 resources instead of just one. This
allows the attacker to get control over the user. It's unlikely
especially if you patch and upgrade your architecture, because this
kind of attack is relatively old as webapp attacks go. But it too
comes from improper validation and filtering before including a URL
string in the location header of a dynamic redirect.
So basically, if you take a value (that could have been supplied by a
user) it must be checked over before being used. Hope thats a bit
clearer. :)