Commits

Shlomi Fish committed 16b8f7c

Add Code/Markup Injection.

To the bad-elements page.

  • Parent commits f36bc37

Comments (0)

Files changed (3)

 * Bad elements page:
     - "-param" (parameters starting with a dash) for subroutines or methods.
         - should be plain names instead.
+    - Code/Markup injection:
+        - shell code injection.
+        - cross-site-scripting / HTML injection.
+        - SQL injection.
         - show all with IO::All and without it.
 
 * Add to '/bad-elements/':
-    - Code/Markup injection:
-        - shell code injection.
-        - cross-site-scripting / HTML injection.
-        - SQL injection.
     - Regular expressions starting or ending with .*? or .*
     - Using one variable for two different things
         - assignment to a different value in the middle of the subroutine.
 * "So benchmark your code, see how well it performs and then continue
 reading this page if it is indeed too slow." - missing comma.
 
+* Mirror http://shlomif-tech.livejournal.com/35301.html (Code/Markup injection
+) locally and enhance it.
+
 Long Term:
 ----------
 
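Review bot: the relocated "Code/Markup injection" block in the "Bad elements page" list is inserted directly above the existing sub-item "show all with IO::All and without it", which is indented at the same depth as "SQL injection", so that sub-item now reads as a child of the injection item rather than of whatever item it originally belonged to; either place the block after that line or re-attach the IO::All line to its original parent. If the "Bad elements page" list tracks items still to be written, note that this same commit adds the section to index.html.wml, so the item is done and could be dropped rather than moved. Minor: the new "Mirror http://shlomif-tech.livejournal.com/35301.html (Code/Markup injection" line leaves its closing parenthesis alone on the next line; wrap before the parenthesis instead.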

File src/tutorials/bad-elements/index.html.wml

 
 </item>
 
+<item id="code_and_markup_injection" h="Code and Markup Injection">
+
+<p>
+Care must be taken when constructing statements that are passed to an
+interpreter, when putting arbitrary strings inside (using string interpolation
+or other methods). This is because if the strings are subject to input from
+the outside world (including the users), then one can use specially crafted
+strings for executing arbitrary commands and exploiting the system.
+</p>
+
+<p>
+An example of this is outputting HTML using
+<tt>print "&lt;p&gt;" . $paragraph_text . "&lt;/p&gt;\n";</tt> which may allow
+inserting arbitrary, malicious, markup inside <tt>$paragraph_text</tt>,
+which may include malicious JavaScript, that can steal passwords or alter
+the page’s contents.
+</p>
+
+<p>
+For more information, see:
+</p>
+
+<ol>
+
+<li>
+<p>
+<a href="http://shlomif-tech.livejournal.com/35301.html">“Code/Markup Injection
+and Its Prevention post”</a> on Shlomi Fish’s Technical Journal.
+</p>
+</li>
+
+<li>
+<p>
+Wikipedia articles about
+<a href="http://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>
+and
+<a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site
+scripting</a>.
+</p>
+</li>
+
+<li>
+<p>
+The site <a href="http://bobby-tables.com/">Bobby Tables</a> about SQL
+injections.
+</p>
+</li>
+
+</ol>
+
+</item>
+
 </main_list>
 
 #include "bad-elements-sources.wml"
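Review bot: the new item shows only the vulnerable pattern (`print "<p>" . $paragraph_text . "</p>\n";`) and never states the remedy, so a reader of a "bad elements" page is left without the corresponding good element. Add a sentence after the example saying that data must be escaped for the language it is embedded in before interpolation (for HTML, encode `<`, `>`, `&` and quotes, for instance with HTML::Entities' encode_entities), and that for SQL and the shell one should prefer interfaces that keep data separate from code (DBI placeholders, the list form of system()) over building a string. The first paragraph's "when putting arbitrary strings inside (using string interpolation or other methods)" also reads awkwardly; "when arbitrary strings are embedded in them by interpolation or concatenation" is clearer. Finally, the heading says "Code and Markup Injection" while the linked post and the commit message use "Code/Markup Injection"; pick one spelling.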