Hacking the Code ASP.NET Web Application Security [Electronic resources]

James C. Foster, Mark M. Burnett


Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. Is there anything we can do on the server side to prevent cross-frame and cross-window scripting attacks?

2. Is it ever okay to use GET on a form rather than POST?

3. Should I use an HTML encryptor or obfuscator to prevent information leaks?

Answers

1. Cross-frame and cross-window scripting attacks are mostly a client issue, in particular, a client visiting a server with malicious content. However, you can somewhat limit an attacker's ability to use your web site in such an attack. Most important is to address any cross-site issues in your application. You might also consider some of the DHTML features and their impact on security mentioned at this URL: http://msdn.microsoft.com/workshop/author/l/sec_l.asp.

2. GET requests are generally appropriate for query or lookup requests, for example an article ID or a search engine query. POST requests are preferred if the request contains user-submitted information, sensitive information, or information that changes something on the server.
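As an added example (not code from the book), assuming a hypothetical Web Forms page `DeleteArticle.aspx` and a hypothetical `ArticleRepository.Delete` data-access helper: the page enforces POST for its state-changing action and reads its input from the form body rather than the query string.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not from the book. Hypothetical Web Forms page that deletes
// an article: a state-changing action, so it must only be reachable via POST.
public partial class DeleteArticle : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // A GET to this URL (for example a followed link) must not delete
        // anything. Refuse it with 405 Method Not Allowed.
        if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            Response.StatusCode = 405;
            Response.AppendHeader("Allow", "POST");
            Response.End();   // stops further processing of this request
            return;
        }

        // Read the ID from the posted form body, never from the query string,
        // so it does not end up in proxy logs, browser history or Referer headers.
        int articleId;
        if (!int.TryParse(Request.Form["ArticleId"], out articleId))
        {
            Response.StatusCode = 400;   // Bad Request: missing or malformed ID
            Response.End();
            return;
        }

        ArticleRepository.Delete(articleId);   // hypothetical data-access helper
    }
}
```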

3. Although these types of tools do have some small benefit, they are generally an inadequate substitute for solid HTML coding practices. Encryption and obfuscation rely on the client, and the techniques are not foolproof. At some point the browser needs to see the HTML to be able to render it, so an attacker could do the same.