Failed security audit (XSS and SQL Injection are possible).
Posted on 2010-08-20
Are there protections from code injection that can be put in place? They were able to inject <script> that ran a marquee across the screen... and said they could grab people's usernames and passwords by injecting in the same way...
Dangerous characters which should be filtered:
• " ' % ; ) ( & + -
• These should be checked for and filtered out in all requests, input forms, the URI, headers, and cookies.
Does APEX have anything that can be turned on to prevent having to check all inputs?
Also, they used the Firefox "Inspector" to change a text item from a maximum of 9 characters to 50 characters so they could inject code...
Any help appreciated..
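As an added example (not from the original post, and written in Python rather than APEX PL/SQL), the three server-side controls this thread is about: re-checking the item's length limit on the server because the browser's maxlength can be edited in the inspector, HTML-escaping values on output so an injected <script> is displayed as text, and using a bind parameter so user input is never spliced into SQL. All function names and the sample rows are hypothetical.

```python
import html
import sqlite3

MAX_USERNAME_LEN = 9  # the form item's limit; enforced again on the server


def validate_username(value: str) -> list:
    """Server-side validation; returns a list of error messages (empty means ok)."""
    errors = []
    if not value:
        errors.append("username is required")
    elif len(value) > MAX_USERNAME_LEN:
        # A client-side maxlength can be edited in the browser's inspector,
        # so the length limit has to be checked here, not only in the form.
        errors.append(f"username longer than {MAX_USERNAME_LEN} characters")
    return errors


def render_cell(value: str) -> str:
    """Escape a value before placing it in HTML so a stored <script> tag
    is rendered as visible text instead of being executed."""
    return html.escape(value, quote=True)


def setup_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("obrien", "O'Brien")],  # constructed sample rows
    )
    return conn


def find_display_name(conn: sqlite3.Connection, username: str):
    """Look a user up with a bind parameter: the input is passed as data,
    so quotes or comment markers in it never change the SQL statement."""
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_demo_db()
    print(validate_username("<script>alert(1)</script>"))
    print(render_cell("<script>alert('x')</script>"))
    print(find_display_name(db, "obrien"))
```

Note that a legitimate value such as O'Brien passes through both the escaping and the bind-parameter lookup unchanged, which a character blocklist would not allow.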