For those who were not able to attend the conference, I'd like to show the questions that were asked.
Which of the following code lines really protects against Cross-Site Scripting?
[ ] echo '<a href="index.php?name='.addslashes($_GET['name']).'">name</a>';
[ ] echo '<a href="index.php?name='.strip_tags($_GET['name']).'">name</a>';
[ ] echo '<a href="index.php?name='.preg_replace('|\W|', '', $_GET['name']).'">Name</a>';
In which code line did we hide a Remote Code Execution vulnerability?
[ ] include(dirname(__FILE__).'/lang/lang_'.$_GET['lang'].'.php');
[ ] preg_replace('/_NAME_/msiUe', "htmlentities(\"$_GET[name]\")", 'Hello Mr _NAME_ ! ');
[ ] eval("echo 'Hello Mr ".htmlentities($_GET['name'], ENT_QUOTES)."';");
[ ] <img />
[ ] <br />
[ ] <style></style>
[ ] <meta></meta>
Which of the following cannot happen if your website contains a Cross-Site Scripting vulnerability?
[ ] User logins can be taken over by means of so-called Session Riding.
[ ] Your website visitors' intranets can be scanned.
[ ] Every key pressed by your site's users can be logged by third parties.
[ ] Your users' hard disks can be formatted.
So: are you able to give the correct answers?
And for those of you interested in number crunching:
We had 39 participants; only 8 completely correct forms were handed in, and the average number of correct answers was 1.974 out of 4.
The winners of the quiz are:
- Stefan Neufeind (1 iPod Nano, 1 Chorizo! Standard license)
- Jan Schneider (1 Chorizo! Standard license)
- Keith Sauvant (1 Chorizo! Standard license)
- Holger Falk (1 Chorizo! Standard license)
- Mark Wiesemann (1 Chorizo! Standard license)