By David Lancaster
Here's my answers:
Uh....on 2nd thought....
1. The first piece of text was a test to see if the application was vulnerable to Cross-site scripting (XSS), by using a web-bug. If the application was vulnerable, when an elf viewed this wish, their browser would attempt to display the image at "http://www.bumblesnowmonster.com/Sample.jpg", but the elf would not be aware of the attempt since the height and width were set to 0. Presumably the child would have access to the server's logs and could verify if the XSS test succeeded.
(document.cookie) as an argument, with grab.cgi most likely logging the cookie to a file. The child could then duplicate the elf's cookie, and login to the naughty-or-nice application and wreak havoc!
3. Mods to web Application:
Strip all HTML tags in wishes
Convert HTML tag delimiters (<, >) to equiv html codes (&gt;, &lt;)
Convert HTML tag delimiters (<,>) to other characters ([, ])
Set up a filter that permits "normal" characters [a-zA-Z0-9, etc.] and filters out everything else.
Hash the cookie with the elf's IP address, so it could only be re-used at that IP.
Mods to browser:
Firewall off elves so that they cannot access the internet at all.
4. Disable parsing of HTML messages (use text version of multipart, or display HTML unparsed)
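Added example (not part of David Lancaster's answer above): three of the web-application mods he lists, implemented as small Python functions so they can be exercised against the zero-sized image the answer describes. Assumptions not stated in the post: wishes are stored as text and rendered into an HTML page, the session cookie is an opaque token the server can bind to the client IP with an HMAC, and the server secret, session id and IP addresses below are constructed sample values.

```python
"""Added example: HTML-entity conversion, an allowlist character filter and
IP-bound cookies for the naughty-or-nice wish list. Not from the original post."""
import hashlib
import hmac
import html
import re

# Constructed sample wish containing the 0x0 web-bug image the answer describes.
WEB_BUG_WISH = ('I want a pony <img src="http://www.bumblesnowmonster.com/Sample.jpg" '
                'height="0" width="0">')


def escape_wish(wish: str) -> str:
    """Mod: convert HTML tag delimiters to entities (&lt; &gt; &quot; &amp;),
    so an elf's browser renders the tag as literal text and never fetches the image."""
    return html.escape(wish, quote=True)


# Mod: allowlist of "normal" characters; everything else is dropped.
_NOT_ALLOWED = re.compile(r"[^a-zA-Z0-9 ,.'!?-]")


def filter_wish(wish: str) -> str:
    """Remove every character outside the allowlist (letters, digits, space
    and a little punctuation). Angle brackets, quotes and slashes never survive."""
    return _NOT_ALLOWED.sub("", wish)


def contains_markup(rendered: str) -> bool:
    """Defender-side check: is there still anything that parses as an HTML tag?"""
    return re.search(r"<[a-zA-Z/!]", rendered) is not None


# Constructed placeholder; a real deployment would use a random secret kept off the page.
SERVER_SECRET = b"constructed-server-secret"


def bind_cookie(session_id: str, client_ip: str) -> str:
    """Mod: hash the cookie with the elf's IP. The value is session id plus an
    HMAC over (session id, IP), so a copied cookie only validates from that IP."""
    msg = f"{session_id}|{client_ip}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def validate_cookie(cookie: str, client_ip: str) -> bool:
    """Recompute the bound value for the presenting IP and compare in constant time."""
    session_id, _, _tag = cookie.rpartition(".")
    expected = bind_cookie(session_id, client_ip)
    return hmac.compare_digest(expected, cookie)


if __name__ == "__main__":
    print("escaped :", escape_wish(WEB_BUG_WISH))
    print("filtered:", filter_wish(WEB_BUG_WISH))
    c = bind_cookie("sess123", "10.0.0.5")
    print("same IP :", validate_cookie(c, "10.0.0.5"))
    print("other IP:", validate_cookie(c, "10.0.0.6"))
```

Entity conversion keeps the wish readable (the child's text is shown verbatim, tag and all) while the allowlist filter silently discards most of it, so the two mods trade fidelity against simplicity. The IP-binding mod carries a caveat worth knowing before rollout: elves behind a NAT share one address, and elves whose address changes mid-session get logged out.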