Post by robingms on Jul 4, 2020 4:21:14 GMT -8
Forum URL: (private)
Hi Administrator,
I am the Administrator of that forum.
I have been blocked from logging into my own forum or logging into this forum.
Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.
I suspect this is because you have started protecting your website from code insertion techniques.
So I created a new account which I would like deleted as soon as this issue is resolved. The email used is a temporary disposable email address.
I suspect this is because of my generated passwords, which can be of any length and contain characters that are commonly associated with code injection techniques. BTW "Code injection Techniques" is a more commonly used term than "Code Insertion techniques".
So long as your registration accepts them, my passwords, apart from the usual letters and numbers, also contain:
- Commonly accepted UK Punctuation e.g.: ~()=-{},@#[]?&^*;+$%._
- Values you can enter from a UK keyboard: !"£$%^&*()_+-={}[]:@~;'#<>?,./|éúíóÉÚÍÓ where less restricted.
- Where any Unicode character is accepted and can be cut and pasted into the fields or inserted by a password manager: Any Unicode characters, e.g.: logograms (e.g. Chinese characters or hieroglyphs), letters, numbers or punctuation from any script from anywhere in the world: Arabic, Sanskrit, Klingon, European etc.
Being a software developer of some 37 years' experience who has worked for 3 different antivirus companies, I know there are a lot better ways of protecting against code injection techniques than blanket banning entries that contain characters that are commonly used in code injection: "{}[]=^&()+-*;/\|. ".
The best way is to always deal with input as input and never use it in a way that it can be included in the code. A common way of achieving this in JavaScript or JSON is by encoding the input e.g. by parsing the text and then storing the series of Unicode Code points as a series of hexadecimal digits which are always [0-9,A-F] (capitalisation optional) or by 64 bit encoding the string. For JavaScript and JSON this is the preferred route because they are both interpreted text and very susceptible to code injection.
Thereafter the string field cannot inject code. In some computer languages you can also wrap the input in an object. Similarly, once stored as an object it can be passed around freely without being interpreted as code.
The solutions available to you depend on which computer language you are using on your website. You then decode your input as text when you want to re-display it or compare it against something else.
One thing that is essential is that, when you change how your passwords are validated, you force users to change their passwords to match the new validation before implementing the change.
I may have been blocked for other reasons. So this is a very long email just to ask:
If you have recently added a software package that checks every input field for values that look like code injection, please can you reset my password?
If that is not the issue, please let me know why I am blocked.
Robin
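
An added example, not part of the post above or of the forum's software: the encode-on-input, decode-on-use handling the post describes, sketched in JavaScript. The function names and the sample string are constructed; Base64 over UTF-8 bytes is assumed for the second encoding, and HTML escaping on redisplay is an added assumption, since decoded text is ordinary untrusted input again.

```javascript
// Added example: all names are hypothetical, the sample input is constructed.

// Encode each Unicode code point as 6 fixed-width hex digits (max is 10FFFF),
// so the stored form only ever contains [0-9A-F].
function toHexCodePoints(text) {
  return Array.from(text, ch =>
    ch.codePointAt(0).toString(16).toUpperCase().padStart(6, "0")).join("");
}

// Strict decoder: anything that is not well-formed encoder output is rejected.
function fromHexCodePoints(hex) {
  if (!/^(?:[0-9A-Fa-f]{6})*$/.test(hex)) {
    throw new Error("not a hex code point string");
  }
  const out = [];
  for (let i = 0; i < hex.length; i += 6) {
    const cp = parseInt(hex.slice(i, i + 6), 16);
    if (cp > 0x10ffff) throw new Error("code point out of range");
    out.push(String.fromCodePoint(cp));
  }
  return out.join("");
}

// Alternative carrier: Base64 over the UTF-8 bytes of the input.
function toBase64(text) {
  return Buffer.from(text, "utf8").toString("base64");
}
function fromBase64(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Once decoded for redisplay, the text must be escaped for its output context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, c => map[c]);
}

// Constructed password-like input: punctuation, Latin-1, CJK and a hieroglyph.
const sample = "~{}[]=^&()+-*;/\\|'\"<>\u00A3\u00E9\u6F22\u{13000}";

const stored = toHexCodePoints(sample);
console.log(stored);                                   // hex digits only
console.log(fromHexCodePoints(stored) === sample);     // round trip is lossless
console.log(escapeHtml(fromBase64(toBase64(sample)))); // safe to place in HTML text
```

The encoded form is inert only while it stays encoded; comparison should happen on the decoded string, and anything written back into a page, query or script still needs the escaping or parameter binding for that context.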