HTML, .page scanning tools

Hi All,

Our use case is to have a html and .page scanning system in place to catch any malicious code (eg: within javascript) to avoid reaching it to our runtime servers. We are planning to implement the scan task within our workflows which would cause it to succeed or fail based on the output of scan.

We are researching on some third party tools which would help scan the attached files. Has any one worked with any of them? Looks like HP has such tools. I understand they wont be just plug and play but need some customization, but it would be interesting to know if someone is already using it.

Thanks,
TS 6.7.2
LSDS

Find more posts tagged with

Comments

Rick Poulin

I don't even understand the requirement. Do you distrust your users that much? And even then, aren't your users the defacto site owners? If they want to intentionally destroy their own site (it's pretty hard to accidentally insert malicious code), are you really going to be able to prevent that with 100% certainty?

Or phrased a different way, if you distrust your users that badly, then why are you giving them the ability to customize the javascript (or worse, server-side code) on the site?

Rohan_t1

I don't even understand the requirement. Do you distrust your users that much? And even then, aren't your users the defacto site owners? If they want to intentionally destroy their own site (it's pretty hard to accidentally insert malicious code), are you really going to be able to prevent that with 100% certainty?

Or phrased a different way, if you distrust your users that badly, then why are you giving them the ability to customize the javascript (or worse, server-side code) on the site?

This was exactly our reaction when the requirement was passed on to us Smiley Happy

. But this has come up from higher management so a solution is required or atleast the approach to start with. I agree site owners/editors/authors should be trusted but we also have lot of vendor supplied assets which includes htmls, js and others along with translated content which needs to be scanned before being pushed to runtime.

Rick Poulin

we also have lot of vendor supplied assets which includes htmls, js and others along with translated content which needs to be scanned before being pushed to runtime.

Does this happen often enough to warrant automation? I'm thinking you could probably manage with a small standalone utility that you use manually whenever you receive new updates from "untrusted" sources.

But seriously, couldn't you just sue your vendors if they purposely gave you malicious code?

/or challenge upper management to a duel-to-the-death
//sorry, still not seeing this as a CMS/TeamSite problem...