RSnake wrote: > No, that is incorrect. This is not visible by the application because > achor tags are not sent to the webserver. This is completely invisible > to web application firewalls. Btw, a user on http://sla.ckers.org/ made > this recommendation for fixing your own browsers: > > Firefox->Tools->Options->Content->Manage->change PDF action to "Save to > disk". YMMV, but for Apache-based servers, one of the two methods below -may- do the trick (no guarantees that it won't break your app in the process): # mod_rewrite prevention vs. DOM attacks on static content RewriteCond %{THE_REQUEST} .*\.(img|jpg|pdf|css|js)[^A-Za-z0-9._?&%-] RewriteRule (.*\.(img|pdf|cgi|jpg)) $1 [R,L] # mod_security 2.0 prevention vs. DOM attacks on static content SecRule REQUEST_URI_RAW: ".*\.(img|jpg|pdf|css|js)[^A-Za-z0-9._?&%-]" \ "deny,log,status:501,id:955001,severity:2,msg:'DOM attack on static content'" Erick.
