WebApp Sec: RE: How to handle "special characters"

RE: How to handle "special characters"

From: Keifer, Trey <Trey.Keifer_at_fishnetsecurity.com>
Date: Thu, 11 Dec 2003 16:09:09 -0600

If you *have* to deal with special characters you will want to encapsulate everything at each level
depending on what you need to deal with and then peel off that encapsulation at each sub-level within
your application while keeping the idea of least-acceptance in mind. This has the added benefit of
ensuring input checking at every level in your application which, from my experience, seems to be the
root of most problems. People implement one layer of protection and either the malicious user finds a
way around it or they forget to do it *everywhere* so the one place they missed puts them on CNN.

In a perfect world, every function would verify both the data it's given and the data it returns and
XSS would become a non-issue.

Trey Keifer
Security Engineer - Level II
Fishnet Security

Office: 816.421.6611
Cell: 816.710.6830
Toll Free: 888.732.9406
Fax: 816.421.3371

http://www.fishnetsecurity.com

-----Original Message-----
From: Sekurity Wizard [mailto:s.wizard_at_boundariez.com]
Sent: Wednesday, December 10, 2003 7:34 AM
To: webappsec_at_securityfocus.com
Subject: How to handle "special characters"

Greetings,
  I had a developer pose an interesting question today, and I wasn't 100% sure what the answer was -
so I figured I'd turn to the community for advice.

  There are certain characters which pose threats at different levels of the application tier model.
Some at the client, some at the web server, and others in the database. Characters such as the &, |,
', ", and - can be associated with database hacks, for the most part. If a requirement is there to
absolutely keep these characters in, for example, interface with a back-end legacy database, whats the
best way to handle their existance? As a developer, what are the necessary and proper steps to take
to avoid SQL Injection, command execution or other attacks?

Just looking for some good best practices.
  s.Wizard

Received on Dec 12 2003
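The per-tier handling Trey describes, applied to the characters s.Wizard wants to keep (&, |, ', ", -), as an added example that is not part of either message: a least-acceptance allow-list at the input tier, a parameterized query at the database tier so those characters stay data rather than SQL syntax, and HTML encoding at the output tier. The table name and allow-list are assumptions for the illustration; it uses only the Python standard library.

```python
import html
import re
import sqlite3

# Input tier: least-acceptance. Only letters, digits, space and the five
# characters the question needs to retain are admitted (assumed allow-list).
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9 &|'\"\-]{1,64}$")


def is_acceptable(value: str) -> bool:
    """Return True only when every character is on the allow-list."""
    return ALLOWED_NAME.fullmatch(value) is not None


def validate_name(value: str) -> str:
    """Reject anything outside the allow-list instead of trying to clean it."""
    if not is_acceptable(value):
        raise ValueError("name contains characters outside the allow-list")
    return value


def open_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the legacy back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_name(conn: sqlite3.Connection, name: str) -> int:
    """Database tier: bound parameter, so quotes and dashes never reach the SQL parser as syntax."""
    cur = conn.execute("INSERT INTO customers(name) VALUES (?)", (name,))
    return cur.lastrowid


def fetch_name(conn: sqlite3.Connection, row_id: int) -> str:
    row = conn.execute("SELECT name FROM customers WHERE id = ?", (row_id,)).fetchone()
    return row[0]


def render_name(name: str) -> str:
    """Presentation tier: encode at the point of output, with quotes escaped for attribute contexts."""
    return html.escape(name, quote=True)


def round_trip(raw: str) -> tuple:
    """Validate, store, read back, and render; returns (stored value, HTML-safe value)."""
    conn = open_db()
    stored = fetch_name(conn, store_name(conn, validate_name(raw)))
    return stored, render_name(stored)
```

The stored value keeps every special character byte-for-byte; only the rendered copy differs, because encoding is applied once, at the tier whose parser would otherwise interpret it.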
