Home page logo

webappsec logo WebApp Sec mailing list archives

RE: SQL Injection
From: "Michael Silk" <michaels () phg com au>
Date: Wed, 9 Jun 2004 14:41:27 +1000


        There are many many more possibilities for XSS then simply the 
        <script> tag, of course it depends on where the resulting string
        ends up, but simply replacing the <script> tag is *not* enough.

        SQL Injection, of course, can not be be mitigated by way of 
        replacing "<script>" tags either, you aren't really suggesting
        this are you ?

-- Michael

-----Original Message-----
From: Steven M. Christey [mailto:coley () mitre org]
Sent: Wednesday, 9 June 2004 7:52 AM
To: webappsec () securityfocus com
Subject: Re: SQL Injection

BTW, any opinions on if I just encode all input without checking for any
characters? Say converting all <script> to &lt;script&gt; Can anyone
still do XSS or SQL Injection in that case?

Not that I can think of, but there might be implications if there's a
back end.

However...  If the routine is being coded in C or another language
that's prone to buffer overflows, then you need to make sure to
account for all the potential quoting when allocating the memory to
hold the resulting string.  "Transformation-based" buffer overflows
(my hastily coined term) are starting to become more common.  If the
transformation converts a double-quote character to a "&quote;", then
an attacker could expand the original string by a factor of 6, which
could have implications for the application itself *or* the back end.

- Steve

This email message and accompanying data may contain information that is confidential and/or subject to legal 
privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying 
of this message or data is prohibited. If you have received this email message in error, please notify us immediately 
and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any information contained herein for contractual or 
legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by 
authorised persons.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]