Home page logo

webappsec logo WebApp Sec mailing list archives

Re: SQL Injection
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 14 Jun 2004 08:36:38 +0200

Stephen de Vries wrote:

On 9 Jun 2004, at 18:39, Steven M. Christey wrote:
< snip >

So, I guess my point is that whitelists can't be used in isolation.
Quoting and encoding must still play a role when passing inputs
between data boundaries.  Sorry if this is old hat to everyone else.

That's a good point - Input validation should really be performed in every processing context, because it is only in that context that you know what is valid and what is invalid data.

Exactly. I think that Alex Russell first started talking about "boundary validation" [1] (although I think that Sverre Huseby was talking about the concept previously), which refers to making sure that content inappropriate for the "service" on the other side of the boundary is appropriately filtered. This could be done on either side of the boundary, of course, but is not restricted to "input filtering".

For example, boundary filtering should be done from application to database, and from application to client. Doing it properly in these two places would eliminate SQL injection and XSS.

It should also be done between application and LDAP directory, between application and XML messaging service, between application and text log file, etc.

Simply saying "input validation" fails to recognise that you can have very different rules and requirements for each of the above.

You also end up with data in different formats, or in different representations, which could lead to corruption if you are doing quoting in different places.


[1]. http://seclists.org/lists/webappsec/2003/Jan-Mar/0136.html
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]