Re: SQL Injection
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 10:12:57 -0500
On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
> Output validation is intended to protect against attempts to inject attacks
> into the browser. The most important of these is cross-site scripting, which
> is covered by the Top Ten A4, and HTML entity encoding is suggested there.
Yes, but I believe including just XSS in the Top Ten sounds a bit
limiting. There may be other issues that are possible through lack of
output conversion that may get swept under the rug.
> I believe it is frequently possible to validate input in such a way that it
> is safe both for the database and for rendering in a browser.
Heh... I found exactly the opposite. While you can blindly encode it all
into uuencode, htmlencode, or whatever, applications are typically not
set up for that. Clean-up efforts of web sites would require too much of
a rewrite to decode all that safely encoded input. Even worse when you
share your database with another company. I found it to be easier to
allow certain web-browser-hostile data in the database with the
requirement to convert at output time.
> I'm really glad to see a discussion of what belongs in the Top 10. The T10
> are not intended to be in order of importance, although validation is
> certainly a key issue. I can't see how output validation (assuming that
> input validation is done properly and XSS attacks are also handled) rates a
> separate slot in the Top 10. What would you remove?
If we can't convert it into a Top Dirty Dozen, then I would remove the
XSS section since that is an effect of the lack of output validation.
Perhaps you guys can get a show of hands at the OWASP conference on that.
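The approach Frank describes (store the raw value, keep the database safe with parameterized queries, and convert for the browser only at output time) is easy to demonstrate. The following is an added example, not code from either poster or from OWASP; it uses only Python's standard library (sqlite3 and html), an in-memory database, a constructed display name, and a hypothetical second consumer (a CSV export, standing in for the "other company" sharing the database) to show why encoding at input time gets in the way of non-HTML sinks.

```python
"""Encode-on-output vs encode-on-input, with a parameterized database layer.

Added illustration for the thread above; all names and sample data are constructed.
"""
import html
import sqlite3

# Constructed sample: a legitimate apostrophe plus browser-hostile markup.
SAMPLE_NAME = "O'Brien <b>& Sons</b>"


def setup_db():
    """Fresh in-memory SQLite database with one table of display names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)")
    return conn


def insert_user(conn, name):
    """Parameterized insert: the apostrophe is data, never SQL syntax."""
    cur = conn.execute("INSERT INTO users (display_name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def naive_insert_breaks(conn, name):
    """String-built SQL (the pattern parameterization replaces).

    Returns True if SQLite rejects the statement, which it does for any
    value containing an apostrophe; this is the defect that makes people
    reach for 'validate input so it is safe for the database'.
    """
    try:
        conn.execute("INSERT INTO users (display_name) VALUES ('" + name + "')")
        return False
    except sqlite3.Error:
        return True


def get_name(conn, uid):
    row = conn.execute("SELECT display_name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0]


def to_html(value):
    """Browser sink: HTML-entity encode at output time (quote=True also escapes ' and \")."""
    return html.escape(value, quote=True)


def to_csv_field(value):
    """Non-browser sink (hypothetical export to a partner): CSV quoting only."""
    return '"' + value.replace('"', '""') + '"'


def demo(name=SAMPLE_NAME):
    """Compare the two strategies on the same input and return what each sink sees."""
    # Strategy A (Frank's): store raw, convert per sink at output time.
    conn_a = setup_db()
    uid_a = insert_user(conn_a, name)
    raw = get_name(conn_a, uid_a)

    # Strategy B: HTML-encode at input time, then store the encoded value.
    conn_b = setup_db()
    uid_b = insert_user(conn_b, html.escape(name, quote=True))
    pre_encoded = get_name(conn_b, uid_b)

    return {
        "stored_raw": raw,                           # identical to the input
        "html_view": to_html(raw),                   # safe for the browser
        "csv_encode_on_output": to_csv_field(raw),   # partner sees the real name
        "stored_pre_encoded": pre_encoded,           # entities now live in the DB
        "csv_encode_on_input": to_csv_field(pre_encoded),  # partner sees &#x27; &lt; ...
        "naive_sql_rejects_apostrophe": naive_insert_breaks(setup_db(), name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:30} {value}")
```

The `stored_raw` and `csv_encode_on_output` entries show the data reaching the non-browser consumer untouched, while `html_view` shows the same value made safe for the page; `csv_encode_on_input` shows the entity-polluted value a second consumer would have to know to decode, which is the rewrite cost the reply is pointing at. Parameterization handles the database side independently of either choice.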