Home page logo

webappsec logo WebApp Sec mailing list archives

Re: SQL Injection
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 10:12:57 -0500

On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
Output validation is intended to protect against attempts to inject attacks
into the browser. The most important of these is cross-site scripting, which
is covered by the Top Ten A4, and HTML entity encoding is suggested there.

Yes, but I believe including just XSS in the Top Ten sound a bit
limiting. There maybe other issues that are possible through lack of
output conversion that may get swept under the rug.

I believe it is frequently possible to validate input in such a way that it
is safe both for the database and for rendering in a browser. 

Heh... I found exactly the opposite. While you can blindly encode it all
into uuencode, htmlencode, or whatever, applications are typically not
setup for that. Clean-up efforts of web sites would require too much of
a rewrite to decode all that safely encoded input. Even worse when you
share your database with another company. I found it to be easier to
allow certain web-browser-hostile data in the database with the
requirement to convert at output time. 

I'm really glad to see a discussion of what belongs in the Top 10.  The T10
are not intended to be in order of importance,  although validation is
certainly a key issue.  I can't see how output validation (assuming that
input validation is done properly and XSS attacks are also handled) rates a
separate slot in the Top 10. What would you remove?

If we can't convert it into a Top Dirty Dozen, then I would remove the
XSS section since that is an effect of the lack of output validation. 

Perhaps you guys can get a show of hands at the OWASP conference on that


Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]