RE: SQL Injection
From: "Mutallip Ablimit" <mutax () insi co jp>
Date: Tue, 29 Jun 2004 14:35:51 +0900
As we know, "input validation" is effective to protect against all of the
attacks which are caused by malicious user input, like XSS and SQL injections.
But it couldn't be an absolute solution for those attacks.
Output validation, as Jeff Williams wrote, protects against attacks pointed at the
client (browser), like XSS. But I think it is not just limited to XSS like
It also realizes some protection against other attacks too, like Web cache
by HTTP response splitting.
Please refer to:
"HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics"
by Amit Klein, Director of Security and Research, Sanctum, Inc.
mutax () insi co jp
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Tuesday, June 29, 2004 10:34 AM
To: Jeff Williams; webappsec () securityfocus com
Subject: Re: SQL Injection
On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
Output validation is intended to protect against attempts to inject
into the browser. The most important of these is cross-site scripting, which
is covered by the Top Ten A4, and HTML entity encoding is suggested there.
I understand the notion of "output validation" doesn't sound very sexy.
I also understand that it is considered included in the XSS section of
the OWASP guide. But I believe that a lot of folks underestimate or
overlook/neglect the area of validating output for safety and fitness of
data for displaying in a browser.
So I'd like to ask: What can be done to put more educational emphasis
and/or awareness to validation output? What are the thoughts of others
in this forum?
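
The two output-side controls discussed in this thread, HTML entity encoding for data written into a page and validation of data written into response headers (the HTTP response splitting case), shown as an added example that is not part of the original messages. The function names and the sample inputs are assumptions made for illustration.

```python
import html
import re

# CR, LF, NUL and the other C0 control characters, plus DEL. Rejecting all of
# them (tab included) is a conservative choice made for this example.
_HEADER_UNSAFE = re.compile(r"[\x00-\x1f\x7f]")

def encode_for_html(value):
    """HTML entity encoding for text placed in element content or a quoted attribute."""
    return html.escape(str(value), quote=True)

def validate_header_value(value):
    """Refuse a header value that could end the header line early."""
    value = str(value)
    if _HEADER_UNSAFE.search(value):
        raise ValueError("control character in header value")
    return value

def build_response(status, headers, body_template, **fields):
    """Assemble a response, applying the control that matches each output sink."""
    lines = ["HTTP/1.1 " + status]
    for name, value in headers:
        lines.append(name + ": " + validate_header_value(value))
    # Every field is entity-encoded before it is substituted into the markup.
    body = body_template.format(**{k: encode_for_html(v) for k, v in fields.items()})
    lines.append("Content-Length: " + str(len(body.encode("utf-8"))))
    return "\r\n".join(lines) + "\r\n\r\n" + body

# Constructed sample inputs, standing in for untrusted request parameters.
SAMPLE_NAME = "<script>alert(1)</script>"
SAMPLE_LANG = "en\r\nSet-Cookie: x=1"

def demo():
    """Return the encoded page and whether the header injection was refused."""
    page = build_response("200 OK",
                          [("Content-Type", "text/html; charset=utf-8")],
                          "<p>Hello, {name}</p>", name=SAMPLE_NAME)
    try:
        build_response("302 Found", [("Location", "/home?lang=" + SAMPLE_LANG)], "")
        rejected = False
    except ValueError:
        rejected = True
    return page, rejected

if __name__ == "__main__":
    page, rejected = demo()
    print(page)
    print("header injection rejected:", rejected)
```

The encoder covers HTML element content and quoted attribute values only; data written into script blocks, URLs or CSS needs the encoding for that context.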