Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: SQL Injection
From: "Mutallip Ablimit" <mutax () insi co jp>
Date: Tue, 29 Jun 2004 14:35:51 +0900

Hi folks,

As we know "input validation" is effective to protect against all of the
attacks which caused by the malicious user input. Like xss, sql injections
etc.
But it couldn't be an absolute solution for those attacks.

Output validation,  as Jeff Williams wrote, protect against attacks pointed
to the
client(browser), like XSS. But I think it is not just limited to xss like
attacks.
It also realize some protections for other attacks too. Like Web cash
poisoning
by HTTP response splitting.

please refer to :

"HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics"
White Paper
by Amit Klein, Director of Security and Research, Sanctum, Inc.

Regards,

Mutallip Ablimit
---
mutax () insi co jp



-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Tuesday, June 29, 2004 10:34 AM
To: Jeff Williams; webappsec () securityfocus com
Subject: Re: SQL Injection


On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
Output validation is intended to protect against attempts to inject
attacks
into the browser. The most important of these is cross-site scripting,
which
is covered by the Top Ten A4, and HTML entity encoding is suggested there.

I understand the notion of "output validation" doesn't sound very sexy.
I also understand that it is considered included in the XSS section of
the OWASP guide. But I believe that a lot of folks underestimate or
overlook/neglect the area of validating output for safety and fitness of
date for displaying in a browser.

So I'd like to ask: What can be done to put more educational emphasis
and/or awareness to validation output? What are the thoughts of others
in this forum?

Cheers,
Frank


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]