Home page logo

webappsec logo WebApp Sec mailing list archives

Re: SQL Injection
From: gcb33 () dial pipex com
Date: Tue, 29 Jun 2004 12:38:45 +0100


Little area, from my experience is that you can use it to cross validate  users
input to the system and the reponse back is correct. (will not validate the
request is true, but that response is correct) example follows.

Simple example,
Banking Application 
input validation <--> output validation cross check request

User input's his account number (for account history for example) The output
validation would make sure that the data displayed back to the user is of what
was expected of the input requested by the user. 

I've seen on extreme cases under heavy load components failing on big internet
banking platforms, and superreuse data is thrown back, it would be the last trap
all case, Of course this would be part of the total validation components of a
system Front-Middle-Back etc.....;) 

Area which i'm investigating of interest were it might be of more use would be
of more use is in multilingual sites that have the back-end in ASCII message
format mainframe or middleware platforms, 

say the users input is in Chinese but the back in ASCII, you can see the options
for abuse in the system all those conversions and translations sometimes they do
and can sneek through.

with the output validator you can start trapping bad junk from the systems at
hand if needed , not ideal but sometimes needed, 

my thoughts 


Quoting Frank Knobbe <frank () knobbe us>:

On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
Output validation is intended to protect against attempts to inject
into the browser. The most important of these is cross-site scripting,
is covered by the Top Ten A4, and HTML entity encoding is suggested there.

I understand the notion of "output validation" doesn't sound very sexy.
I also understand that it is considered included in the XSS section of
the OWASP guide. But I believe that a lot of folks underestimate or
overlook/neglect the area of validating output for safety and fitness of
date for displaying in a browser.

So I'd like to ask: What can be done to put more educational emphasis
and/or awareness to validation output? What are the thoughts of others
in this forum?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]