WebApp Sec: Re: ISA Server and SQL Injection

["Jan P. Monsch" <jan.monsch () csnc ch>]

Hi Christopher!

In the area of testing value domains and type checking I agree. But XSS 
has in my opinion nothing to do with this.
In case of SQL-Injection when dyamically assembled SQL-strings are used 
it is a mix of input and output validation. In case of string parameters 
the single quote must be encoded correctly ' -> '' and in case of 
numeral parameters they must be parsed to check if the input is really a 
numeral type.
In general I think that mechanisms like Java Prepared Statements must be 
used to submit SQL-queries. This allows SQL-injection-safe passing of 
parameters to the database. Statements where parameters and SQL are 
dynamically assembled in a SQL-string should be abolished altogether.
Regards Jan



christopher () baus net wrote:
> > 2. Output validation is much better then Input validation, because most
> > problems are related to incorrectly encoding input parameters into
> > output. In addition proper output encoding allows to use critical
> > characters like < > within the application. This is especially important
> > in back-office applications.
>
> I don't totally agree with that.  If the input injection allows the
> attacker to select a different parameter, it may already be too late for
> output validation.  Worse, there maybe nothing the output validator can do
> if the result is encoded validly.
>
> Christopher Baus
>
> ========
> Implementing an HTTP proxy?
> Consider a fast, secure alternative
> http://www.baus.net/

--
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG
Glärnischstrasse 7, CH-8640 Rapperswil, Switzerland

Tel +41 55 214 41 67
Fax +41 55 214 41 61
jan.monsch () csnc ch
http://www.csnc.ch

PGP: F055 837D 2D86 1C86 C5E0  065C 0D16 B8B3 9E58 71F3

Security Review - Penetration Testing - Computer Forensics
_____________________________________________________________