WebApp Sec mailing list archives

Re: SQL Injection Basics


From: Alex Russell <alex () netWindows org>
Date: Mon, 10 Feb 2003 15:50:16 -0600


On Tuesday 11 February 2003 01:48 pm, Sverre H. Huseby wrote:

> The OWASP (www.owasp.org) Filters project introduces the term
> "boundary filtering" [1]: You do input validation when data passes the
> boundary/border between the client and your application.

Thanks for the kind words Sverre = )

> And you do
> subsystem filtering when the data passes from your application to one
> of many possible subsystems, including the end users' browsers (to
> prevent Cross-site Scripting).  The "boundary filtering" approach is
> the most ingenious method proposed so far, IMNSHO.

Well, it's nothing new. I recently gave a talk on the Filters project and 
began the talk by saying that "there is nothing academically interesting 
about the OWASP filters project". We are simply attempting to provide a 
single point of contact/reference for what people _should_ be doing anyway 
(but quite obviously aren't). Defense in depth is nothing new, but it's 
kind of entertaining watching people rediscover it over and over again.

> 1: Until someone tells me otherwise, I give Alex Russell the credit
>    for that cool term, because I first saw it in one of his documents.

I'm pretty sure the concepts of defense in depth will be traceable as far 
back as someone has had something someone else wanted, and someone was able 
to write it down. = )

-- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
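The two layers discussed in this thread, boundary filtering at the client/application border and subsystem filtering for each place the data is handed on (the SQL database and the end user's browser), as an added example that is not part of the original post or of the OWASP Filters project; the allowlist policy for usernames and the sample user record are assumptions made for the example.

```python
"""Boundary filtering plus subsystem filtering, as described in the thread.

Layer 1 (boundary): validate each field where it enters the application.
Layer 2 (subsystem): bind/encode data for each subsystem it is handed to,
here the SQL database (bound parameters) and the browser (HTML escaping).
"""
import html
import re
import sqlite3

# Boundary filter: allowlist for the username field (assumed policy: 3-32
# characters of letters, digits, underscore). Anything else never enters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def boundary_filter(username: str, display_name: str) -> dict:
    """Reject input at the client/application boundary."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected at boundary")
    # Display names legitimately contain apostrophes ("O'Brien"), so the
    # boundary filter only bounds length; subsystem filters handle the rest.
    if not 1 <= len(display_name) <= 64:
        raise ValueError("display name rejected at boundary")
    return {"username": username, "display_name": display_name}


def open_db() -> sqlite3.Connection:
    """In-memory database with one table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    return conn


def store_user(conn: sqlite3.Connection, user: dict) -> None:
    """Subsystem filter for SQL: bound parameters, never string concatenation."""
    conn.execute(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        (user["username"], user["display_name"]),
    )


def fetch_display_name(conn: sqlite3.Connection, username: str) -> str:
    """Same subsystem filter on the read path."""
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else ""


def render_greeting(display_name: str) -> str:
    """Subsystem filter for the browser: escape before it becomes HTML."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"
```

A display name containing a quote and markup is stored exactly as given by the bound parameter and neutralised only when it reaches the browser subsystem, while a username outside the allowlist never gets past the boundary at all.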

