RE: How to handle "special characters"

["Ghita Serban" <sasa () stonet ro>]

As everyone said, you must never trust the user input, whether we are
talking about a public area/site or a private area (e.x administration).
'Special characters' can do a lot of harm, depends on the environment,
application. Attacks may variate from simple yet dangerous cross site
scripting attacks to serious sql injections. The results can be: session
hijack, user info and data exposure, content and database
manipulations,etc.

Most of the common web developers think that their code is secure because
no one can see the source. That is false, because any user with some web
programming experience can anticipate the code, or can manipulate inputs
like GET or POST. Here we have the common examples: hidden field
manipulation, GET vars manipulation, even header injections.

Depending on the web scripting language, you can use multiple functions to
sanitize your script.

Offtopic(maybe):i would like to discuss about specific security problems
in php/sql development, so please tell me if i am offtopic or i should not
discuss such problems here.

Best regards,

Serban Gh. Ghita
administrator
Fastweb Romania
www.fastweb.ro
+40-251-406.389


> If you *have* to deal with special characters you will want to encapsulate
> everything at each level
> depending on what you need to deal with and then peel off that
> encapsulation at each sub-level within
> your application while keeping the idea of least-acceptance in mind. This
> has the added benefit of
> ensuring input checking at every level in your application which, from my
> experience, seems to be the
> root of most problems. People implement one layer of protection and either
> the malicious user finds a
> way around it or they forget to do it *everywhere* so the one place they
> missed puts them on CNN.
>
> In a perfect world, every function would verify both the data its given
> and the data it returns and
> XSS would become a non-issue.
>
> Trey Keifer
> Security Engineer - Level II
> Fishnet Security
>
> Office: 816.421.6611
> Cell: 816.710.6830
> Toll Free: 888.732.9406
> Fax: 816.421.3371
>
> http://www.fishnetsecurity.com
>
>
> -----Original Message-----
> From: Sekurity Wizard [mailto:s.wizard () boundariez com]
> Sent: Wednesday, December 10, 2003 7:34 AM
> To: webappsec () securityfocus com
> Subject: How to handle "special characters"
>
>
> Greetings,
>   I had a developer pose an interesting question today, and I wasn't 100%
> sure what the answer was -
> so I figured I'd turn to the community for advice.
>
>   There are certain characters which pose threats at different levels of
> the application tier model.
> Some at the client, some at the web server, and others in the database.
> Characters such as the &, |,
> ', ", and - can be associated with database hacks, for the most part.  If
> a requirement is there to
> absolutely keep these characters in, for example, interface with a
> back-end legacy database, whats the
> best way to handle their existance?  As a developer, what are the
> necessary and proper steps to take
> to avoid SQL Injection, command execution or other attacks?
>
> Just looking for some good best-practices..
>   s.Wizard
>
> The information transmitted in this e-mail is intended only for the
> addressee and may contain confidential and/or privileged material.
> Any interception, review, retransmission, dissemination, or other use of,
> or taking of any action upon this information by persons or entities
> other than the intended recipient is prohibited by law and may subject
> them to criminal or civil liability. If you received this communication
> in error, please contact us immediately at 816.421.6611, and delete the
> communication from any computer or network system.