WebApp Sec mailing list archives

Re: SQL Injection

From: The Crocodile <tcroc () pasture com>
Date: Fri, 04 Jun 2004 08:24:32 -0400

I think I'm confused about your use of the term "whitelist" in the
scenario below. White lists IMHO aren't going to be vulnerability
specific at all. They are going to be specific to the particular input
parameter in question. I don't see how you would have differing
"whitelists" for XSS and for SQL Injection.

A white list is specifically what is going to be allowed for a
particular parameter. For example a phone number in the US might allow
1234567890()- and that's it. White listing the particular input field to
allow only those characters (and escape them if neccesary) should stop
both XSS and SQL injection attack characters. Encoding the output
presented to the user is an additional step that can be done to double
check for display type attacks (again XSS).

Maybe I misunderstood your post, but I just wanted to make sure these
subtle differences were clear to the list.

Cheers,

--The Crocodile

And yes I know "whitelisting" won't catch input data that is valid that
additional business logic should be catching. IE. Access control
violations. That is a different thread all together.

On Thu, 2004-06-03 at 20:35, Steven M. Christey wrote:

The best way would be creating a white list, allowing only defined
characters and rejecting everything else. Saves you headaches in the
long run. Use Regexs for this.


While white lists are far better than black lists, the correct "white
list" will vary depending on which type of vulnerability you are
protecting against.  For example, restricting inputs to alphanumeric,
spaces, and hyphens will still open you up to certain argument
injection vulnerabilities.  So, you may need to apply different white
lists to the data, depending on where (and how) the data is being
used, and which types of vulnerabilities may be present at that point.
You may want to use a "SQL injection" white list on data input, with
an "XSS white list" on data output (though "XSS white list" is almost
an oxymoron these days, with all the custom browser behaviors).

It would be interesting to know if anybody's tried to implement
"context-sensitive taint checks" that know which filters have been
applied to data elements, and when.

- Steve

Current thread:

Re: SQL Injection, (continued)
- Re: SQL Injection windo (Jun 01)
- RE: SQL Injection V. Poddubniy (Jun 01)
- Re: SQL Injection Serg B. (Jun 01)
  - Re: SQL Injection RSnake (Jun 01)
- Re: SQL Injection Paul (Jun 01)
- RE: SQL Injection Scovetta, Michael V (Jun 01)
  - Re: SQL Injection David Cameron (Jun 02)
- RE: SQL Injection Imperva Application Defense Center (Jun 02)
- RE: SQL Injection stevenr (Jun 02)
- Re: SQL Injection Steven M. Christey (Jun 03)
  - Re: SQL Injection The Crocodile (Jun 04)
- RE: SQL Injection stevenr (Jun 06)
  - RE: SQL Injection The Crocodile (Jun 06)
    - Re: SQL Injection Jeff Williams (Jun 08)
    - Re: SQL Injection saphyr (Jun 09)
  - Request for comments - French readers saphyr (Jun 08)
- Re: SQL Injection Steven M. Christey (Jun 08)
- RE: SQL Injection Michael Howard (Jun 09)
  - RE: SQL Injection or XML gcb33 (Jun 09)
- RE: SQL Injection Michael Howard (Jun 09)
- RE: SQL Injection Michael Silk (Jun 09)

(Thread continues...)