WebApp Sec mailing list archives

Re: SQL Injection


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 10:12:57 -0500

On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
> Output validation is intended to protect against attempts to inject attacks
> into the browser. The most important of these is cross-site scripting, which
> is covered by the Top Ten A4, and HTML entity encoding is suggested there.

Yes, but I believe including just XSS in the Top Ten sounds a bit
limiting. There may be other issues that are possible through lack of
output conversion that may get swept under the rug.

> I believe it is frequently possible to validate input in such a way that it
> is safe both for the database and for rendering in a browser.

Heh... I found exactly the opposite. While you can blindly encode it all
into uuencode, htmlencode, or whatever, applications are typically not
set up for that. Clean-up efforts of web sites would require too much of
a rewrite to decode all that safely encoded input. Even worse when you
share your database with another company. I found it to be easier to
allow certain web-browser-hostile data in the database with the
requirement to convert at output time.

> I'm really glad to see a discussion of what belongs in the Top 10. The T10
> are not intended to be in order of importance, although validation is
> certainly a key issue. I can't see how output validation (assuming that
> input validation is done properly and XSS attacks are also handled) rates a
> separate slot in the Top 10. What would you remove?

If we can't convert it into a Top Dirty Dozen, then I would remove the
XSS section since that is an effect of the lack of output validation. 

Perhaps you guys can get a show of hands at the OWASP conference on that
:)

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part
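The approach Frank describes above (keep the browser-hostile data in the database as the user typed it, and do the HTML entity conversion at output time) as an added example. This is not code from the thread or from either participant; it assumes only Python's standard sqlite3 and html modules, and the sample inputs are constructed for the demonstration. The database side is protected by bound query parameters, so nothing needs to be encoded before storage and another consumer of the same table still gets the original text.

```python
import html
import sqlite3

# Constructed sample inputs (not from the original thread). The second and
# third are hostile to a browser but perfectly harmless to the database.
SAMPLE_INPUTS = [
    "O'Reilly & Sons",
    "<script>alert(document.cookie)</script>",
    'x" onmouseover="alert(1)',
]


def init_db() -> sqlite3.Connection:
    """Create an in-memory table that stores comments exactly as submitted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_comment(conn: sqlite3.Connection, body: str) -> int:
    """Store the raw string.

    The value is passed as a bound parameter, so quotes and SQL keywords in it
    never reach the SQL parser. No encoding happens here: the row holds the
    text the user typed, which is what a second consumer of the table expects.
    """
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return cur.lastrowid


def load_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    """Read a comment back unchanged (round trip of the raw value)."""
    row = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return row[0]


def store_and_load(body: str) -> str:
    """Helper showing the database round trip leaves the data intact."""
    conn = init_db()
    return load_comment(conn, store_comment(conn, body))


def render_html_unsafe(body: str) -> str:
    """The 'before' picture: raw concatenation into the page. This is the XSS."""
    return "<li>" + body + "</li>"


def render_html(body: str) -> str:
    """Convert at output time: HTML-entity-encode for the HTML text context.

    quote=True also encodes " and ', so the same helper is safe when the
    value lands inside a double- or single-quoted attribute value.
    """
    return "<li>" + html.escape(body, quote=True) + "</li>"


def render_all() -> list:
    """Store every sample input raw, then render each one safely."""
    conn = init_db()
    ids = [store_comment(conn, s) for s in SAMPLE_INPUTS]
    return [render_html(load_comment(conn, i)) for i in ids]


if __name__ == "__main__":
    for raw, safe in zip(SAMPLE_INPUTS, render_all()):
        print("stored :", store_and_load(raw))
        print("unsafe :", render_html_unsafe(raw))
        print("escaped:", safe)
        print()
```

The point of the example is the split of responsibilities: the parameterized query makes the database indifferent to the content, and the encoder applied at render time makes the browser indifferent to it. Encoding once at input, by contrast, would have to be undone by every other reader of the table, which is the rewrite cost Frank mentions.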
