WebApp Sec mailing list archives
Re: SQL Injection
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 16 Jun 2004 10:12:57 -0500
On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:

> Output validation is intended to protect against attempts to inject attacks into the browser. The most important of these is cross-site scripting, which is covered by the Top Ten A4, and HTML entity encoding is suggested there.

Yes, but I believe including just XSS in the Top Ten sounds a bit limiting. There may be other issues that are possible through lack of output conversion that may get swept under the rug.

> I believe it is frequently possible to validate input in such a way that it is safe both for the database and for rendering in a browser.

Heh... I found exactly the opposite. While you can blindly encode it all into uuencode, htmlencode, or whatever, applications are typically not set up for that. Clean-up efforts of web sites would require too much of a rewrite to decode all that safely encoded input. Even worse when you share your database with another company. I found it to be easier to allow certain web-browser-hostile data in the database with the requirement to convert at output time.

> I'm really glad to see a discussion of what belongs in the Top 10. The T10 are not intended to be in order of importance, although validation is certainly a key issue. I can't see how output validation (assuming that input validation is done properly and XSS attacks are also handled) rates a separate slot in the Top 10. What would you remove?

If we can't convert it into a Top Dirty Dozen, then I would remove the XSS section since that is an effect of the lack of output validation. Perhaps you guys can get a show of hands at the OWASP conference on that :)

Cheers,
Frank
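The approach Frank describes above (keep the browser-hostile data in the database as received, keep the database safe by other means, and convert for the browser at output time) as an added example; this is not code from the thread or from OWASP. It uses only the Python standard library; the `comments` table, the sample inputs and the helper names are constructed for the demonstration. Parameterised statements keep the data out of the SQL grammar, and HTML entity encoding is applied at the point of rendering, so the stored value stays usable by any other consumer of the database.

```python
"""Added example (not from the mailing-list thread): store input unchanged,
use parameterised SQL so quotes and markup never become SQL syntax, and
HTML-encode at output time for the context the data lands in."""
import html
import sqlite3

# Constructed sample inputs: an ordinary comment, a legitimate name containing
# an apostrophe, and a body carrying markup that must not reach the browser raw.
SAMPLE_COMMENTS = [
    ("alice", "Looks good to me"),
    ("o'brien", "Irish names have apostrophes"),
    ("mallory", "<script>alert(1)</script> & <b>bold</b>"),
]


def open_db():
    # In-memory database with a constructed schema for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return conn


def store_comment(conn, author, body):
    # Parameterised statement: the driver passes the values separately from
    # the SQL text, so the data is stored exactly as received, apostrophes,
    # angle brackets and all, without any SQL-level encoding.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def naive_insert_breaks(conn, author, body):
    # Shown only to illustrate why "validate it away" is the harder path:
    # string-built SQL fails on perfectly legitimate data such as o'brien.
    sql = f"INSERT INTO comments (author, body) VALUES ('{author}', '{body}')"
    try:
        conn.execute(sql)
        conn.rollback()
        return False
    except sqlite3.OperationalError:
        return True


def fetch_comments(conn):
    # Raw rows, suitable for any consumer (another company's system, a CSV
    # export, an API) that will apply its own output conversion.
    return conn.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()


def render_html(rows):
    # Output conversion for the HTML body context, applied where the data is
    # rendered rather than where it was accepted. html.escape() encodes
    # <, >, &, " and ' as entities.
    parts = []
    for author, body in rows:
        parts.append(f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>")
    return "<ul>" + "".join(parts) + "</ul>"


def demo():
    conn = open_db()
    for author, body in SAMPLE_COMMENTS:
        store_comment(conn, author, body)
    rows = fetch_comments(conn)
    return rows, render_html(rows)


if __name__ == "__main__":
    rows, page = demo()
    print("stored rows:", rows)
    print("rendered page:", page)
```

The same stored row would need a different conversion for a JavaScript string, a URL parameter or an HTTP header, which is the reason the conversion belongs at the output boundary that knows its context and not at input time.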