WebApp Sec mailing list archives

RE: SQL Injection


From: "Mutallip Ablimit" <mutax () insi co jp>
Date: Tue, 29 Jun 2004 14:35:51 +0900

Hi folks,

As we know, "input validation" is effective to protect against all of the
attacks which are caused by malicious user input, like XSS, SQL injections,
etc. But it couldn't be an absolute solution for those attacks.

Output validation, as Jeff Williams wrote, protects against attacks pointed
to the client (browser), like XSS. But I think it is not just limited to
XSS-like attacks. It also realizes some protection for other attacks too,
like Web cache poisoning by HTTP response splitting.

Please refer to:

"HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics"
White Paper
by Amit Klein, Director of Security and Research, Sanctum, Inc.

Regards,

Mutallip Ablimit
---
mutax () insi co jp

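As an added example (not code from this post or from the Klein paper; the function names are hypothetical), here is what the two output-side checks discussed above look like in Python: HTML entity encoding of untrusted text before it reaches the browser, and a refusal to emit a response header value containing CR/LF, which is the primitive HTTP response splitting and the resulting cache poisoning depend on.

```python
"""Output-side validation for the two attack classes named in the thread.

Added example, not from the mailing-list post. Both checks run where
untrusted data leaves the application (response body or response header),
which is the point the thread calls "output validation".
"""
import re

# Characters that must never be emitted raw inside an HTML text node or
# attribute value. Mapping them to entities stops injected markup from
# being parsed as HTML (the "HTML entity encoding" the OWASP Top Ten suggests).
_HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def html_encode(text: str) -> str:
    """Entity-encode untrusted text before writing it into an HTML page."""
    return "".join(_HTML_ENTITIES.get(ch, ch) for ch in text)


# A header value containing CR or LF lets the sender terminate the header
# block and start a second response (HTTP response splitting); a shared
# cache may then store that second response for other users (cache poisoning).
# The check must run on the decoded value actually written to the wire,
# after any URL decoding of the request parameter it came from.
_HEADER_FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be placed in a response header without splitting it."""
    return _HEADER_FORBIDDEN.search(value) is None


def build_location_header(target: str) -> str:
    """Build a Location header from a target that may derive from user input.

    Rejects rather than sanitises: silently stripping CR/LF yields a value
    the developer never expected, so the caller has to handle the error.
    """
    if not is_safe_header_value(target):
        raise ValueError("refusing to emit header value containing CR/LF or NUL")
    return f"Location: {target}"


if __name__ == "__main__":
    # Constructed sample inputs, one exercising each check.
    print(html_encode('<script>alert("x")</script>'))
    print(build_location_header("/home?lang=en"))
    try:
        build_location_header("/home\r\nX-Constructed: 1")
    except ValueError as exc:
        print("blocked:", exc)
```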


-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Tuesday, June 29, 2004 10:34 AM
To: Jeff Williams; webappsec () securityfocus com
Subject: Re: SQL Injection


On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
Output validation is intended to protect against attempts to inject attacks
into the browser. The most important of these is cross-site scripting, which
is covered by the Top Ten A4, and HTML entity encoding is suggested there.

I understand the notion of "output validation" doesn't sound very sexy.
I also understand that it is considered included in the XSS section of
the OWASP guide. But I believe that a lot of folks underestimate or
overlook/neglect the area of validating output for safety and fitness of
data for displaying in a browser.

So I'd like to ask: What can be done to put more educational emphasis
and/or awareness on validating output? What are the thoughts of others
in this forum?

Cheers,
Frank
