WebApp Sec mailing list archives
RE: SQL Injection
From: "Mutallip Ablimit" <mutax () insi co jp>
Date: Tue, 29 Jun 2004 14:35:51 +0900
Hi folks,

As we know, "input validation" is effective to protect against all of the attacks which are caused by malicious user input, like XSS, SQL injection, etc. But it couldn't be an absolute solution for those attacks.

Output validation, as Jeff Williams wrote, protects against attacks pointed to the client (browser), like XSS. But I think it is not just limited to XSS-like attacks. It also realizes some protection for other attacks too, like Web cache poisoning by HTTP response splitting. Please refer to: "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics", White Paper by Amit Klein, Director of Security and Research, Sanctum, Inc.

Regards,
Mutallip Ablimit
---
mutax () insi co jp

-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Tuesday, June 29, 2004 10:34 AM
To: Jeff Williams; webappsec () securityfocus com
Subject: Re: SQL Injection

On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
Output validation is intended to protect against attempts to inject attacks into the browser. The most important of these is cross-site scripting, which is covered by the Top Ten A4, and HTML entity encoding is suggested there.
I understand the notion of "output validation" doesn't sound very sexy. I also understand that it is considered included in the XSS section of the OWASP guide. But I believe that a lot of folks underestimate or overlook/neglect the area of validating output for safety and fitness of data for displaying in a browser.

So I'd like to ask: What can be done to put more educational emphasis and/or awareness on validating output? What are the thoughts of others in this forum?

Cheers,
Frank
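Output validation applied at both points the thread mentions, as an added example that is not part of this message, the OWASP guide or Amit Klein's paper: HTML entity encoding before a value reaches the browser body, and CR/LF rejection before a value reaches a response header. The function names and the redirect scenario are constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Characters that would end a header line and let a parameter start a new
# header (or a second response) once the value is written into the response.
_CTL = re.compile(r"[\r\n\x00]")


def safe_header_value(value: str) -> str:
    """Output validation for an HTTP header value: refuse CR, LF and NUL.
    Rejecting instead of stripping keeps the caller aware of bad input."""
    if _CTL.search(value):
        raise ValueError("control characters not allowed in header value")
    return value


def safe_redirect_target(value: str) -> str:
    """Only same-site absolute paths are accepted as a Location target."""
    parts = urlsplit(safe_header_value(value))
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError("redirect target must be a local absolute path")
    return value


def html_encode(value: str) -> str:
    """Output encoding for the HTML body: entity-encode the characters
    that can switch HTML context (&, <, >, double and single quote)."""
    return html.escape(value, quote=True)


def build_response(lang: str, next_path: str) -> str:
    """Constructed: a minimal 302 response that echoes two user-controlled
    values, one into a header and one into the body, each through the
    validator that matches its output context."""
    headers = [
        "HTTP/1.1 302 Found",
        f"Location: {safe_redirect_target(next_path)}",
        "Content-Type: text/html; charset=utf-8",
    ]
    body = f"<p>Redirecting, language={html_encode(lang)}</p>"
    return "\r\n".join(headers) + "\r\n\r\n" + body
```

The same untrusted string needs a different treatment per destination: entity encoding is right for the body but does nothing for a header, where the only safe policy is to refuse line terminators.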