WebApp Sec mailing list archives

Re: SQL Injection


From: gcb33 () dial pipex com
Date: Tue, 29 Jun 2004 12:38:45 +0100

F.

One little area, from my experience, is that you can use it to cross-validate the user's input to the system and check that the response back is correct. (It will not validate that the request is true, but that the response is correct.) Example follows.

Simple example,
Banking Application 
input validation <--> output validation cross check request

The user inputs his account number (for account history, for example). The output validation would make sure that the data displayed back to the user is what was expected for the input requested by the user.

I've seen, in extreme cases under heavy load, components failing on big internet banking platforms and superreuse data being thrown back; this would be the last-trap-all case. Of course this would be part of the total validation components of a system: Front-Middle-Back etc.....;)

An area I'm investigating, where it might be of more use, is multilingual sites that have the back-end in ASCII message format on mainframe or middleware platforms.

Say the user's input is in Chinese but the back-end is in ASCII; you can see the options for abuse in the system. All those conversions and translations sometimes do, and can, sneak through.

With the output validator you can start trapping bad junk from the systems at hand if needed; not ideal, but sometimes needed.

my thoughts 

;o)
J.



Quoting Frank Knobbe <frank () knobbe us>:

On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
Output validation is intended to protect against attempts to inject attacks into the browser. The most important of these is cross-site scripting, which is covered by the Top Ten A4, and HTML entity encoding is suggested there.

I understand the notion of "output validation" doesn't sound very sexy. I also understand that it is considered included in the XSS section of the OWASP guide. But I believe that a lot of folks underestimate or overlook/neglect the area of validating output for safety and fitness of data for displaying in a browser.

So I'd like to ask: What can be done to put more educational emphasis and/or awareness on output validation? What are the thoughts of others in this forum?

Cheers,
Frank
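The cross-check J. describes, written out as an added example that is not from this thread or from any of the posters: a hypothetical account-history renderer that refuses to display rows the back-end returned for an account other than the one requested, rejects fields carrying control characters left over from a message conversion, and HTML-entity-encodes whatever it does display (the XSS point in the quoted text). The account numbers and rows are constructed sample data.

```python
import html
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class HistoryRow:
    """One account-history row as handed back by a (hypothetical) back-end."""
    account: str
    amount: str
    memo: str


def validate_history_output(requested_account: str, rows: List[HistoryRow]) -> List[str]:
    """Cross-check the back-end response against the request before rendering.
    Returns a list of problems; an empty list means the output is fit to display."""
    problems = []
    for i, row in enumerate(rows):
        # Trap 1: every row must belong to the account the user actually asked for.
        # This is the last-trap-all for stale or reused data from a failing component.
        if row.account != requested_account:
            problems.append(f"row {i}: account {row.account} returned for request {requested_account}")
        # Trap 2: an ASCII message-format back-end should never hand us control
        # characters; if one appears, a conversion step has let junk through.
        for name, value in (("amount", row.amount), ("memo", row.memo)):
            if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
                problems.append(f"row {i}: control character in {name}")
    return problems


def render_history(requested_account: str, rows: List[HistoryRow]) -> str:
    """Render the history table, refusing output that fails validation and
    entity-encoding every field so the browser treats it as text, not markup."""
    problems = validate_history_output(requested_account, rows)
    if problems:
        raise ValueError("output validation failed: " + "; ".join(problems))
    cells = "".join(
        f"<tr><td>{html.escape(r.amount)}</td><td>{html.escape(r.memo)}</td></tr>" for r in rows
    )
    return f"<table>{cells}</table>"


# Constructed sample responses (not real data).
GOOD_ROWS = [HistoryRow("12345678", "-20.00", "Groceries <Main St>"),
             HistoryRow("12345678", "1500.00", "Salary")]
# A failing component hands back another customer's row under our request.
LEAKED_ROWS = [HistoryRow("12345678", "-20.00", "Groceries <Main St>"),
               HistoryRow("87654321", "-9.99", "Other customer")]
# A charset conversion left an escape character inside a field.
JUNK_ROWS = [HistoryRow("12345678", "-20.00", "Gro\x1bceries")]

if __name__ == "__main__":
    print(render_history("12345678", GOOD_ROWS))
```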



