WebApp Sec mailing list archives

Re: ISA Server and SQL Injection

From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Tue, 01 Mar 2005 22:36:43 +0100

Hi there!

I have lots of discussions with customers regarding the issue ofperimeter application filters. May conclusion regarding the issue is asfollows:

1. Validation in the application itself is the best and most efficientway of handling code injection problems. Because the application knowsabout its domain but the gateway filter not. In addition the applicationcan provide appropriate error messages for incorrect input.

2. Output validation is much better then Input validation, because mostproblems are related to incorrectly encoding input parameters intooutput. In addition proper output encoding allows to use criticalcharacters like < > within the application. This is especially importantin back-office applications.

3. Output validation should be handled in a security framework, built bya security expert. It must be implemented such that the businessdeveloper has not to worry about encoding stuff. (I know this is a idealworld szenario)

4. In may opinion validation on the gateway does only make sense if itused in a transitional way until input/output validation in theapplication has been implemented or it is used as a part of intrusiondetection.


Regars Jan

Current thread:

Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection], (continued)
- - - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
    - RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
    - RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 28)
    - Re: ISA Server and SQL Injection Stephen de Vries (Feb 28)
    - Re: ISA Server and SQL Injection Jan P. Monsch (Mar 01)
    - Re: ISA Server and SQL Injection christopher (Mar 03)
    - Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
    - Re: ISA Server and SQL Injection Paul Johnston (Mar 03)
    - Object Caching with IE 6 XP SP2 Don Tuer (Feb 28)
  - Copying files from one server to another. Eric Boughner (Feb 23)
    - Re: Copying files from one server to another. Michael Sztachanski (Feb 23)
    - RE: Copying files from one server to another. dave kleiman (Feb 23)
    - Re: Copying files from one server to another. David (Feb 23)
- RE: ISA Server and SQL Injection Evans, Arian (Mar 03)
  - Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)

(Thread continues...)