WebApp Sec mailing list archives

Re: ISA Server and SQL Injection

From: christopher () baus net
Date: Tue, 1 Mar 2005 15:44:41 -0800 (PST)

2. Output validation is much better then Input validation, because most
problems are related to incorrectly encoding input parameters into
output. In addition proper output encoding allows to use critical
characters like < > within the application. This is especially important
in back-office applications.


I don't totally agree with that.  If the input injection allows the
attacker to select a different parameter, it may already be too late for
output validation.  Worse, there maybe nothing the output validator can do
if the result is encoded validly.

Christopher Baus

========
Implementing an HTTP proxy?
Consider a fast, secure alternative
http://www.baus.net/

Current thread:

Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection], (continued)
- - - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
    - RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
    - RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 28)
    - Re: ISA Server and SQL Injection Stephen de Vries (Feb 28)
    - Re: ISA Server and SQL Injection Jan P. Monsch (Mar 01)
    - Re: ISA Server and SQL Injection christopher (Mar 03)
    - Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
    - Re: ISA Server and SQL Injection Paul Johnston (Mar 03)
    - Object Caching with IE 6 XP SP2 Don Tuer (Feb 28)
  - Copying files from one server to another. Eric Boughner (Feb 23)
    - Re: Copying files from one server to another. Michael Sztachanski (Feb 23)
    - RE: Copying files from one server to another. dave kleiman (Feb 23)
    - Re: Copying files from one server to another. David (Feb 23)
- RE: ISA Server and SQL Injection Evans, Arian (Mar 03)
  - Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
  - Input Validation vs. Output Validation (was: ISA Server and SQL Injection) Jeff Williams (Mar 03)

(Thread continues...)