Network Security: Detailed info on Re: ISA Server and SQL Injection

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Re: ISA Server and SQL Injection

from [christopher] Network Security

[Permanent Link]

Subject:	Re: ISA Server and SQL Injection
Date:	Tue, 1 Mar 2005 15:44:41 -0800 (PST)

2. Output validation is much better then Input validation, because most
problems are related to incorrectly encoding input parameters into
output. In addition proper output encoding allows to use critical
characters like < > within the application. This is especially important
in back-office applications.


I don't totally agree with that.  If the input injection allows the
attacker to select a different parameter, it may already be too late for
output validation.  Worse, there maybe nothing the output validator can do
if the result is encoded validly.

Christopher Baus

========
Implementing an HTTP proxy?
Consider a fast, secure alternative
http://www.baus.net/

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: ISA Server and SQL Injection, Jan P. Monsch Re: ISA Server and SQL Injection, christopher <= Re: ISA Server and SQL Injection, Jan P. Monsch RE: ISA Server and SQL Injection, Evans, Arian Re: ISA Server and SQL Injection, Jan P. Monsch Input Validation vs. Output Validation (was: ISA Server and SQL Injection), Jeff Williams RE: ISA Server and SQL Injection, Evans, Arian Re: ISA Server and SQL Injection, Paul Johnston

Previous by Date:	RE: Filtering by client IP address for Web App Sessions, Evans, Arian
Next by Date:	Dropping connection instead of returning 400, christopher
Previous by Thread:	Re: ISA Server and SQL Injection, Jan P. Monsch
Next by Thread:	Re: ISA Server and SQL Injection, Jan P. Monsch
Indexes:	[Date] [Thread] [Top] [All Lists]