Hi Christopher!
In the area of testing value domains and type checking I agree. But XSS
has in my opinion nothing to do with this.
In case of SQL-Injection when dyamically assembled SQL-strings are used
it is a mix of input and output validation. In case of string parameters
the single quote must be encoded correctly ' -> '' and in case of
numeral parameters they must be parsed to check if the input is really a
numeral type.
In general I think that mechanisms like Java Prepared Statements must be
used to submit SQL-queries. This allows SQL-injection-safe passing of
parameters to the database. Statements where parameters and SQL are
dynamically assembled in a SQL-string should be abolished altogether.
Regards Jan
christopher@baus.net wrote:
2. Output validation is much better then Input validation, because most
problems are related to incorrectly encoding input parameters into
output. In addition proper output encoding allows to use critical
characters like < > within the application. This is especially important
in back-office applications.
I don't totally agree with that. If the input injection allows the
attacker to select a different parameter, it may already be too late for
output validation. Worse, there maybe nothing the output validator can do
if the result is encoded validly.
Christopher Baus
========
Implementing an HTTP proxy?
Consider a fast, secure alternative
http://www.baus.net/
--
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG
Glärnischstrasse 7, CH-8640 Rapperswil, Switzerland
Tel +41 55 214 41 67
Fax +41 55 214 41 61
jan.monsch@csnc.ch
http://www.csnc.ch
PGP: F055 837D 2D86 1C86 C5E0 065C 0D16 B8B3 9E58 71F3
Security Review - Penetration Testing - Computer Forensics
_____________________________________________________________
