Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [WEB SECURITY] Re: SQL In the Request

from [Jeff Robertson] Network Security [Permanent Link]
Subject: RE: [WEB SECURITY] Re: SQL In the Request
Date: Fri, 6 Oct 2006 08:21:56 -0400 
-----Original Message-----

We've got great APIs for avoiding things like buffer 
overflows and SQL injection, and maybe eventually people will 
be taught to use them from day one.  OTOH, most of the APIs 
I've seen for dealing with HTML don't do a particularly good 
job of preventing HTML injection vulnerabilities.

Are there any well-designed APIs in this area?  What would 
one look like?



The J2EE frameworks like Struts and JSF go a long way, if the developer
can be forced by coding standards to use ONLY the frameworks tags and
not hack around them with scriptlets.

In Struts:

<bean:write name="foo" property="bar" />

Does the same thing as:

<%= foo.getBar() %>

..except that the latter is vulnerable to XSS and the former isn't.

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to 
use AppScan in client engagements. AppScan is the leading Web application 
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: SQL In the Request, Arian J. Evans
Next by Date:  OWASP Testing Guide v2: let's start! (Call for participation), Matteo Meucci
Previous by Thread:  Re: [WEB SECURITY] Re: SQL In the Request, bryan allott
Next by Thread:  [Full-disclosure] JavaScript Spider (code that can traverse the web), pdp (architect)
Indexes:  [Date] [Thread] [Top] [All Lists]