WebApp Sec mailing list archives
Re: SQL Injection
From: gcb33 () dial pipex com
Date: Tue, 29 Jun 2004 12:38:45 +0100
F. Little area, from my experience, is that you can use it to cross-validate users' input to the system and that the response back is correct (it will not validate that the request is true, but that the response is correct). Example follows.

Simple example: Banking Application, input validation <--> output validation cross-check request. The user inputs his account number (for account history, for example). The output validation would make sure that the data displayed back to the user is what was expected of the input requested by the user. I've seen in extreme cases under heavy load components failing on big internet banking platforms, and superreuse data is thrown back; it would be the last-trap-all case. Of course this would be part of the total validation components of a system, Front-Middle-Back etc.....;)

An area which I'm investigating, of interest where it might be of more use, is in multilingual sites that have the back-end in ASCII message format mainframe or middleware platforms; say the user's input is in Chinese but the back end is in ASCII. You can see the options for abuse in the system: all those conversions and translations, sometimes they do and can sneak through. With the output validator you can start trapping bad junk from the systems at hand if needed, not ideal but sometimes needed. My thoughts ;o)

J.

Quoting Frank Knobbe <frank () knobbe us>:

> On Wed, 2004-06-16 at 08:08, Jeff Williams wrote:
> > Output validation is intended to protect against attempts to inject attacks
> > into the browser. The most important of these is cross-site scripting, which
> > is covered by the Top Ten A4, and HTML entity encoding is suggested there.
>
> I understand the notion of "output validation" doesn't sound very sexy. I also understand that it is considered included in the XSS section of the OWASP guide. But I believe that a lot of folks underestimate or overlook/neglect the area of validating output for safety and fitness of data for displaying in a browser.
>
> So I'd like to ask: What can be done to put more educational emphasis and/or awareness to validating output? What are the thoughts of others in this forum?
>
> Cheers,
> Frank
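The two ideas in this thread, the request/response cross-check from the banking example and the HTML entity encoding Frank and Jeff refer to, as an added example that is not part of the original posts. The `Transaction` type, function names and the sample account numbers are assumptions made up for the illustration.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: str      # account the row belongs to, as returned by the back end
    description: str  # free-text field the back end passes through untouched
    amount_cents: int


class OutputValidationError(Exception):
    """Raised when the back-end response does not match the request it answers."""


def validate_history_response(requested_account, rows):
    """Cross-check the response against the original request: every row sent back
    must belong to the account the user asked for. A stale or mis-routed row (for
    instance from a component failing under load) is rejected, not displayed."""
    bad = [r for r in rows if r.account != requested_account]
    if bad:
        raise OutputValidationError(
            f"{len(bad)} row(s) for another account in response for {requested_account}")
    return list(rows)


def render_history(requested_account, rows):
    """Validate the response, then HTML-entity-encode every field before it reaches
    the browser, so a description such as '<script>' is shown as text, not executed."""
    safe_rows = validate_history_response(requested_account, rows)
    cells = "".join(
        f"<tr><td>{html.escape(r.account)}</td>"
        f"<td>{html.escape(r.description)}</td>"
        f"<td>{r.amount_cents}</td></tr>"
        for r in safe_rows)
    return f"<table>{cells}</table>"


# Constructed sample data (hypothetical accounts, not from any real system).
GOOD_RESPONSE = [
    Transaction("12345678", "Salary", 250000),
    Transaction("12345678", "Grocer <script>alert(1)</script>", -4523),
]
MIXED_RESPONSE = GOOD_RESPONSE + [Transaction("99999999", "Rent", -120000)]

if __name__ == "__main__":
    print(render_history("12345678", GOOD_RESPONSE))
    try:
        render_history("12345678", MIXED_RESPONSE)
    except OutputValidationError as e:
        print("blocked:", e)
```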