WebApp Sec mailing list archives
Re: ISA Server and SQL Injection
From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Tue, 01 Mar 2005 22:36:43 +0100
Hi there!I have lots of discussions with customers regarding the issue of perimeter application filters. May conclusion regarding the issue is as follows:
1. Validation in the application itself is the best and most efficient way of handling code injection problems. Because the application knows about its domain but the gateway filter not. In addition the application can provide appropriate error messages for incorrect input.
2. Output validation is much better then Input validation, because most problems are related to incorrectly encoding input parameters into output. In addition proper output encoding allows to use critical characters like < > within the application. This is especially important in back-office applications.
3. Output validation should be handled in a security framework, built by a security expert. It must be implemented such that the business developer has not to worry about encoding stuff. (I know this is a ideal world szenario)
4. In may opinion validation on the gateway does only make sense if it used in a transitional way until input/output validation in the application has been implemented or it is used as a part of intrusion detection.
Regars Jan
Current thread:
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection], (continued)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 28)
- Re: ISA Server and SQL Injection Stephen de Vries (Feb 28)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 01)
- Re: ISA Server and SQL Injection christopher (Mar 03)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
- Re: ISA Server and SQL Injection Paul Johnston (Mar 03)
- Object Caching with IE 6 XP SP2 Don Tuer (Feb 28)
- Re: Copying files from one server to another. Michael Sztachanski (Feb 23)
- RE: Copying files from one server to another. dave kleiman (Feb 23)
- Re: Copying files from one server to another. David (Feb 23)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)