WebApp Sec mailing list archives
Re: ISA Server and SQL Injection
From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Thu, 03 Mar 2005 00:27:29 +0100
Hi Christopher!In the area of testing value domains and type checking I agree. But XSS has in my opinion nothing to do with this.
In case of SQL-Injection when dyamically assembled SQL-strings are used it is a mix of input and output validation. In case of string parameters the single quote must be encoded correctly ' -> '' and in case of numeral parameters they must be parsed to check if the input is really a numeral type.
In general I think that mechanisms like Java Prepared Statements must be used to submit SQL-queries. This allows SQL-injection-safe passing of parameters to the database. Statements where parameters and SQL are dynamically assembled in a SQL-string should be abolished altogether.
Regards Jan christopher () baus net wrote:
2. Output validation is much better then Input validation, because most problems are related to incorrectly encoding input parameters into output. In addition proper output encoding allows to use critical characters like < > within the application. This is especially important in back-office applications.I don't totally agree with that. If the input injection allows the attacker to select a different parameter, it may already be too late for output validation. Worse, there maybe nothing the output validator can do if the result is encoded validly. Christopher Baus ======== Implementing an HTTP proxy? Consider a fast, secure alternative http://www.baus.net/
-- _____________________________________________________________ Jan P. Monsch Compass Security Network Computing AG Glärnischstrasse 7, CH-8640 Rapperswil, Switzerland Tel +41 55 214 41 67 Fax +41 55 214 41 61 jan.monsch () csnc ch http://www.csnc.ch PGP: F055 837D 2D86 1C86 C5E0 065C 0D16 B8B3 9E58 71F3 Security Review - Penetration Testing - Computer Forensics _____________________________________________________________
Current thread:
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection], (continued)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 28)
- Re: ISA Server and SQL Injection Stephen de Vries (Feb 28)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 01)
- Re: ISA Server and SQL Injection christopher (Mar 03)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
- Re: ISA Server and SQL Injection Paul Johnston (Mar 03)
- Object Caching with IE 6 XP SP2 Don Tuer (Feb 28)
- Re: Copying files from one server to another. Michael Sztachanski (Feb 23)
- RE: Copying files from one server to another. dave kleiman (Feb 23)
- Re: Copying files from one server to another. David (Feb 23)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
- Input Validation vs. Output Validation (was: ISA Server and SQL Injection) Jeff Williams (Mar 03)