[OWASP-GUIDE] Guide Chapter 10 Thoughts
mckenna at bluedot.com
Tue Jan 28 13:25:05 EST 2003
A few other things to consider.
Chapter 11 and Chapter 10 both discuss data input validation.
If we are looking at redoing chapter 10, we should also look
at chapter 11.
I think together these chapters discuss four things.
0) User Input validation and sanitization in
general as a means of preventing a variety of
1) Embedded HTML Tag attacks
(I really feel strongly that this is a better
term than Cross Site Scripting. The original
CERT that describes this attack is actually
called Embedded HTML Tags, not Cross Site
Scripting. I give other reasons in Chapter 11)
The mitigation technique for the above is
user input validation.
2) SQL Injection Attacks
The mitigation technique for this is not user input
validation, it is use of prepared statements to
execute queries, or failing that, data sanitization.
3) OS attacks
> -----Original Message-----
> From: owasp-guide-admin at lists.sourceforge.net
> [mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Christopher
> Sent: Tuesday, January 28, 2003 10:15 AM
> To: owasp-guide at lists.sourceforge.net
> Subject: RE: [OWASP-GUIDE] Guide Chapter 10 Thoughts
> I agree that chapter 10 is too general. Perhaps we could ask David if he
> would be willing and able to contribute what he has already written to the
> Guide? His book uses the same license as the Guide, so there are few issues
> there, and I have seen him contribute to OWASP/webappsec lists before.
> Plus, his book (as a whole) and his coverage of input validation is
> excellent overall.
> I'm just thinking about conservation of energy here...if David has already
> written an excellent guide to validating user input, let's try to avoid
> duplication of effort.
> > -----Original Message-----
> > From: owasp-guide-admin at lists.sourceforge.net
> > [mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Mark
> > Curphey
> > Sent: Tuesday, January 28, 2003 1:05 PM
> > To: owasp-guide at lists.sourceforge.net
> > Subject: [OWASP-GUIDE] Guide Chapter 10 Thoughts
> > I added my authorship to chapter ten last night and realized how
> > inadequate that chapter really is. It really just states the best
> > strategy should be to allow trusted input and reject all others.
> > If you take a look at the great secure development book by David
> > Wheeler (www.dwheeler.com) his chapter on input filtering covers
> > the topic in a more comprehensive and IMHO appropriate way.
> > That said, he has a section on mitigating XSS.
> > Should our Chapter 10 be enhanced (I am offering to do it) to go
> > into detail about stripping specific characters, dealing with URL
> > encoding etc and potentially converge on the work Jeremy Poteet
> > is doing about mitigating specific issues, or should it stay at a
> > high level as input filtering strategies?
> > -------------------------------------------------------
> > This SF.NET email is sponsored by:
> > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> > http://www.vasoftware.com
> > _______________________________________________
> > Owasp-guide mailing list
> > Owasp-guide at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-guide
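As an added example (not code from the original thread, the OWASP Guide, or David Wheeler's book), the point McKenna makes in item 2 above, shown in Python with the standard-library sqlite3 module: the same login query built by string concatenation and as a prepared statement, exercised with a classic quote-based payload. The users table, its sample rows, the payload and the sort-column allowlist are all constructed for this example. The allowlist function covers the "failing that" case McKenna mentions: identifiers such as an ORDER BY column cannot be bound as parameters, so the fallback there is strict validation of the value before it reaches the query string.

```python
import sqlite3

# Constructed sample data for this example only.
SAMPLE_USERS = [
    ("alice", "s3cret", "2003-01-01"),
    ("bob", "hunter2", "2003-01-02"),
]

# Columns a caller may sort by; used where parameters cannot be bound.
ALLOWED_SORT_COLUMNS = {"name", "created"}


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, created TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Query built by concatenation: user input is parsed as SQL.

    With password = "' OR '1'='1" the WHERE clause becomes
    name = 'alice' AND password = '' OR '1'='1', which is true for
    every row, so a caller without the password still gets a user back.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, name, password):
    """Same query as a prepared statement: the values are bound, never parsed."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def list_users_sorted(conn, sort_column):
    """Identifiers cannot be bound, so validate against an allowlist instead.

    Raises ValueError for anything outside ALLOWED_SORT_COLUMNS before the
    value is ever placed into the SQL text.
    """
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT name FROM users ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run both login variants against the same payload and report the results."""
    conn = make_db()
    payload = "' OR '1'='1"
    try:
        list_users_sorted(conn, "name; DROP TABLE users")
        identifier_rejected = False
    except ValueError:
        identifier_rejected = True
    return {
        "vulnerable_bypass": login_vulnerable(conn, "alice", payload),
        "prepared_bypass": login_prepared(conn, "alice", payload),
        "prepared_valid": login_prepared(conn, "alice", "s3cret"),
        "sorted_by_name": list_users_sorted(conn, "name"),
        "identifier_rejected": identifier_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The prepared statement returns no row for the payload because the driver binds the whole string as the password value; the concatenated version returns a user because the quote closed the literal and the rest was executed as SQL. Note that escaping quotes in the input would only patch this one shape of the problem, which is why the parameterised form comes first and validation is the fallback for the places it cannot be used.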