[Owasp-delhi] input / output sanitization
dhar_ar at yahoo.com
Mon Feb 1 10:55:46 EST 2010
My 2 paise/cents and a bit more ;) :
1. "Could 'sanitization' (input sanitization) be an effective remedy for SQL injection?" - It could help, but validation is better for sure for SQL Injection, as mentioned by Venkat!
SQL Injection can also be prevented by simple design patterns that act as sanitizers. Example: OR mapping frameworks, parameterized stored procs (but depends on the proc), google it man :)
2. "For XSS, which is better, input sanitization or output sanitization ?"
There's already been a lot of discussion on this.
I am not sure what Venkat means by "The same holds good for XSS as well", because XSS is a different ball game.
You could kill an ant with a bomb, or you may want to consider OWASP open source tools: define a security policy that states, from a web aspect, what is permissible and what isn't, and review it with IT / business users.
Plus I wouldn't put XSS validation at the data source level, so for me it's not the same, because having ever-changing security policies mixed with low-level sanitization would be a pain to maintain.
It's the same in the basic principle of sanitization/validation. But approaching these two problems is different and requires thought as per requirements.
3. Last but not least; I don't think "Sanitize/Validate everything, even internal" is always right. Just like you don't use "https" for every web page or synchronize every block of code (overkill) :). One has to look at the domain, requirements, usability, maintainability etc. to decide. Idealistically, if validation is not costly, maybe; but practically, due to many reasons, maybe not!
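To make the distinction in points 1 and 2 concrete (parameterized queries versus string-building for SQL injection, validation as a separate layer, and encoding at the output point for XSS), here is an added example in Python with sqlite3; it is not code from the original post or from any of the posters. The table, the names in it and the allowlist regex are constructed for the demonstration.

```python
import html
import re
import sqlite3

# Constructed sample data: names that contain the characters which break
# naive SQL string concatenation and which matter when rendered as HTML.
SAMPLE_USERS = [("O'Brien", "ops"), ("<b>Dhar</b>", "dev")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, team TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """The 'before': the value is spliced into the SQL text, so a quote in
    the input changes the query's structure (here it ends as a syntax error)."""
    return conn.execute(
        "SELECT team FROM users WHERE name = '" + name + "'").fetchall()


def lookup_param(conn, name):
    """Parameterized query: the driver passes the value as data, so every
    character in it is just part of the literal being compared."""
    return conn.execute(
        "SELECT team FROM users WHERE name = ?", (name,)).fetchall()


def concat_is_broken_by(conn, name):
    """True when the concatenated query fails to parse for this input."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# Hypothetical business rule for a person's name (allowlist), separate from
# the query API: validation rejects what the domain says a name cannot be.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def validate_name(name):
    return bool(NAME_RE.match(name))


def render_name(name):
    """Output encoding for an HTML text node, applied where the value is
    emitted, regardless of what validation happened on the way in."""
    return html.escape(name, quote=True)
```

Running `lookup_param(make_db(), "O'Brien")` returns the row while the concatenated form raises, and `render_name` neutralizes the stored `<b>` markup without touching the database value.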
From: <Venkatesh.Jagannathan at cognizant.com>
Date: Mon, 1 Feb 2010 11:25:28
To: <sureshtiwary at rediffmail.com>; <owasp-delhi at lists.owasp.org>
Subject: Re: [Owasp-delhi] input / output sanitization