[OWASP-GUIDE] Guide Chapter 10 Thoughts

Gene McKenna mckenna at bluedot.com
Tue Jan 28 13:25:05 EST 2003


A few other things to consider.

Chapter 11 and Chapter 10 both discuss data input validation.
If we are looking at redoing chapt 10, we should also look
at chapt 11.

I think together these chapters discuss four things.

	0) User Input validation and sanitization in
	   general as a means of preventing a variety of
	   known problems.

	1) Embedded HTML Tag attacks

	   (I really feel strongly that this is a better
	    term than Cross Site Scripting. The original
	    CERT that describes this attack is actually
	    called Embedded HTML Tags, not Cross Site
	    Scripting. I give other reasons in Chapter 11)

	    The mitigation technique for the above is
	    user input validation.

	2) SQL Injection Attacks

	   The mitigation technique for this is not user input
	   validation; it is the use of prepared statements to
	   execute queries, or failing that, data sanitization.

	3) OS attacks

GENE


> -----Original Message-----
> From: owasp-guide-admin at lists.sourceforge.net
> [mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Christopher Todd
> Sent: Tuesday, January 28, 2003 10:15 AM
> To: owasp-guide at lists.sourceforge.net
> Subject: RE: [OWASP-GUIDE] Guide Chapter 10 Thoughts
>
>
> Mark,
>
> I agree that chapter 10 is too general.  Perhaps we could ask David if he
> would be willing and able to contribute what he has already written to the
> Guide?  His book uses the same license as the Guide, so there are few issues
> there, and I have seen him contribute to OWASP/webappsec lists before.
> Plus, his book (as a whole) and his coverage of input validation is
> excellent overall.
>
> I'm just thinking about conservation of energy here...if David has already
> written an excellent guide to validating user input, let's try to avoid
> duplication of effort.
>
> Chris
>
> > -----Original Message-----
> > From: owasp-guide-admin at lists.sourceforge.net
> > [mailto:owasp-guide-admin at lists.sourceforge.net] On Behalf Of Mark Curphey
> > Sent: Tuesday, January 28, 2003 1:05 PM
> > To: owasp-guide at lists.sourceforge.net
> > Subject: [OWASP-GUIDE] Guide Chapter 10 Thoughts
> >
> >
> > I added my authorship to chapter ten last night and realized how
> > inadequate that chapter really is. It really just states the best
> > strategy should be to allow trusted input and reject all others.
> >
> > If you take a look at the great secure development book by David
> > Wheeler (www.dwheeler.com) his chapter on input filtering covers
> > the topic in a more comprehensive and IMHO appropriate way.
> >
> > That said, he has a section on mitigating XSS.
> >
> > Should our Chapter 10 be enhanced (I am offering to do it) to go
> > into detail about stripping specific characters, dealing with URL
> > encoding etc and potentially converge on the work Jeremy Poteet
> > is doing about mitigating specific issues, or should it stay at a
> > high level as input filtering strategies?
> >
> >
> > _______________________________________________
> > Owasp-guide mailing list
> > Owasp-guide at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/owasp-guide
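The distinction Gene draws in points 0 to 2 above (allow-list validation of input, output encoding against embedded HTML tags, and prepared statements rather than sanitization against SQL injection) can be shown side by side in a few lines. The following is an added example, not code from the mailing list thread or from the OWASP Guide; the username policy, the in-memory `users` table and the probe string are constructed for the demonstration.

```python
import html
import re
import sqlite3

# Allow-list for a username field: a lowercase letter followed by 2..15
# lowercase letters, digits or underscores. Anything else is rejected
# outright rather than "cleaned up" (constructed policy for this example).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


def is_valid_username(value: str) -> bool:
    """Points 0/1: validate against what is allowed, not against known-bad strings."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(name: str) -> str:
    """Point 1: encode on output so the value can never be parsed as HTML markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table used only for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "admin")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text, so a quote
    character inside it changes the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Point 2: a prepared statement with a bound parameter. The SQL text is
    fixed before the value arrives; the input travels as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input carrying an embedded quote
    print(is_valid_username("alice"), is_valid_username(probe))
    print(lookup_unsafe(db, probe))    # every row comes back
    print(lookup_prepared(db, probe))  # no row matches the literal string
    print(render_greeting("<b>x</b>"))
```

Run as a script it prints the validator verdicts, the two query results and the encoded greeting. The point the post makes is visible in the two lookups: `lookup_prepared` needs no knowledge of which characters are dangerous, because the database driver never interprets the bound value as part of the query, whereas `lookup_unsafe` can only be patched by chasing individual characters. The allow-list check would already have rejected the probe at the boundary, which is why Gene lists validation first; the prepared statement is the control that holds even when validation is missing or wrong.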