[Owasp-topten] A1 / A2 Review from Sylvan
dinis at ddplus.net
Thu Feb 1 22:21:03 EST 2007
the comment 'you don't need validation if you use parameterized queries' is
spot on, and one that should be made in relation to issues like SQL
Injections (If I could count the number of security consultants that I have
heard saying 'to solve this case of SQL Injection just filter/validate your
now, that said, the point of using validation to detect attacks (and too
limit the amount of stuff that is processed) is a very good one (especially
if done in a central location using a global list of all inputs (mapped
against a white-list of expected data (ala struts (when used properly))).
I would just add that I was involved in a recent project where we used the
validation errors (in that case RegEx) to detect malicious activity and act
Chief OWASP Evangelist,
On 2/1/07, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
> > I really don't like the statement that "validation is still
> recommended in
> > order to detect attacks". Validation should be used to determine
> > that isn't what we expect, not to try to find attacks."
> I'd be interested in people's thoughts on this. Of course there are
> usability reasons to validate, but let's put those aside for purposes of
> this discussion. I'm interested in validation for security reasons.
> If you can prevent 100% of the attacks from working by using a
> parameterized interface, doing HTML entity encoding, etc... do you need
> to validate? Why?
> The reason, I believe, is to detect attacks so that you can respond
> appropriately. Unfortunately, the vast majority of applications DO NOT
> detect attacks at all. You can pound away at them all day and they'll
> happily respond, "I'm sorry, I didn't understand your request - please
> try again."
> If your application receives input that couldn't possibly have been
> generated by a legitimate user of the system, you should log them off,
> disable their account, notify someone, and/or take some other action.
> This would make most attack attempts much more difficult, and prevent
> vulnerability scanners from even working at all.
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-topten