[Owasp-topten] A1 / A2 Review from Sylvan

Neil Smithline owasp-topten at smithline.net
Fri Feb 2 20:50:13 EST 2007


And input validation is a big part of proper error handling. It allows you
to give appropriate errors early on and also can help compensate for sloppy
error checking throughout the code. For example, if lower layers omit error
checking it can lead to vulnerabilities but if the bad input can never make
it to the lower layers, you might have code that is not 100% top-notch but
still doesn't have any vulnerabilities because the missed error checking
cannot be exploited due to the good input validation.

- Neil

On 2/1/07, Dinis Cruz <dinis at ddplus.net> wrote:
>
> the comment 'you don't need validation if you use parameterized queries'
> is spot on, and one that should be made in relation to issues like SQL
> Injections (If I could count the number of security consultants that I have
> heard saying 'to solve this case of SQL Injection just filter/validate your
> inputs'!!!)
>
> now, that said, the point of using validation to detect attacks (and too
> limit the amount of stuff that is processed) is a very good one (especially
> if done in a central location using a global list of all inputs (mapped
> against a white-list of expected data (ala struts (when used properly))).
>
> I would just add that I was involved in a recent project where we used the
> validation errors (in that case RegEx) to detect malicious activity and act
> accordingly.
>
> Dinis Cruz
> Chief OWASP Evangelist,
> http://www.owasp.org
>
>
> On 2/1/07, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
> >
> > > I really don't like the statement that "validation is still
> > recommended in
> > > order to detect attacks". Validation should be used to determine
> > anything
> > > that isn't what we expect, not to try to find attacks."
> >
> > I'd be interested in people's thoughts on this.  Of course there are
> > usability reasons to validate, but let's put those aside for purposes of
> > this discussion.  I'm interested in validation for security reasons.
> >
> > If you can prevent 100% of the attacks from working by using a
> > parameterized interface, doing HTML entity encoding, etc... do you need
> > to validate?  Why?
> >
> > The reason, I believe, is to detect attacks so that you can respond
> > appropriately.  Unfortunately, the vast majority of applications DO NOT
> > detect attacks at all.  You can pound away at them all day and they'll
> > happily respond, "I'm sorry, I didn't understand your request - please
> > try again."
> >
> > If your application receives input that couldn't possibly have been
> > generated by a legitimate user of the system, you should log them off,
> > disable their account, notify someone, and/or take some other action.
> > This would make most attack attempts much more difficult, and prevent
> > vulnerability scanners from even working at all.
> >
> > --Jeff
> > __
> > _______________________________________________
> > Owasp-topten mailing list
> > Owasp-topten at lists.owasp.org
> > http://lists.owasp.org/mailman/listinfo/owasp-topten
> >
>
>
>
> --
>
>
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-topten
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.owasp.org/pipermail/owasp-topten/attachments/20070202/7269ee86/attachment.html 


More information about the Owasp-topten mailing list