
RE: Input validation

From: Dawes, Rogan (ZA - Johannesburg) <rdawes(at)deloitte.co.za>
Date: Fri Jun 20 2003 - 03:10:41 EDT


I rather like the approach of performing "boundary quoting" (I don't think this was the original description, but it serves well enough).

The idea is that you make sure to appropriately "escape" all data crossing boundaries between systems.

For example, when formulating a SQL query based on data received from the browser, make sure to escape any quote characters.

When writing data out to the browser, make sure to escape any angle brackets as HTML entities.

When writing data out to an XML stream, make sure to escape any angle brackets, ampersands.

When writing out data to an error log, make sure to escape any embedded carriage returns, or other control characters, spaces, etc., that could cause problems when automatically parsing the file (or even manually reading it, cf. xterm escape codes).

That way, you can still operate with the "malformed" data, and have audit trails that show what was really submitted. You can always decide not to continue processing, but the data will remain just that - data - and not cross the line into "metadata" (HTML code, line separators, SQL injections, XSS, etc.).

This can have a downside in terms of performance, but in terms of correctness, I think it is a better approach.


So, if, as a different poster asked, you need to allow some tags and disallow others, your HTML output quoting function would need to implement selective quoting (preferably from a white-list, with specific allowed tag attributes, with the tag attributes appropriately quoted, etc.).

Rogan

> -----Original Message-----
> From: Kooper, Larry [mailto:Larry.Kooper@metmuseum.org]
> Sent: 19 June 2003 07:39 PM
> To: 'webappsec@securityfocus.com'
> Subject: Input validation
>
>
> I am a newbie to this list - apologies if this question is
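The per-boundary encoding Rogan describes above, as an added example that is not part of his post or of the original thread. One constructed hostile value (a quote, a script tag, an ampersand, a CRLF pair and an xterm colour escape) is pushed across four boundaries: an SQL statement, HTML text, XML character data and a log line. The SQL step uses a bound parameter rather than hand-escaping quote characters, which is the modern equivalent of the quoting step he describes; the log encoder is a simple reversible `\xNN` scheme chosen for this example, not a standard format. `HOSTILE` and the `users` table are constructed for the demonstration.

```python
import html
import re
import sqlite3
from xml.sax.saxutils import escape as xml_escape

# Constructed sample input: one "malformed" value that tries to turn into
# metadata at every boundary at once (SQL quote, HTML tag, XML entity,
# CRLF log injection and an xterm escape sequence).
HOSTILE = "O'Brien <script>alert(1)</script> &co\r\nINFO faked line \x1b[31mred"


def to_html(value: str) -> str:
    """HTML text boundary: <, >, & and both quote characters become entities."""
    return html.escape(value, quote=True)


def to_xml_text(value: str) -> str:
    """XML character-data boundary: & and < (the two characters that can start
    markup) plus > become entities; the data itself is unchanged."""
    return xml_escape(value)


# C0 control characters and DEL; CR, LF and ESC are the interesting ones.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def to_log_field(value: str) -> str:
    """Log boundary: control characters are rewritten as visible \\xNN escapes
    and the backslash itself is doubled first, so the encoding is reversible
    and one record always stays exactly one line."""
    value = value.replace("\\", "\\\\")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def store_and_fetch(conn: sqlite3.Connection, name: str) -> str:
    """SQL boundary: the value is bound as a parameter, so the engine never
    parses it as SQL text; the quote and everything after it stay data."""
    conn.execute("INSERT INTO users(name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


def roundtrip() -> dict:
    """Push HOSTILE across every boundary and report what each sink received."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")  # constructed schema
    stored = store_and_fetch(conn, HOSTILE)
    log_line = "login attempt user=%s" % to_log_field(HOSTILE)
    return {
        # the audit trail still shows exactly what was submitted
        "sql_roundtrip_intact": stored == HOSTILE,
        "html": to_html(HOSTILE),
        "xml": to_xml_text(HOSTILE),
        "log": log_line,
        "log_is_one_line": not any(c in log_line for c in ("\r", "\n", "\x1b")),
    }


if __name__ == "__main__":
    for key, value in roundtrip().items():
        print(key, "=>", value)
```

Each encoder is specific to the sink it writes to; applying the HTML encoder to the log, or the log encoder to SQL, would leave the respective metadata characters live. The value that comes back from SQLite is byte-for-byte what was submitted, which is the "data stays data" property the post is after.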

Received on Fri Jun 20 08:40:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:52 EDT

