|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: [WEB SECURITY] Re: SQL In the Request
From: Jeff Robertson (jeff.robertson
digitalinsight.com)
Date: Fri Oct 06 2006 - 07:21:56 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> -----Original Message-----
>
> We've got great APIs for avoiding things like buffer
> overflows and SQL injection, and maybe eventually people will
> be taught to use them from day one. OTOH, most of the APIs
> I've seen for dealing with HTML don't do a particularly good
> job of preventing HTML injection vulnerabilities.
>
> Are there any well-designed APIs in this area? What would
> one look like?
>
The J2EE frameworks like Struts and JSF go a long way, if the developer
can be forced by coding standards to use ONLY the frameworks tags and
not hack around them with scriptlets.
In Struts:
<bean:write name="foo" property="bar" />
Does the same thing as:
<%= foo.getBar() %>
..except that the latter is vulnerable to XSS and the former isn't.
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire has new programs available for pen testers and consultants to
use AppScan in client engagements. AppScan is the leading Web application
assessment tool. Want to see it for yourself? Take a look today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]