“Input validation is not a great solution for [web application] injection attacks. First, input validation is typically done when the data is received, before the destination is known. That means that we don’t know which characters might be significant in the target interpreter. Second, […] applications must allow potentially harmful characters in. For example, should poor Mr. O’Malley be prevented from registering in the database simply because SQL considers ’ a special character?”
– An excerpt from XSS (Cross Site Scripting) Prevention Cheat Sheet by Jeff Williams and Jim Manico

View full post on Lenny Zeltser on Information Security
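The O’Malley problem from the excerpt, worked through in code. This is an added example and is not code from Zeltser, Williams or Manico, nor from the OWASP cheat sheet; it uses Python’s standard sqlite3 and html modules, and the table layout and the three sample names (O'Malley, an HTML-looking name, and a tautology payload) are constructed for the example. It shows why rejecting the apostrophe at the input boundary is the wrong fix: a string-concatenated INSERT cannot even store a legitimate name, a bound parameter stores any name while defeating the injection, and the HTML-significant name that is harmless to SQL still has to be encoded at the HTML sink, where the destination is finally known.

```python
import sqlite3
import html

# Constructed sample inputs for this example (not from the original post).
NAME_OMALLEY = "O'Malley"
NAME_HTMLISH = "<script>alert(1)</script>"
INJECTION = "' OR '1'='1"


def setup_db():
    """In-memory SQLite database with a minimal users table (example schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def register_naive(conn, name):
    """Vulnerable: the name is spliced into the SQL text, so the apostrophe in
    O'Malley terminates the string literal and the statement breaks."""
    conn.execute("INSERT INTO users (name) VALUES ('%s')" % name)


def register_parameterized(conn, name):
    """Safe: the driver passes the name as a bound value, never as SQL syntax,
    so any character is allowed in the name."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))


def lookup_naive(conn, name):
    """Vulnerable lookup: attacker-controlled input can rewrite the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Safe lookup: the same input is compared as data only."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    """Output encoding for the HTML body context, applied at the sink where the
    destination is known. quote=True also encodes ' and ", so the same helper
    is usable inside a quoted attribute value."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


def demo():
    """Run both variants and return the observations as a dict."""
    conn = setup_db()
    results = {}

    # 1. The naive INSERT cannot even store a legitimate name.
    try:
        register_naive(conn, NAME_OMALLEY)
        results["naive_insert"] = "accepted"
    except sqlite3.OperationalError as exc:
        results["naive_insert"] = "rejected: %s" % exc

    # 2. Parameterization stores the apostrophe and the HTML-looking name
    #    verbatim; neither is special to the SQL interpreter when bound.
    register_parameterized(conn, NAME_OMALLEY)
    register_parameterized(conn, NAME_HTMLISH)
    results["stored"] = (lookup_parameterized(conn, NAME_OMALLEY)
                         + lookup_parameterized(conn, NAME_HTMLISH))

    # 3. The classic tautology: the naive lookup leaks every row, the bound one none.
    results["naive_lookup"] = lookup_naive(conn, INJECTION)
    results["param_lookup"] = lookup_parameterized(conn, INJECTION)

    # 4. The HTML-significant name was harmless in SQL but must be encoded at
    #    the HTML sink; the apostrophe gets encoded there too, harmlessly.
    results["html"] = [render_greeting(NAME_OMALLEY), render_greeting(NAME_HTMLISH)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point the excerpt makes falls out of the four results: the apostrophe is only dangerous to the SQL interpreter when the application hands it to that interpreter as syntax, and the angle brackets are only dangerous to the browser when the application hands them to the browser unencoded. Each sink gets its own defence (bound parameters, context-appropriate output encoding); neither needs the input filter to guess the destination in advance.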
Posted on 14 November 2010. Tags: Application, Attacks, First, great, Injection, Input, SOLUTION, Validation