More Than 22,000 Vulns Were Disclosed in 2018, 27% ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

ChadF3,
User Rank: Apprentice
3/4/2019 | 5:34:35 PM

Not about validation

Issues like SQL/script injection and XSS are not really a problem with input validation, but a lack of proper quoting/escaping of arbatrary data during its use. Yes, input validation can limit/mitigate some attacks, but this also tightly couples the input code and processing code (e.g. the input side assumes SQL queries are used at some point, and the query side code assumes input validation have done for all potential sources).

In general, providing an input with an apostrophe should be considered valid, even if the backend uses this value in an SQL query (as the real data being search may have such values, e.g. Name: O'Neill). If I include the text "<grin>" with-in some online forum post/comment, it shouldn't be rejected/removed for no-HTML input fields, but be treated as verbatuim text that is properly escaped in output HTML.

Input validation should normally only be done for specific business logic (e.g. usernames are limited to ASCII letters/numbers and must start with a letter), or general sanity checks (e.g. only ASCII; only valid UTF-8 encoded strings; doesn't contain invalid UNICODE composed sequences; no embedded NUL characters [when using length specified strings]).

Reply | Post Message | Messages List | Start a Board

50%

Joe Stanganelli,
User Rank: Ninja
2/28/2019 | 6:31:14 PM

No fixes

Moreover, researchers are often incentivized against responsible disclosure simply because the companies won't even listen to them and give them the time of day -- unless it gets national media attention. (Examples: Panera, Apple FaceTime bug, Facebook, etc.)

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

44% of Security Threats Start in the Cloud

Kelly Sheridan, Staff Editor, Dark Reading, 2/19/2020

California Man Arrested for Politically Motivated DDoS

Dark Reading Staff 2/21/2020

Zero-Factor Authentication: Owning Our Data

Nick Selby, Chief Security Officer at Paxos Trust Company, 2/19/2020

Live Events

Webinars

March 16-19, 2020: Data Center World Registration is open! Join Us

Data Center World: The leading conference & expo for Data Center and IT Infrastructure Professionals. Register Today!

Get Insights: Cisco vs Microsoft & More at EC20 Orlando

More Informa Tech Live Events

White Papers

Let's Talk: Why Language Matters in Cybersecurity

6 Emerging Cyber Threats That Enterprises Face in 2020

Digital Transformation Built on the Cloud

Data Protection: Verify Anything and Everything

Apex Report: Global Cyber Infection

More White Papers

Video

All Videos

Cartoon

Latest Comment: He said XP and 7 are both insecure? And Server 2003 and 2008 also? Can't have him saying those things! We don't have any ...

Cartoon Archive

Current Issue

6 Emerging Cyber Threats That Enterprises Face in 2020

This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

How Enterprises Are Developing and Maintaining Secure Applications

The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.

Download Now!

How Enterprises are Attacking the Cybersecurity Problem

0 comments

How Data Breaches affect the Enterprise

0 comments

Rethinking Enterprise Data Defense

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2020-9405
PUBLISHED: 2020-02-26

IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.

CVE-2020-9406
PUBLISHED: 2020-02-26

IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.

CVE-2020-9407
PUBLISHED: 2020-02-26

IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.

CVE-2020-9398
PUBLISHED: 2020-02-25

ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.

CVE-2015-5201
PUBLISHED: 2020-02-25

VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]