Summary

Making security decisions based only on a name is a bad idea! As you have read, a value can be represented in many equivalent forms. If parsers do not reduce values to their simplest form, applications will have canonicalization issues. We have seen developers attempt to fix canonicalization bugs by adding another special case to look for when parsing; that is the wrong approach, because it is extremely hard to catch all cases that way.

Developers can avoid most canonicalization issues in their applications by listing the characters that are allowed rather than using a block list of bad characters. If you know exactly which input your application should allow, make sure it accepts only that input and rejects all else. Trying to block known bad input is likely to be error prone, because the developer probably does not know the many different ways bad input can be represented, and any such filter could be bypassed.
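The two approaches side by side, as an added example that is not from the book: a block-list filter of the kind the chapter warns against, next to an allow-list check that first reduces the name to its simplest form (percent-decoding, Unicode NFKC folding) and then accepts only names that are already canonical and match one explicit pattern. The filename rule and the sample inputs are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Hypothetical application rule: a report name starts with a letter or digit,
# continues with letters, digits, '_' or '-', and ends in .txt or .log.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(?:txt|log)$")


def block_list_check(name: str) -> bool:
    """The pattern the chapter warns against: reject known-bad substrings.
    Every new representation found in testing tempts another special case,
    and the list is never complete."""
    for bad in ("..", "/", "\\", "\x00"):
        if bad in name:
            return False
    return True


def canonicalize(name: str) -> str:
    """Reduce the input to its simplest form: undo percent-encoding until it
    stops changing (catches double encoding) and fold Unicode look-alikes
    such as fullwidth letters with NFKC normalization."""
    prev = None
    while prev != name:
        prev, name = name, unquote(name)
    return unicodedata.normalize("NFKC", name)


def allow_list_check(name: str) -> bool:
    """Accept only input that is already in canonical form AND matches the
    one shape we explicitly allow; everything else is rejected."""
    return canonicalize(name) == name and ALLOWED_NAME.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed sample inputs: a plain name and three equivalent spellings
    # of names the application should never accept.
    samples = ["report.txt", "../secret.txt", "%2e%2e%2fsecret.txt",
               "\uff52\uff45\uff50\uff4f\uff52\uff54.txt"]
    for s in samples:
        print(f"{s!r:45} block-list={block_list_check(s)!s:5} "
              f"allow-list={allow_list_check(s)}")
```

The block list rejects only the literal `..` spelling; the percent-encoded and fullwidth forms sail through it, while the allow-list check rejects all three.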



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
