views: 436
answers: 2

Hello,

  • We are looking at using a library to help us detect SQL injections.

  • We are using sprocs and parametrized statements, but for the sake of this post assume that we are only using some sort of library that detects/verifies user input.

What's the best one? Easiest to implement? Easiest to update/manage? Why prefer one over the other?

On a side note:

I've just started using OWASP with C#. I was hoping that there would be more default rules while validating. When using the isValid function, there are only 5 default rules:

  • CREDIT_CARD -- Rule name key for the credit card validation rule.
  • DATE -- Rule name key for the date validation rule.
  • DOUBLE -- Rule name key for the double validation rule.
  • INTEGER -- Rule name key for the integer validation rule.
  • PRINTABLE -- Rule name key for the printable validation rule.

I was hoping that there would be more default rules for string SQL Injection Detection.

Thanks

A: 

Using stored procs is a pretty big step in the right direction. What I'd add to that is input validation, which it looks like you're trying to do with the OWASP ESAPI library, but it's pretty simple to implement by regex in most cases. You should find plenty of publicly available patterns for most untrusted data.

The other thing you might want to do is to apply the principle of least privilege at your data layer. Consider using more than one SQL account and restricting the access of your account(s) used by publicly facing users to the absolute bare minimum functions. You’re using stored procs; try and avoid any datareader or datareader rights if you haven’t already.

More info in OWASP Top 10 for .NET developers part 1: Injection

Troy Hunt
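The two points in the answer above (allow-list validation by regex, then a parameterized stored-procedure call made under a low-privilege SQL account) as one worked C# example. This is added illustration, not code from the post, from OWASP ESAPI or from Troy Hunt's article; the procedure name `dbo.GetOrdersForCustomer`, its `@CustomerCode` parameter and the account in the connection string are assumptions made for the example.

```csharp
// Added example (not from the original post, OWASP ESAPI or the linked article).
// Assumptions for illustration: a stored procedure dbo.GetOrdersForCustomer with one
// parameter @CustomerCode, and a connection string for a low-privilege SQL account.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class OrderRepository
{
    // Allow-list: a customer code is 3 to 12 upper-case letters or digits, nothing else.
    // The ^ and $ anchors force the whole string to match, so trailing characters
    // such as quotes, semicolons or comment markers are rejected outright.
    private static readonly Regex CustomerCodePattern =
        new Regex(@"^[A-Z0-9]{3,12}$", RegexOptions.CultureInvariant);

    // Validation decision kept separate so it can be unit-tested on its own.
    public static bool IsValidCustomerCode(string input)
    {
        return input != null && CustomerCodePattern.IsMatch(input);
    }

    public static DataTable GetOrders(string connectionString, string customerCode)
    {
        // Reject anything outside the allow-list before it reaches the data layer.
        if (!IsValidCustomerCode(customerCode))
        {
            throw new ArgumentException("Customer code failed validation.", nameof(customerCode));
        }

        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.GetOrdersForCustomer", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // The value travels as a typed, length-limited parameter; it is never
            // concatenated into SQL text, so it cannot change the statement.
            cmd.Parameters.Add("@CustomerCode", SqlDbType.VarChar, 12).Value = customerCode;

            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
        }
        return table;
    }
}
```

The connection string belongs to a dedicated SQL user that is not a member of db_datareader or db_datawriter and holds only EXECUTE on the procedures the public-facing code needs (for the assumed procedure, `GRANT EXECUTE ON OBJECT::dbo.GetOrdersForCustomer TO <app_user>`). Validation then limits what reaches the database, parameters stop the value from being interpreted as SQL, and the account limits the damage if either layer is bypassed.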
A: 

I'm using AntiXSS for validating user input - specifically including protection against SQL Injection. I've seen a few attacks but nothing's gotten through - so it seems to work well for me.

Also - Troy knows what he's talking about - his article on the subject is a really good one :)

Adrian K