Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Injection — It's Not Just For SQL Anymore

Posted by ryuzaki0 on from the injections-that-aren't-fun dept.

nywanna writes "When most people think of malicious injection, they think of SQL injection. The fact is, if you are using XML documents or an LDAP directory, you are just as vulnerable to a malicious injection as you would be using SQL. Bryan Sullivan looks at the different types of malicious code injections and examines the very basics of preventing these injections."

7 of 119 comments (clear)

  1. Old news by kill-1 · · Score: 3, Insightful

    Shell scripts have been vulnerable to similar "injection" exploits since the invention of CGI.

  2. More old news by spellraiser · · Score: 3, Insightful

    From TFA:

    The only real way to defend against all malicious code injection attacks is to validate every input from every user.

    Seems simple enough, but it's amazing how often this is ignored or implemented badly.

    --
    I hear there's rumors on the Slashdots
  3. Validate this by gigne · · Score: 4, Insightful
    FTA
    RE: validating input fields...
    To be completely thorough, a developer should set up both white- and blacklists in order to cover all bases.

    I can't help but feel that most developers have at least a little common sense and do something along those lines anyway.
    I often write little validate_input(char *string, char *format) that checks all input string from a user are simple, but more often than not very effective. How is this any different from using white and black lists. Any coder worth their salt would do something to stop malicious input, but no one in completely infallible.

    Security of anything in this world is near on impossible. Hackers will get around anything given time.
    --
    Signature v3.0, now with 42% less memory usage.
  4. Re:It may sound trite, but... by bdigit · · Score: 4, Insightful

    Um you can just as easily reverse engineer a mysql or postgresql database through sql injection attacks also. What's your point?

  5. Re:XML Logic Is Flawed by Ant+P. · · Score: 3, Insightful

    Yeah, but XPath can be done server-side just like SQL.

  6. Re:XML Logic Is Flawed by CowboyBob500 · · Score: 3, Insightful

    But not over an XML representation of the entire damn customer orders table. That's insane.

    Bob

    --
    Listen to my latest album here
  7. Re:Ignorance by bluebox_rob · · Score: 4, Insightful

    I think you're right - as long as you are sure that you know what's going to be done with the data after its been written away to your database. You might have your escaping/quoting routine solidly implemented for all inputs to your system, but the trainee down the hall who writes the reporting application that parses the table once a month might not be so savvy - the cunningly crafted SQL injection attack that your quoting has preserved and saved away into the db could wreak havoc when it gets read out again at the other end. The same goes for any HTML/XML that has been saved away, and then gets blindly written out by a web developer on the Order Summary page, or merged into some larger XML document without proper checks.

    I suppose an apt analogy would be saying that it's ok to allow infectious material into a building as long as it is first correctly sealed in a bio-safe container - well that's true as long as you're sure the janitor isn't going to open it up later that evening and use it for a cookie jar.