
  1. Re: ERR01-J. Do not allow exceptions to expose sensitive information

    that is used in the Exception Shielding pattern. In the deny model, specific exceptions are registered to be sanitized, and all other exceptions are sent back to the client unmodified. However, the deny model is considered less secure, because unanticipated exceptions are not sanitized. This would be simple to incorporate
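As an added illustration of the deny and allow registration models discussed in the comment above (example code, neither the ERR01-J rule's own nor the commenter's; the exception classes, messages and registration sets are assumed for the sake of the example):

```java
import java.io.IOException;
import java.sql.SQLException;
import java.util.Set;

// Added example, not from the CERT rule: the two registration models of the
// Exception Shielding pattern. Which exceptions are registered, and the
// sample messages, are assumed for illustration only.
public class ExceptionShield {
    private static final String GENERIC = "An internal error occurred.";

    // Deny model: these registered exceptions are sanitized; everything else
    // goes back to the client unmodified.
    private static final Set<Class<? extends Exception>> SENSITIVE =
        Set.of(SQLException.class, IOException.class);

    // Allow model: only these registered exceptions pass through; everything
    // else, including anything nobody anticipated, is sanitized.
    private static final Set<Class<? extends Exception>> SAFE =
        Set.of(IllegalArgumentException.class);

    // Subclass-aware membership test, so a FileNotFoundException counts as IOException.
    private static boolean registered(Set<Class<? extends Exception>> set, Exception e) {
        return set.stream().anyMatch(c -> c.isInstance(e));
    }

    static String denyModel(Exception e) {
        return registered(SENSITIVE, e) ? GENERIC : e.getMessage();
    }

    static String allowModel(Exception e) {
        return registered(SAFE, e) ? e.getMessage() : GENERIC;
    }

    public static void main(String[] args) {
        // Constructed samples; the third is the "unanticipated" case.
        Exception[] samples = {
            new SQLException("syntax error near \"' OR 1=1\" in SELECT * FROM users"),
            new IllegalArgumentException("page must be a positive integer"),
            new IllegalStateException("pool exhausted: jdbc:postgresql://db.internal:5432/prod")
        };
        for (Exception e : samples) {
            System.out.println(e.getClass().getSimpleName());
            System.out.println("  deny : " + denyModel(e));   // third sample leaks the JDBC URL
            System.out.println("  allow: " + allowModel(e));  // third sample is shielded
        }
    }
}
```

Running it shows the point the comment makes: the unregistered `IllegalStateException` carrying an internal connection string reaches the client under the deny model but is replaced by the generic message under the allow model.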
  2. Re: IDS33-PL. Sanitize untrusted data passed across a trust boundary

    A handy tool for performing data sanitizations of all stripes, in a consistent way that can be made part of an enterprise coding standard, is the Tie::Function module from CPAN. One can create consistent sanitization syntax by a sanitizer module that ties and then exports things that look like, for instance %H for Html
  3. Re: IDS03-J. Do not log unsanitized user input

    your code should do nothing differently than today, but the logger itself automatically sanitizes log data. However, that would prevent an attacker from creating a fake log message. It would not prevent other bad usernames such as "your mom". Sanitizing something that should be a valid username should definitely
  4. Re: IDS14-J. Do not trust the contents of hidden form fields

    sanitize method and that it catches everything? Don't we give advice elsewhere not to develop custom sanitization methods and instead use methods that are provided … of the NCE/CS and just define it in the intro or something and show it as neutral. Maybe we can have another rule somewhere else that says "sanitize HTML
  5. Re: IDS03-J. Do not log unsanitized user input

    logging APIs is to abstract you from the complexities of properly sanitizing, serializing and storing of log entries. Because of this your logging framework … log used data without your knowledge and before you even get a chance to validate it. Therefore the code to sanitize the logging data should not be messed up
  6. Re: IDS00-J. Prevent SQL injection

    of sanitization. Schema validation has the charm that it is different from the PreparedStatement approach. As you point out, using DOM (or StAX or SAX) to build the XML … . The normative portion of this rule is: "Such data must be sanitized both because the subsystem may be unprepared to handle the malformed input and because unsanitized
  7. IDS03-J. Do not log unsanitized user input

    a carriage return and line feed (CRLF) sequence to mislead an auditor. Log injection attacks can be prevented by sanitizing and validating any untrusted input sent … data sanitization. if (loginSuccessful) { logger.severe("User login succeeded for: " + username); } else { logger.severe("User login failed for: " + username
  8. Taint Analysis

    by amounts proportional to the number of iterations of the loop. Sanitization To remove the taint from a value, the value must be sanitized to ensure that it is in the defined domain of any restricted sink into which it flows. Sanitization is performed by replacement or termination. In replacement, out-of-domain values
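The log-injection scenario of IDS03-J (result 7 above) together with the two sanitization strategies the Taint Analysis snippet names, replacement and termination, as one added example. This is not the rule's own code; the `LoginLogger` class, the assumed username domain and the attacker-controlled input are constructed for the example.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example (not the IDS03-J rule's own code). A CRLF inside an untrusted
// username forges a log record; the value must be sanitized into the domain
// of the logging sink before it flows there, either by termination (reject
// out-of-domain values) or by replacement (map them into the domain).
public class LoginLogger {
    private static final Logger logger = Logger.getLogger(LoginLogger.class.getName());

    // Assumed domain for the sink: a username is one or more word characters.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]+");

    // Noncompliant: the tainted username reaches the log unsanitized.
    static void logLoginUnsanitized(boolean loginSuccessful, String username) {
        if (loginSuccessful) {
            logger.severe("User login succeeded for: " + username);
        } else {
            logger.severe("User login failed for: " + username);
        }
    }

    // Termination: a value outside the domain is rejected and never logged.
    static String sanitizeByTermination(String username) {
        if (!USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("username outside the permitted character set");
        }
        return username;
    }

    // Replacement: every out-of-domain character (CR, LF, any other control or
    // punctuation character) becomes '_', so the value can never start a new
    // log line. The result is always inside the domain.
    static String sanitizeByReplacement(String username) {
        return username.replaceAll("[^A-Za-z0-9_]", "_");
    }

    // Compliant: only sanitized data flows into the sink.
    static void logLoginSanitized(boolean loginSuccessful, String username) {
        String safe = sanitizeByReplacement(username);
        if (loginSuccessful) {
            logger.severe("User login succeeded for: " + safe);
        } else {
            logger.severe("User login failed for: " + safe);
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input: after the CRLF, the remainder reads like a
        // separate, successful login record for "administrator".
        String forged = "guest\r\nSEVERE: User login succeeded for: administrator";

        logLoginUnsanitized(false, forged);  // the forged line appears in the log output
        logLoginSanitized(false, forged);    // a single record; the CRLF became "__"

        try {
            sanitizeByTermination(forged);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Replacement keeps the request flowing but records an altered username, which is acceptable for a log; termination is the better choice where the value also feeds something that must see the original, since an out-of-domain username is then treated as an error rather than quietly rewritten.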
  9. Re: IDS51-J. Properly encode or escape output

    In the intro section, we talk about output sanitization and not output filtering. I'm guessing these two concepts are the same and we should use the term "sanitization" for consistency.
  10. Re: ERR01-J. Do not allow exceptions to expose sensitive information

    From Sun's secure coding guidelines doc - Do not sanitize exceptions containing information derived from caller inputs. If a caller provides the name of a file to be opened, for example, do not sanitize any resulting FileNotFoundException thrown when attempting to open that file. Unsure if the exception handler can