Monday, August 15, 2011

The C14N challenge

Failing to properly validate input data is behind at least half of all application security problems. In order to properly validate input data, you have to start by first ensuring that all data is in the same standard, simple, consistent format – a canonical form. This is because of all the wonderful flexibility in internationalization and data formatting and encoding that modern platforms and especially the Web offer. Wonderful capabilities that attackers can take advantage of to hide malicious code inside data in all sorts of sneaky ways.

Canonicalization is a conceptually simple idea: take data inputs, and convert all of it into a single, simple, consistent normalized internal format before you do anything else with it. But how exactly do you do this, and how do you know that it has been done properly? What are the steps that programmers need to take to properly canonicalize data? And how do you test for it? This is where things get fuzzy as hell.

To read my latest post on canonicalization problems (and the search for solutions), go to the SANS Application Security blog.


1 comment:

cityspideyseo said...

CitySpidey is India's first and definitive platform for hyper local community news, RWA Management Solutions and Account Billing Software for Housing Societies. We also offer air quaity index and residential soceity news of Noida, Dwarka, Indirapuram, Gurgaon and Faridabad. You can place advertisement for your business on city spidey.

Gate Management System
Society Management App
Society Management
rwa Management App
Neighbourhood Management App
Apartment Management App
Apartment Management System
Visitors Management System
Apartment Management Software
Air Quality Index, Air Pollution
Noida News
Gurgaon News
Ghaziabad News
Delhi News
Indirapuram News
Dwarka News

Site Meter