Sunday, March 25, 2007
Cohen on Howard: Chapters 12 to 14
Chapters 12 to 14 deal with more canonicalization issues: database input, web input and internationalization via Unicode.
Cohen:
Chapters 12 and 13 are the same thing as chapter 11, repeated in the context of databases and web servers. In other words, they only give more examples of the same mistakes producing the same sorts of errors in different application environments. Useful for those who didn't get it the first 10 times, redundant for the rest of us.
I dispute that these sections are not useful: they cover real-world attacks and tell you how to prevent them. This is much more actionable than saying "input validation and canonicalization issues exist in the web and database environments as well."
Cohen:
Finally, thankfully, chapter 14 tells us to use Unicode for representing everything. Of course this is based on internationalization issues, not security issues, and ends this section of the book. After 325 pages, I found myself wanting more for less.
If you accept that canonicalization is a security issue, how is internationalization canonicalization not a security issue?
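To make the point concrete, here is a small added example (mine, not from the book or the blog) of why Unicode canonicalization belongs on the security side of the ledger: a character filter applied before NFKC normalization can be defeated by compatibility characters that normalize into the very characters the filter rejects, and two visually different identifiers can collapse into one canonical form. The forbidden-character set, function names and sample strings are constructed for illustration.

```python
import unicodedata
from typing import Optional

# Constructed policy: characters the application refuses to store.
FORBIDDEN = set("<>\"'&")


def validate_then_normalize(s: str) -> Optional[str]:
    """Wrong order: check the raw string, then canonicalize.

    Compatibility characters (fullwidth forms, ligatures, etc.) pass the
    check and only turn into forbidden characters after normalization.
    """
    if any(c in FORBIDDEN for c in s):
        return None
    return unicodedata.normalize("NFKC", s)


def normalize_then_validate(s: str) -> Optional[str]:
    """Right order: canonicalize first, then check the canonical form."""
    canon = unicodedata.normalize("NFKC", s)
    if any(c in FORBIDDEN for c in canon):
        return None
    return canon


def same_identifier(a: str, b: str) -> bool:
    """Compare identifiers by canonical form, so lookalike spellings
    that NFKC maps to the same string are treated as the same name."""
    return unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b)


# Constructed sample: U+FF1C / U+FF1E are FULLWIDTH LESS-THAN / GREATER-THAN
# SIGN, which NFKC maps to ASCII '<' and '>'.
SAMPLE_TAG = "\uff1cb\uff1e"
# Constructed sample: fullwidth Latin letters U+FF41.. that NFKC maps to ASCII.
SAMPLE_ADMIN_WIDE = "\uff41\uff44\uff4d\uff49\uff4e"


if __name__ == "__main__":
    print("validate-then-normalize:", validate_then_normalize(SAMPLE_TAG))
    print("normalize-then-validate:", normalize_then_validate(SAMPLE_TAG))
    print("same identifier:", same_identifier("admin", SAMPLE_ADMIN_WIDE))
```

The order matters because every check is only as good as the form of the data it sees; the same lesson the book applies to paths, SQL and URLs applies to Unicode text, which is what makes it a security issue rather than just an internationalization one.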