
Re: #520, was: Fwd: Gen-Art review of draft-ietf-httpbis-p2-semantics-24 with security considerations

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 19 Nov 2013 13:12:02 +1100
Cc: HTTP Working Group <ietf-http-wg@w3.org>, "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
Message-Id: <DE7B23CA-EE5C-41D5-9371-AC59FDC3FC28@mnot.net>
To: Julian Reschke <julian.reschke@gmx.de>

On 19/11/2013, at 4:46 AM, Julian Reschke <julian.reschke@gmx.de> wrote:

>> Section 9.3:  You may want to include information that informs
>> developers and users of SQL injection attacks.  Fields are still
>> included in some URIs that link you to pages directly that contain
>> personal information using consistent identifiers.  It would be helpful
>> as this is still one of the biggest attack vectors.  A quick search on
>> SQL injection URL will provide additional information for inclusion in
>> the write up.  You mention GET-based forms in section 9.3, but it
>> doesn't mention SQL injection attacks and information in the URIs. Since
>> this is so prevalent still, I think it is important to call out explicitly.
> 
> Not convinced. From an HTTP point of view, URIs are just opaque identifiers. Also, there are many kinds of injection attacks. Should we list them all (XML, javascript...)?

+1 - SQL doesn't have anything to do with HTTP, and even though it is used often in conjunction with the protocol, it's an implementation-specific choice.

For example, I don't use any SQL on my Web site, and am very happy about that :)

Cheers,

--
Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 19 November 2013 02:12:25 UTC
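The point the two replies make, that HTTP hands the application an opaque request-target and the SQL injection (or its absence) happens entirely in application code, is illustrated below with an added example. This is not code from the thread or from the httpbis drafts; it assumes a hypothetical profile lookup keyed by a numeric id in the query string, with constructed sample rows in an in-memory SQLite database. The vulnerable function splices the parameter into SQL text; the hardened one validates and binds it.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: a "profile" table holding personal information,
# keyed by a consistent numeric identifier that a GET-based form might put
# into the query string (e.g. /profile?id=2). Assumed for this example.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def open_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO profile VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def id_from_request_target(target):
    """What the HTTP layer delivers is an opaque request-target string.
    Splitting it into path and query, and picking out 'id', is already
    application-level interpretation, not part of HTTP."""
    parts = urlsplit(target)
    values = parse_qs(parts.query).get("id")
    return values[0] if values else None


def lookup_vulnerable(conn, target):
    """Deliberately vulnerable: the query parameter is pasted into SQL text,
    so '/profile?id=2%20OR%201=1' becomes 'WHERE id = 2 OR 1=1'."""
    raw_id = id_from_request_target(target)
    sql = "SELECT id, name, email FROM profile WHERE id = %s" % raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, target):
    """Hardened: reject anything that is not a plain decimal identifier,
    then bind the value as a parameter so it can never change the query."""
    raw_id = id_from_request_target(target)
    if raw_id is None or not raw_id.isdigit():
        return []
    sql = "SELECT id, name, email FROM profile WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()
```

Both functions receive exactly the same request-target; the transport did nothing different for the benign and the malicious request, which is why the injection is a property of the handler rather than of the protocol. A lookup such as `lookup_vulnerable(open_db(), "/profile?id=2%20OR%201=1")` returns every row, while the parameterized version returns nothing for that input.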
