I don't really care about Scheme or SXML so much as I care about the technique of getting away from raw strings, and only using immutable data with clear semantic meaning -- what the DDD community calls a value object. I think it's sad that input validation is still at the "tainted bit" stage.
I talked a bit about using Scala value classes <http://docs.scala-lang.org/overviews/core/value-classes.html> as value objects in http://tersesystems.com/2012/12/16/problems-scala-fixes/. In particular, the string interpolation technique you mention in your blog post -- you can do custom code transformations in Scala to turn it into a StringContext and do safe transformation of data: http://docs.scala-lang.org/overviews/core/string-interpolation.html

So if I had to talk about practice:

* Transform untrusted input into value objects on input.
* Don't accept non-value object input in your internal APIs.
* Use transformations with implicit type class patterns to do interpolation to an export format.

Will.

On Fri, Nov 22, 2013 at 9:54 AM, Peter Bex <[email protected]> wrote:
> On Fri, Nov 22, 2013 at 09:05:44AM -0800, Will Sargent wrote:
> > I'm theoretically interested in theoretical papers, but as an engineer, I'm
> > continually frustrated that most of the focus in security seems to be on
> > exploits and breaking things, rather than on techniques and tools that can
> > be used for hardening and preventing attacks.
>
> Amen to that!
>
> > I'm moving around my security website at http://hardenwebapps.com/ to be
> > more focused on tools and techniques vs just listing out the attacks and
> > "how to get pwned" exploits, but I don't find XSS attacks or fuzzing
> > intrinsically interesting. I'd be more interested in a tool that made XSS
> > / fuzzing attacks impossible.
>
> That's a useful site, I'll keep it around for reference. By the way,
> have you considered adding a section about Scheme/SXML to the XSS and
> SQL injection page? Haskell and other typed languages are interesting
> as well, since typing is a simple way to prevent non-HTML/SQL strings
> from being entered into HTML/SQL (this can be emulated with dynamic
> but strictly typed languages like Scheme or Ruby as well, but it's a
> little more cumbersome).
>
> Partly out of the same frustration you have with the security industry's
> focus on "today's hottest exploits", I wrote an article a while ago
> which discusses the ways in which injection attacks can be prevented
> properly, and how to *pervasively* prevent such attacks in software:
> http://www.more-magic.net/posts/structurally-fixing-injection-bugs.html
>
> Originally that post opened with a rant about the focus on exploits, but
> I decided to scrap it and keep the one line at the start :) If you'd
> like more info about SXML or other things I discussed, let me know and
> I'd gladly provide some examples.
>
> Cheers,
> Peter Bex
> --
> http://www.more-magic.net
_______________________________________________
langsec-discuss mailing list
[email protected]
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
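Editor's added example, not code from Will's message or from any of the linked posts: the three practices he lists (value objects at the input boundary, internal APIs that accept only value objects, type-class style encoders feeding a custom interpolator) transposed from Scala value classes and a StringContext method into TypeScript classes with private constructors and a tagged template literal. The names SafeHtml, Username, HtmlEncoder and html, and the username rule, are invented for the illustration; the sample inputs are constructed.

```typescript
// Added example: value objects plus a safe interpolator, in TypeScript.
// All names here are invented for the illustration.

function escapeString(raw: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return raw.replace(/[&<>"']/g, (c) => map[c] ?? c);
}

// Value object: an HTML fragment that is safe to emit verbatim. The private
// constructor means the only producers are escape() and interpolate(), so a
// raw string can never pose as one.
class SafeHtml {
  private constructor(readonly value: string) {}

  static escape(raw: string): SafeHtml {
    return new SafeHtml(escapeString(raw));
  }

  // Counterpart of a custom StringContext method in Scala: literal template
  // text is trusted because it sits in the source, every interpolated value
  // goes through its encoder, and the result is again a SafeHtml value.
  static interpolate(strings: TemplateStringsArray, ...args: HtmlArg[]): SafeHtml {
    let out = strings[0] ?? "";
    args.forEach((arg, i) => {
      out += encodeArg(arg).value + (strings[i + 1] ?? "");
    });
    return new SafeHtml(out);
  }
}

// Practice 1: untrusted input becomes a value object at the boundary, so the
// validation rule lives in one place and downstream code trusts the type.
// The rule itself (lowercase alphanumerics/underscore, 3..16 chars) is made up.
class Username {
  private constructor(readonly value: string) {}

  static parse(raw: string): Username | null {
    return /^[a-z0-9_]{3,16}$/.test(raw) ? new Username(raw) : null;
  }
}

// Practice 3: one encoder per type, shaped like a type class instance.
// TypeScript has no implicit resolution, so encodeArg picks the instance at
// runtime by instanceof/typeof; in Scala the compiler would pick it statically.
interface HtmlEncoder<A> {
  encode(a: A): SafeHtml;
}

const stringEncoder: HtmlEncoder<string> = { encode: (s) => SafeHtml.escape(s) };
const numberEncoder: HtmlEncoder<number> = { encode: (n) => SafeHtml.escape(String(n)) };
const usernameEncoder: HtmlEncoder<Username> = { encode: (u) => SafeHtml.escape(u.value) };
const safeHtmlEncoder: HtmlEncoder<SafeHtml> = { encode: (h) => h };

type HtmlArg = string | number | Username | SafeHtml;

function encodeArg(arg: HtmlArg): SafeHtml {
  if (arg instanceof SafeHtml) return safeHtmlEncoder.encode(arg);
  if (arg instanceof Username) return usernameEncoder.encode(arg);
  if (typeof arg === "number") return numberEncoder.encode(arg);
  return stringEncoder.encode(arg);
}

// The tag used as html`...`; a plain string in the template is still escaped,
// an existing SafeHtml value is spliced in unchanged.
const html = SafeHtml.interpolate;

// Practice 2: internal APIs take value objects only. Passing a raw string as
// `user` is a compile-time error, so the validation step cannot be skipped.
function greeting(user: Username, unread: number): SafeHtml {
  return html`<p>Hello, <b>${user}</b>! You have ${unread} new messages.</p>`;
}

// Boundary code: raw input goes through parse() first; rejected input never
// reaches greeting(). The raw name is constructed sample input.
function demo(rawName: string): string {
  const user = Username.parse(rawName);
  if (user === null) return "rejected at the boundary";
  return greeting(user, 3).value;
}
```

The point of the private constructors is that `SafeHtml` and `Username` cannot be fabricated from a string anywhere else in the code base; the escaping and the validation rule are each written once, and the type checker, not a reviewer, enforces that every path from raw input to HTML output passes through them.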
