[langsec-discuss] WYSINWYG - a (mostly) langsec vulnerability category
Meredith L. Patterson
clonearmy at gmail.com
Tue Dec 2 22:20:04 UTC 2014
On Tue, Dec 2, 2014 at 8:36 PM, <travis+ml-langsec at subspacefield.org> wrote:
> On Tue, Dec 02, 2014 at 11:05:00AM -0800, Will Sargent wrote:
> > Would "parse tree differential attack" overlap with this category as
> > http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=6553401
> Full Text Here?
Yup, that's the technical report version of the IEEE paper.
BTW, what do you & langsec think of this?
> Using parse tree validation to prevent SQL injection attacks (2005)
Discussed in the paper above, actually. We made the same argument you do --
that attempting to recognise an SQL dialect using a "generic" SQL dialect
opens up room for parse tree differential attacks much like how the X.509
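Added example (not part of the original message or the paper it cites): a minimal illustration of the differential described above, where a validator using "generic" SQL string-literal rules and a dialect that also honours backslash escapes read the same text as different token structures. The tokenizer, the `backslash_escapes` switch and the sample queries are constructed for illustration and do not model any particular database's full grammar.

```python
def tokenize(sql, backslash_escapes):
    """Split sql into ('code', text) and ('str', body) tokens.

    backslash_escapes=False: generic rule, only '' escapes a quote.
    backslash_escapes=True: assumed dialect rule, a backslash also
    escapes the character that follows it inside a literal.
    """
    tokens, buf, i, in_str = [], [], 0, False
    while i < len(sql):
        ch = sql[i]
        if not in_str:
            if ch == "'":                      # literal opens
                if buf:
                    tokens.append(("code", "".join(buf)))
                buf, in_str = [], True
            else:
                buf.append(ch)
        elif backslash_escapes and ch == "\\" and i + 1 < len(sql):
            buf.append(sql[i + 1])             # dialect-only escape
            i += 1
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            buf.append("'")                    # doubled quote, both rules
            i += 1
        elif ch == "'":                        # literal closes
            tokens.append(("str", "".join(buf)))
            buf, in_str = [], False
        else:
            buf.append(ch)
        i += 1
    if in_str:
        raise ValueError("unterminated string literal")
    if buf:
        tokens.append(("code", "".join(buf)))
    return tokens


def differential(sql):
    """Return (generic_tokens, dialect_tokens) when the readings differ, else None."""
    views = []
    for flag in (False, True):
        try:
            views.append(tokenize(sql, flag))
        except ValueError as exc:
            views.append([("error", str(exc))])
    return None if views[0] == views[1] else tuple(views)


# Constructed sample inputs (not taken from the thread or the paper).
AGREE = "SELECT 'it''s', 'b'"
DIVERGE = "SELECT 'a\\' , \\'b'"   # the text is: SELECT 'a\' , \'b'
```

A validator that approves the generic reading of `DIVERGE` (two literals with code between them) has checked a different structure from the single literal the backslash-aware reading produces, which is why validation has to use the same grammar as the system that will execute the query.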