Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-27 Thread George Capehart
Dinis Cruz wrote:
> After my explanations in this email do you still think that this is correct? Or can you accept now that it is possible to build a Sandboxed environment that is able to protect against the majority of the serious security issues that affect web apps today?
>
> If you do

RE: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-27 Thread Jeff Williams
Dinis Cruz wrote:
> If you do accept that it is possible to build such sandboxes, then we need to move to the next interesting discussion, which is the 'HOW'
>
> Namely, HOW can an environment be created where the development and deployment of such Sandboxes makes business sense.

It's the "b

[SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-27 Thread Stephen de Vries
Hi Dinis, On 24 May 2006, at 05:34, Dinis Cruz wrote: In the solution that I am envisioning, you will have multiple Sandboxes, one inside the other, separated by very clearly defined layers (the input choke points / attack surface) where each sandbox is allocated privileges accordingly

Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-24 Thread Andrew van der Stock
Dinis,

Sandboxing prevents a machine from having bad system() and buffer overflows causing system compromise. Sure that's bad enough. However, sandboxing does not prevent:

* all types of cross-site scripting
* SQL injection
* Command injection via SQL injection (xp_cmdshell and similar Orac

[SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-23 Thread Dinis Cruz
(sorry for the long time that it took for this response, see comments inline) Stephen de Vries wrote: Hi Dinis, I think you're overestimating the effectiveness of a sandbox in preventing common web app vulnerabilities, and you're instead focussing on the tiny fraction of specific attacks tha