Dinis Cruz wrote:
> After my explanations in this email do you still think that this is
> correct? Or can you accept now that it is possible to build a Sandboxed
> environment that is able to protect against the majority of the serious
> security issues that affect web apps today?
>
> If you do accept that it is possible to build such sandboxes, then we
> need to move to the next interesting discussion, which is the 'HOW'
>
> Namely, HOW can an environment be created where the development and
> deployment of such Sandboxes makes business sense.
It's the "b
Dinis,
Sandboxing prevents a machine from having bad system() and buffer
overflows causing system compromise. Sure that's bad enough. However,
sandboxing does not prevent:
* all types of cross-site scripting
* SQL injection
* Command injection via SQL injection (xp_cmdshell and similar Orac
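As an added illustration of the SQL injection point above (this code is not from the thread or from either author), the snippet below runs a login query inside a stand-in "sandbox" that forbids every database write; the concatenated query is still hijacked by crafted input because the injected statement is a perfectly valid read, while the parameterised version is not. The table, credentials and the authorizer policy are all constructed for the demo.

```python
import sqlite3

# Constructed credentials for the demo; nothing here touches the OS.
_SEED = [("alice", "correct-horse")]

def _read_only_sandbox(action, _a1, _a2, _db, _src):
    # Stand-in for a sandbox policy at the DB layer: reads only.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                  sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _SEED)
    conn.set_authorizer(_read_only_sandbox)  # "sandbox" engaged from here on
    return conn

def login_vulnerable(conn, name, password) -> bool:
    # Input is pasted into the SQL text, so it can change the query's logic.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_fixed(conn, name, password) -> bool:
    # Bound parameters: input stays data, never SQL syntax.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def sandbox_blocks_writes(conn) -> bool:
    # The policy does stop a write, showing the sandbox is active.
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.DatabaseError:
        return True
    return False

def demo() -> dict:
    conn = make_db()
    bad_pw = "' OR '1'='1"  # textbook injection string; no OS calls involved
    return {
        "writes_blocked": sandbox_blocks_writes(conn),
        "vulnerable_login_bypassed": login_vulnerable(conn, "alice", bad_pw),
        "fixed_login_bypassed": login_fixed(conn, "alice", bad_pw),
        "fixed_login_valid": login_fixed(conn, "alice", "correct-horse"),
    }

if __name__ == "__main__":
    print(demo())
```

The write is refused, yet the vulnerable login is bypassed anyway: the sandbox never sees anything it considers illegal, which is exactly why it cannot stand in for parameterised queries.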