Hacker News

zmmmmm, last Sunday at 12:10 AM, 1 reply

This is a fantastic way of framing it, in terms of simple fundamental principles.

The problem with most presentations of injection attacks is that it only inspires people to start thinking of broken workarounds - all the things mentioned in the article. And they really believe they can do it. Instead, as put here, we have to start from a strong assumption that we can't fix a breakage of the lethal trifecta rule. Rather, if you want to break it, you have to analyse, mitigate and then accept the irreducible risk you just incurred.
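The comment treats the trifecta rule as a hard constraint: an agent that holds all three legs (access to private data, exposure to untrusted content, and a way to communicate externally, which is what Simon Willison's "lethal trifecta" refers to) is not something to be patched around, only reviewed and explicitly accepted. The check below is an added illustration of that stance, not code from the thread or from any project: it labels each tool with the legs it contributes, refuses a configuration that completes the trifecta unless a reviewer has recorded a risk acceptance, and reports which tools would have to go to break the combination. The tool names, the `accepted_risk` field and the sample agents are all constructed for the demo.

```python
from dataclasses import dataclass

# Capability labels for the three legs of the "lethal trifecta": access to
# private data, exposure to untrusted content, and the ability to communicate
# externally. An agent holding all three can be steered by injected
# instructions into leaking the private data, whatever filtering sits in front.
PRIVATE_DATA = "private_data"
UNTRUSTED_CONTENT = "untrusted_content"
EXTERNAL_COMMS = "external_comms"
TRIFECTA = frozenset({PRIVATE_DATA, UNTRUSTED_CONTENT, EXTERNAL_COMMS})


@dataclass(frozen=True)
class Tool:
    name: str
    capabilities: frozenset  # subset of TRIFECTA that this tool contributes


@dataclass
class AgentConfig:
    name: str
    tools: tuple
    # Hypothetical field: a reviewer's written record that the residual risk was
    # analysed and accepted. Empty means nobody has signed off.
    accepted_risk: str = ""


def trifecta_legs(config):
    """Return the set of trifecta legs the agent's tools collectively hold."""
    legs = set()
    for tool in config.tools:
        legs |= tool.capabilities & TRIFECTA
    return legs


def evaluate(config):
    """Classify an agent configuration.

    'ok'            fewer than three legs, so no injection-driven exfiltration path
    'blocked'       all three legs present and no recorded risk acceptance
    'accepted_risk' all three legs present, a reviewer has recorded acceptance
    """
    legs = trifecta_legs(config)
    if legs != TRIFECTA:
        return "ok"
    if config.accepted_risk.strip():
        return "accepted_risk"
    return "blocked"


def tools_holding_each_leg(config):
    """Map each leg to the (sorted) tool names that hold it.

    To break the trifecta by removing a leg, every tool listed under that leg
    has to be dropped; this gives a reviewer the concrete options.
    """
    options = {}
    for leg in sorted(TRIFECTA):
        holders = sorted(t.name for t in config.tools if leg in t.capabilities)
        if holders:
            options[leg] = holders
    return options


# Constructed sample tools: an inbox holds private data and text from untrusted
# senders; a URL fetcher returns untrusted pages and can carry data out in the URL.
READ_MAIL = Tool("read_mailbox", frozenset({PRIVATE_DATA, UNTRUSTED_CONTENT}))
FETCH_URL = Tool("fetch_url", frozenset({UNTRUSTED_CONTENT, EXTERNAL_COMMS}))
SUMMARISE = Tool("summarise_text", frozenset())

# Constructed sample agents.
ASSISTANT = AgentConfig("mail_assistant", (READ_MAIL, FETCH_URL))
SUMMARISER = AgentConfig("mail_summariser", (READ_MAIL, SUMMARISE))
REVIEWED = AgentConfig(
    "mail_assistant_reviewed",
    (READ_MAIL, FETCH_URL),
    accepted_risk="risk review ticket PLACEHOLDER-123: residual exfiltration risk accepted",
)

if __name__ == "__main__":
    for agent in (ASSISTANT, SUMMARISER, REVIEWED):
        print(agent.name, evaluate(agent), sorted(trifecta_legs(agent)))
    print(tools_holding_each_leg(ASSISTANT))
```

The point of the design is that the check has exactly one escape hatch, a recorded acceptance, and no allowlist of "safe" prompts or content filters: those are the broken workarounds the comment is warning about.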


Replies

Terr_, last Sunday at 8:46 AM

> The problem with most presentations of injection attacks is that it only inspires people to start thinking of broken workarounds - all the things mentioned in the article. And they really believe they can do it.

They will be doomed to repeat the mistakes of prior developers, who "fixed" SQL injections at their companies with kludges like rejecting input with suspicious words like "UPDATE"...
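The keyword kludge the reply mentions fails in both directions: it rejects legitimate text that happens to contain a word like "update", and it leaves the actual defect (splicing user input into the SQL string) untouched, so even a harmless apostrophe breaks the query. The snippet below is an added demonstration, not code from either commenter; it uses an in-memory SQLite table with constructed rows and shows the blocklist check, the string-built query, and the parameterized query that is the real fix.

```python
import sqlite3

# The kludge: a blocklist of "suspicious" SQL words applied to user input.
SUSPICIOUS_WORDS = ("UPDATE", "DELETE", "DROP", "INSERT")


def kludge_allows(user_input):
    """Return False if the input contains a blocklisted word (case-insensitive).

    This is the 'fix' the comment describes. It false-positives on ordinary
    text and does nothing about how the query is built.
    """
    upper = user_input.upper()
    return not any(word in upper for word in SUSPICIOUS_WORDS)


def setup_db():
    """Constructed sample data: a notes table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (body) VALUES (?)",
        [("Please update my mailing address",), ("O'Brien's invoice",)],
    )
    return conn


def search_unsafe(conn, term):
    """The vulnerable pattern: the search term is spliced into the SQL text.

    Any quote character in `term` changes the statement's structure, so even
    benign input such as a surname with an apostrophe produces a syntax error.
    """
    sql = f"SELECT body FROM notes WHERE body LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_safe(conn, term):
    """The real fix: a parameterized query. The driver passes `term` as a value,
    so it can never be interpreted as SQL, whatever characters it contains."""
    rows = conn.execute(
        "SELECT body FROM notes WHERE body LIKE ?", ("%" + term + "%",)
    ).fetchall()
    return [row[0] for row in rows]


def unsafe_query_fails(conn, term):
    """True if the string-built query raises a database error for this term."""
    try:
        search_unsafe(conn, term)
    except sqlite3.Error:
        return True
    return False


def demo():
    """Run the three behaviours against the sample table and return the results."""
    conn = setup_db()
    return {
        # The blocklist rejects a perfectly ordinary request.
        "kludge_rejects_legit": not kludge_allows("update my address"),
        # The string-built query cannot even handle a surname with an apostrophe.
        "unsafe_breaks_on_apostrophe": unsafe_query_fails(conn, "O'Brien"),
        # The parameterized query treats both inputs as plain data.
        "safe_handles_apostrophe": search_safe(conn, "O'Brien"),
        "safe_handles_update": search_safe(conn, "update my"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway matches the comment: the defence has to change how the query is constructed, not inspect what the user typed. Note that SQLite's `LIKE` is case-insensitive for ASCII, which is why "update my" matches the capitalised row.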