Web Application Attack Surface
else
{
die('Unsupported Page Request.');
}
?>
Here an array of acceptable page requests serves as a lookup table for incoming redirect requests. It applies indirection through a lookup key carried in the GET request. If the lookup succeeds, the redirect is allowed using the value from the lookup table, never the raw user-supplied value; if it fails, the request is refused. Table lookups of this kind are a valuable tool for adding security in depth.
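The full pattern the fragment above belongs to, written out as an added example (this is not the book's code; the names `$redirect_targets`, `resolve_redirect()` and the `page` query parameter are assumptions chosen for illustration). It also covers two inputs the prose does not mention: a non-string value, which PHP produces for a query string such as `?page[]=x`, and a key that differs only in case.

```php
<?php
// Added example (not the book's code): indirect redirect via a lookup table.
// $redirect_targets, resolve_redirect() and the 'page' parameter are assumptions.

$redirect_targets = [
    'home'    => '/index.php',
    'account' => '/account/overview.php',
    'help'    => 'https://help.example.com/start',   // constructed sample target
];

/**
 * Map a user-supplied lookup key to a redirect target.
 * Returns the target from the table, or null when the key is missing,
 * is not a plain string, or is not a key of the table. The raw key is
 * never used as a URL, so the caller cannot steer the redirect.
 */
function resolve_redirect(array $targets, $key): ?string
{
    // ?page[]=x arrives as an array; reject anything that is not a string
    // before it reaches the table (is_string also rejects null).
    if (!is_string($key)) {
        return null;
    }
    // Match on keys, never values, and with an exact (case-sensitive) lookup:
    // 'HOME' is not 'home', and no loose comparison against URLs takes place.
    if (!array_key_exists($key, $targets)) {
        return null;
    }
    return $targets[$key];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: two valid keys, then four that must be refused.
    $samples = ['home', 'account', '//evil.example/', 'HOME', ['home'], null];
    foreach ($samples as $sample) {
        var_dump(resolve_redirect($redirect_targets, $sample));
    }
    exit;
}

$page   = $_GET['page'] ?? null;
$target = resolve_redirect($redirect_targets, $page);

if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit;
} else {
    http_response_code(400);
    die('Unsupported Page Request.');
}
?>
```

Run from the command line, the script prints the two table values followed by four `NULL`s; served by a web server, it redirects only for keys present in the table and answers every other request with a 400 and the same error message as the original fragment.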
Theory of Input Filtering and Output Escaping
Data is now processed differently than it was in the era of compiled desktop apps. The processing of both input and output is done via text interpreters that function differently based on context. There is the PHP parser, the MySQL pars ...
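Because each interpreter has its own syntax, the same untrusted value has to be escaped differently for each output context. The following added example (not the book's code; the three helper names are assumptions) escapes one constructed string for the HTML parser, for a URL query string and for a JavaScript string literal, using only PHP's built-in functions.

```php
<?php
// Added example (not the book's code): one untrusted value, escaped for three
// different interpreters. The helper names are assumptions for illustration.

function escape_for_html(string $s): string
{
    // HTML parser context: neutralise <, >, &, " and ' so the value stays text.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_for_url_param(string $s): string
{
    // URL query-string context: percent-encode everything outside the
    // unreserved set, so the value cannot add or split parameters.
    return rawurlencode($s);
}

function escape_for_js_literal(string $s): string
{
    // JavaScript string-literal context inside an HTML <script> block:
    // JSON-encode, and hex-escape <, >, &, ' and " so the literal can neither
    // break out of the string nor close the enclosing <script> element.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input containing characters meaningful to each interpreter.
$untrusted = '<b>O\'Reilly & "Sons"</b>';

echo escape_for_html($untrusted), PHP_EOL;
echo escape_for_url_param($untrusted), PHP_EOL;
echo escape_for_js_literal($untrusted), PHP_EOL;
?>
```

The point to notice is that none of the three results is safe in the other two contexts: an HTML-escaped value placed in a URL, or a URL-encoded value placed in a script block, is still interpreted by a parser it was not escaped for. Output escaping therefore has to be chosen per interpreter at the point of output, which is why the text separates it from input filtering.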