Output Encoding

How does Output Encoding help?

Values received from a data source should be treated only as what they are (data) and nothing else. This means that if something malicious is passed into a relevant resource, it is not rendered and does not trigger any unintentional event.

Output Encoding Methods

I. Escape Characters

A sequence usually beginning with a backslash ("\") followed by an encoding or character, which forces what follows to be interpreted differently.

II. HTML Entities

A string that begins with an ampersand ("&") and ends with a semicolon (";"). Entities are used when generating content with multiple encodings and are particularly useful for displaying reserved characters that would otherwise not be displayed.
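As an added example (not code from the page), here are methods I and II side by side in Python: an HTML-entity encoder for text placed in an element body, and a backslash-escape encoder for a value placed inside a JavaScript string literal. The function names and the sample input are this example's own.

```python
"""Context-aware output encoders for methods I and II (added example)."""

# Characters that carry meaning in HTML markup, mapped to HTML entities.
# Encoded, they are displayed as text instead of being parsed as markup.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",  # numeric form: &apos; is not supported by every parser
}


def encode_for_html(value: str) -> str:
    """HTML-entity-encode every reserved character (method II)."""
    # str.translate substitutes in a single pass, so the "&" produced by
    # "&lt;" is never re-encoded into "&amp;lt;".
    return value.translate({ord(ch): ent for ch, ent in HTML_ENTITIES.items()})


def encode_for_js_string(value: str) -> str:
    """Backslash-escape a value for a JavaScript string literal (method I).

    Every non-alphanumeric character becomes \\xHH (or \\uHHHH above 0xFF),
    so the value can never close the surrounding quote, end the <script>
    element or smuggle in a line terminator.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if code < 128 and ch.isalnum():
            out.append(ch)
        elif code < 256:
            out.append(f"\\x{code:02X}")
        elif code > 0xFFFF:  # astral plane: emit a UTF-16 surrogate pair
            hi, lo = 0xD800 + ((code - 0x10000) >> 10), 0xDC00 + ((code - 0x10000) & 0x3FF)
            out.append(f"\\u{hi:04X}\\u{lo:04X}")
        else:
            out.append(f"\\u{code:04X}")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input: markup that must be shown, not executed.
    untrusted = '<script>alert("x")</script>'
    print(encode_for_html(untrusted))       # &lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;
    print(encode_for_js_string(untrusted))  # \x3Cscript\x3Ealert\x28\x22x\x22\x29\x3C\x2Fscript\x3E
```

Each encoder is tied to one output context; a value destined for an attribute, a URL or a CSS block needs its own context-specific encoder rather than one of these.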

III. Data Serialization

This is the process of transforming objects into a data format that can be restored later, usually for storage or for transmission of data. It is highly dependent on the programming language in use, since objects are translated into a form that language understands.

TAKEAWAYS

  • This goes hand in hand with Input Validation.

  • When using open source libraries, always check for vulnerabilities and security fixes to make sure that they are always well-maintained.

  • Always be wary of parameters defined by users externally in order to avoid insecure deserialization of objects from malicious sources.

  • Make sure that deserialization is done over a secure channel or in a low-privilege environment as much as possible. This makes lateral movement a bit harder.
