The title might be confusing, let’s see if we can clear it up.
I saw an article the other day that was giving a comparison between encoding, encryption and hashing. There was a statement made that basically said:
Encoding has no security purpose.
I thought this was interesting because when training on security topics we mention encoding for specific use cases. For example, when we discuss Cross-Site Scripting, the answer is output encoding.
I want to clarify that I agree with the statement in the article in that encoding does not provide any type of protections regarding confidentiality or anything like that. There is no data protection there. It does start me thinkng about encoding vs. escaping.
In the example above, regarding XSS, we really are talking about escaping, right? For SQL Injection we would say to escape the data, not encode it. For XSS we are trying to achieve the same goal: Ensure that control characters are not interpreted, but read as data.
The difference is that for SQL we would escape something like a single quote (‘) with two single quotes (”). This tells the Interpreter to treat the single quote as data (like O’Reilly) instead of treating it like a delimiter around data.
However, in the browser we typically encode characters rather than escape them. Instead of returning a (<) character, I would return (<). This tells the browser to display a (<) character on the page rather than treat it as the beginning of an HTML tag.
This leads to some confusion when you are following the rules of the interpreter that uses encoding to escape.
When I teach classes I always use the different terminology when I cover these vulnerabilities. SQL Injection uses escaping. XSS is focused on encoding. In the end, the goal is escaping even though one uses encoding.
This becomes confusing when you want to discuss encoding at a pure level as it tends to have a different meaning depending on the context that you use it.
While encoding and escaping are technically different things, their terms are used almost as one when it comes to things like cross-site scripting. In that context, the encoding actually does provide a security purpose even though it is based on the interpreter the data is being sent to.
Security can be confusing at times. If you have questions or thoughts about application security, I would love to have a conversation around them. Feel free to reach out to me. Let me know what struggles you have when it comes to appsec.