[Esapi-dev] Classic ASP's "HomoXSSuality"
Jim Manico
jim.manico at owasp.org
Sat Sep 11 15:12:36 EDT 2010
+1 Jeff. Yet Another Reason why we can't depend on input validation to stop XSS for certain kinds of input. ESAPI contextual output encoding via the OWASP XSS Cheat-sheet will still stop XSS in the face of this weakness.
Jim Manico
jim at manico.net
On Sep 11, 2010, at 8:06 AM, "Jeff Williams" <jeff.williams at aspectsecurity.com> wrote:
> My read on this is that the Classic ASP Request API is returning
> potentially dangerous characters through some sort of built in
> normalization. This is dumb, but...
>
> In ESAPI if these new dangerous characters fail validation, then we're
> safe. If they pass validation, then we'll escape them properly for the
> browser in the Encoder.
>
> I think we're safe here. Thoughts?
>
> --Jeff
>
>
> -----Original Message-----
> From: esapi-dev-bounces at lists.owasp.org
> [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
> Sent: Friday, September 10, 2010 11:30 PM
> To: ESAPI-Developers
> Subject: [Esapi-dev] Classic ASP's "HomoXSSuality"
>
> Giorgio Maone, author of the popular Firefox NoScript extension,
> recently
> (on 8/17/2010) noted some arcane classic ASP that might need to have
> special encoding rules in ESAPI (well, in the Classic ASP ESAPI at
> least).
>
> See this entry of his blog:
>
> <http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/>
>
> Not sure if it is something that ESAPI should address or not, so I'll
> let the rest of you debate it.
>
> Enjoy,
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
>
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
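An added example (not from this thread, ESAPI, or the linked blog) that models the point Jeff and Jim make: a validator that inspects the raw request value passes full-width look-alike characters, a framework normalization step (modelled here with Unicode NFKC, an assumption about the mechanism, not Classic ASP's actual behaviour) folds them into real `<` and `>`, and only output encoding applied after that step neutralizes the result. All function names and the sample input are constructed for the illustration.

```python
import html
import re
import unicodedata

# Constructed sample input: it contains no ASCII '<' or '>' at all, only the
# full-width look-alikes U+FF1C and U+FF1E, so a filter that inspects the raw
# request value sees nothing HTML-significant.
RAW_INPUT = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"

# A naive allowlist: reject anything containing HTML-significant characters.
SAFE_TEXT = re.compile(r"[^<>\"'&]*")


def validate(value: str) -> bool:
    """Allowlist check as an application might run it on the raw request value."""
    return SAFE_TEXT.fullmatch(value) is not None


def framework_normalize(value: str) -> str:
    """Stand-in (assumption) for a request API that folds look-alike characters
    to ASCII equivalents; NFKC maps U+FF1C to '<' and U+FF1E to '>'."""
    return unicodedata.normalize("NFKC", value)


def html_encode(value: str) -> str:
    """Contextual output encoding for an HTML element-content context."""
    return html.escape(value, quote=True)


def render_validated_only(value: str) -> str:
    """Validate the raw value, then emit the framework-normalized value as-is:
    the check passed, yet live markup reaches the page."""
    if not validate(value):
        return "<div></div>"
    return "<div>" + framework_normalize(value) + "</div>"


def render_encoded(value: str) -> str:
    """Same flow, but the value is HTML-encoded at the output point, after the
    normalization has happened, so the folded '<' and '>' are neutralized."""
    if not validate(value):
        return "<div></div>"
    return "<div>" + html_encode(framework_normalize(value)) + "</div>"
```

Running `validate` on the normalized value instead of the raw one rejects the input, which is Jeff's first case; the encoded render covers the case where validation runs too early or is absent.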