[Esapi-dev] Classic ASP's "HomoXSSuality"

Jim Manico jim.manico at owasp.org
Sat Sep 11 15:15:47 EDT 2010


> On a related note - is anyone aware of any tool to build a language-agnostic set of tests that can be applied to a codebase? 

IDL (interface description language) - I totally support this cross-language unit test plan.

Jim Manico
jim at manico.net

On Sep 11, 2010, at 8:40 AM, Chris Schmidt <chrisisbeef at gmail.com> wrote:

> I think it would be worthwhile to run this through a good test case - I unfortunately do not have any classic ASP environment set up to test this at this point in time, but if anyone does and could add a test for this case it would be good. 
> 
> My first thought would be Selenium, which may be the right answer but will require a full working environment and swingset-type app for each language. Ultimately what I want to be able to do is build a test suite that can be run against all implementations of the ESAPI and make sure that behavior is the same across all of them. This will become fairly important as the project continues to mature, and was one of the issues that I heard more than once while talking to people at AppSecUSA - there is concern that things are getting fixed in the Java version and not getting resolved in the other ESAPI versions (particularly .NET in this case). 
> 
> I think this is a very valid concern and something that will become more important as the project continues to get more and more adopters and integration into enterprise applications. People with large enterprise applications are apt to have several applications in several languages - I know personally at ServiceMagic we have apps in Java, .Net, and PHP and it would be nice to feel good that no matter which app I was using the results of implementing the ESAPI in any of them would be the same.
> 
> On Sat, Sep 11, 2010 at 12:06 PM, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:
> My read on this is that the Classic ASP Request API is returning
> potentially dangerous characters through some sort of built in
> normalization. This is dumb, but...
> 
> In ESAPI if these new dangerous characters fail validation, then we're
> safe.  If they pass validation, then we'll escape them properly for the
> browser in the Encoder.
> 
> I think we're safe here. Thoughts?
> 
> --Jeff
> 
> 
> -----Original Message-----
> From: esapi-dev-bounces at lists.owasp.org
> [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
> Sent: Friday, September 10, 2010 11:30 PM
> To: ESAPI-Developers
> Subject: [Esapi-dev] Classic ASP's "HomoXSSuality"
> 
> Giorgio Maone, author of the popular Firefox NoScript extension, recently
> (on 8/17/2010) noted some arcane classic ASP that might need to have
> special encoding rules in ESAPI (well, in the Classic ASP ESAPI at
> least).
> 
> See this entry of his blog:
> 
> <http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/>
> 
> Not sure if it is something that ESAPI should address or not, so I'll
> let the rest of you debate it.
> 
> Enjoy,
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
> 
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
> 
> 
> 
> -- 
> Chris Schmidt
> 
> OWASP ESAPI Developer
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
> 
> Check out OWASP ESAPI for Java
> http://code.google.com/p/owasp-esapi-java/
> 
> OWASP ESAPI for JavaScript
> http://code.google.com/p/owasp-esapi-js/
> 
> Yet Another Developers Blog
> http://yet-another-dev.blogspot.com
> 
> Bio and Resume
> http://www.digital-ritual.net/resume.html
> 
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
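Jeff's point above is about ordering: validation must run on the form of the input the platform actually hands the application (after whatever implicit normalization the Classic ASP Request API applies), and output encoding must run on that same form, so a character that only becomes dangerous after normalization is either rejected or escaped. Chris's point is that the same test cases should be runnable against every ESAPI implementation. The following is an added example, written for this editorial copy and not code from the thread or from any ESAPI implementation. It uses Unicode NFKC as a stand-in for the platform normalization (an assumption: the thread does not say what mapping Classic ASP applies, only that "dangerous characters" come out of it), expresses the test cases as a language-neutral JSON vector table that any implementation could consume, and contrasts a blacklist check on the raw bytes (bypassed) with validate-on-canonical-form-then-encode (safe). Python is used because the verifier can run it and because a cross-language vector harness is deliberately not tied to any one ESAPI port.

```python
import html
import json
import re
import unicodedata

# Constructed test vectors in a language-neutral format (JSON) so that every
# implementation can run the identical cases. These are illustrative, not the
# project's own vectors. "valid" is the expected validator verdict for the
# canonical form; "encoded" is the expected HTML-encoded canonical form.
TEST_VECTORS_JSON = r'''
[
  {"name": "plain",        "input": "Bob",                  "valid": true,  "encoded": "Bob"},
  {"name": "ascii_lt",     "input": "<script>",             "valid": false, "encoded": "&lt;script&gt;"},
  {"name": "fullwidth_lt", "input": "\uff1cscript\uff1e",   "valid": false, "encoded": "&lt;script&gt;"},
  {"name": "ligature",     "input": "\ufb01le",             "valid": true,  "encoded": "file"}
]
'''

# Whitelist for a hypothetical "display name" field: alphanumerics and spaces.
ALLOWED = re.compile(r"^[A-Za-z0-9 ]{1,64}$")


def canonicalize(s):
    """Stand-in for the platform's implicit normalization.
    Assumption: NFKC, which folds compatibility characters such as
    FULLWIDTH LESS-THAN SIGN (U+FF1C) to their ASCII equivalents."""
    return unicodedata.normalize("NFKC", s)


def naive_is_safe(raw):
    """The anti-pattern: a blacklist check on the raw input, before any
    normalization. Passes fullwidth '<' because it is not ASCII '<'."""
    return "<" not in raw and ">" not in raw


def validate(raw):
    """Canonicalize first, then whitelist-validate the canonical form.
    Returns (is_valid, canonical_form)."""
    canon = canonicalize(raw)
    return bool(ALLOWED.fullmatch(canon)), canon


def encode_for_html(s):
    """Output encoding for an HTML text/attribute context."""
    return html.escape(s, quote=True)


def process(raw):
    """The safe pipeline: validate on canonical form; encode canonical form.
    Either the input is rejected, or what reaches the browser is escaped."""
    valid, canon = validate(raw)
    return {"valid": valid, "canonical": canon, "encoded": encode_for_html(canon)}


def run_vectors(vectors_json):
    """Run the shared vector table; return names of failing cases."""
    failures = []
    for case in json.loads(vectors_json):
        result = process(case["input"])
        if result["valid"] != case["valid"] or result["encoded"] != case["encoded"]:
            failures.append(case["name"])
    return failures


def naive_bypass_cases(vectors_json):
    """Names of vectors the raw-input blacklist accepts even though their
    canonical form contains '<' or '>': the normalization bypass."""
    bypassed = []
    for case in json.loads(vectors_json):
        canon = canonicalize(case["input"])
        if naive_is_safe(case["input"]) and ("<" in canon or ">" in canon):
            bypassed.append(case["name"])
    return bypassed


if __name__ == "__main__":
    print("pipeline failures:", run_vectors(TEST_VECTORS_JSON))
    print("blacklist bypassed by:", naive_bypass_cases(TEST_VECTORS_JSON))
```

The vector file is the part that travels between implementations: each ESAPI port only needs a small runner that maps `input` to its own validator and encoder calls and compares against `valid` and `encoded`. The NFKC step is an assumed model of the platform behaviour, so a real Classic ASP vector set would have to be generated by observing what `Request` actually returns for each input.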

