[Owasp-classic-asp-security-project] I COULD finish

Juan C Calderon johnccr at yahoo.com
Tue Mar 17 02:57:43 EDT 2009


Hello, I made my best effort and I think I got it.

ESAPI Classic ASP is fully functional and tested (as much as implementable and as much testing as I could). All the classes are instantiable and working; there are still a few methods that cannot be called as they are very, very .NET specific, but there are replacements for them using other methods in the same class. Also, the Authenticator class is not implemented (yet instantiable), as most of the functions are related to the .NET Request object, which is never created when called from Classic ASP pages. That is why I consider this a complete version we can release to the public.


Esteban and Andres, please review the implementation and provide your feedback. I am sorry the ASP page is a little bit messy, but this time I was more focused on functionality than presentation.

The installation steps are as follows:
1. You need Visual Studio 2005 or above and .NET Framework 2.0 or above to compile the .NET DLL project in the zip file
2. Provide the password in a text file under the project folder when required
3. Save the app.config file as w3wp.exe.config under the C:\Windows\System32\inetsrv folder (for Vista) or under your IIS working process, depending on your OS
4. Set up an IIS application and deploy the attached Default.asp page
5. Go to the Default.asp page using your browser.

There you go: you should be able to see all the magic happening by making a Classic ASP page call all the objects and dozens of methods of ESAPI.

I am glad this finally happened. I will be pushing for it to be implemented and to get feedback on it. Also, I will upload it to Google Code as soon as I get confirmation that everything is fine.

Regards.
Juan Carlos


----- Original Message ----
From: Juan C Calderon <johnccr at yahoo.com>
To: Classic ASP Security OWASP <OWASP-Classic-ASP-Security-Project at lists.owasp.org>
Cc: Jeff Williams <jeff.williams at aspectsecurity.com>; Paulo Coimbra <paulo.coimbra at owasp.org>
Sent: Monday, March 16, 2009 2:02:59 AM
Subject: [Owasp-classic-asp-security-project] I could not finish

Hello List/Paulo

Due to a sticky and annoying error related to .NET/COM interoperability and IIS, I slipped and was not able to finish as planned. However, the progress so far is very good.

Here is the current status (notice I am also attaching the source code and a Classic ASP page implementing most of the classes in ESAPI).

AccessController - 100%
AccessReferenceMap - 0% (Not working)
Authenticator - 50% (some parameters are very .NET specific and are hard to marshall)
Encoder - 100%
EncryptedProperties - 100%
Encryptor - 100%
Executor - 50% (some parameters are very .NET specific and are hard to marshall)
HttpUtilities - 30% (This class is especially difficult due to its tight integration with .NET specific HTTPRequest objects)
IntrusionDetector - 100%
Logger - 50% (Some functions missing due to integration with native .NET objects)
Randomizer - 100%
SafeFile - 0%
SecurityConfiguration - 100%
Validator - 65%

AccessReferenceMap, Executor and SafeFile are small components and I think I can have them running by tomorrow night. But we will still miss parts of Authenticator, HTTPUtilities and Validator.

Anyway, it was a great advance since Portugal, as there 3 classes were working partially and the others were not working at all. Now all are working, but 3 will be working partially :)

PS. I am also copying Jeff as I think he might be interested in the advance of the project.

Regards,
Juan Carlos


      
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Owasp.Esapi.zip
Type: application/x-zip-compressed
Size: 1192094 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-classic-asp-security-project/attachments/20090316/46ce4bb8/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Default.asp
Type: application/octet-stream
Size: 13377 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-classic-asp-security-project/attachments/20090316/46ce4bb8/attachment-0001.obj 

