[Esapi-user] [Esapi-dev] Response Splitting

Chris Schmidt chrisisbeef at gmail.com
Tue Jan 25 22:51:07 EST 2011


ESAPIFilter must die... I have never used it because I want more control over my requests :)

That being said, I wrote an awesome securityfilter using dependency injection lately :)

Sent from my iPwn

On Jan 25, 2011, at 8:30 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:

> On 01/25/2011 09:57 PM, Jeff Williams wrote:
> [SNIP]
>> Ahh wait – you’re talking about specifically using
>> ESAPIFilter/SafeRequest/SafeResponse, aren’t you?  I’m suggesting
>> the use of targeted wrappers to prevent header injection.  I do believe
>> that the ESAPIFilter has caused issues since it does everything.  But I
>> see no problem with the idea of ResponseWrappers in general.
> 
> I think a JavaEE Servlet Filter is exactly what Jim was referring to. I think
> using targeted wrappers is a better approach and I would expect it to have
> minimal performance impact. OTOH, we could do much better on optimizing
> ESAPIFilter.
> 
> -kevin
> -- 
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
> 
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user

