[Esapi-user] Esapi-user Digest, Vol 20, Issue 12

Jeff Williams jeff.williams at aspectsecurity.com
Wed Jul 27 23:32:08 EDT 2011


Codecs aren't a last resort for canonicalization and input validation,
which is required for attack detection like what is done in AppSensor.
More fundamentally, I think these codecs are exactly the type of
fundamental building blocks that are required before we (as an industry)
can move past injection and get to harder problems.  I say we just build
these out, get them right, and move on.

 

As far as I know, there's nothing that prevents a codec from supporting
a changeable escape syntax.  We sort of support that with the two modes
in the MySQLCodec.

 

--Jeff
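
An added illustration, not part of the original message and not ESAPI code: the changeable escape syntax mentioned above, and the hard-coded escape function discussed in Jim Manico's quoted reply below, both come down to whether the encoder and the database agree on where a string literal ends. The sketch models only single-quote and backslash handling; `Dialect`, `encode`, `literalEnd` and `staysInsideLiteral` are hypothetical names, and the sample values are constructed.

```java
public class EscapeModeCheck {
    /** The two string-literal escape syntaxes modelled here (illustrative names). */
    enum Dialect { ANSI, BACKSLASH }

    /** Encode a value for placement between single quotes under one dialect. */
    static String encode(Dialect d, String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            if (c == '\'') {
                out.append(d == Dialect.ANSI ? "''" : "\\'");
            } else if (c == '\\' && d == Dialect.BACKSLASH) {
                out.append("\\\\");          // backslash is special only in this mode
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Scan a literal that starts with its opening quote at index 0 and return
     * the index just past the closing quote as a server using dialect d would
     * see it, or -1 if the literal never terminates.
     */
    static int literalEnd(Dialect d, String sql) {
        for (int i = 1; i < sql.length(); i++) {
            char c = sql.charAt(i);
            if (c == '\\' && d == Dialect.BACKSLASH) {
                i++;                          // backslash consumes the next character
            } else if (c == '\'') {
                if (i + 1 < sql.length() && sql.charAt(i + 1) == '\'') {
                    i++;                      // doubled quote is an escaped quote
                } else {
                    return i + 1;             // unescaped quote closes the literal
                }
            }
        }
        return -1;
    }

    /** True when the encoded value occupies exactly one complete literal. */
    static boolean staysInsideLiteral(Dialect encoder, Dialect server, String value) {
        String literal = "'" + encode(encoder, value) + "'";
        return literalEnd(server, literal) == literal.length();
    }

    public static void main(String[] args) {
        // Constructed sample values: a quote, a trailing backslash, and both together.
        String[] samples = { "O'Brien", "C:\\temp\\", "a\\' b" };
        for (Dialect enc : Dialect.values()) {
            for (Dialect srv : Dialect.values()) {
                for (String s : samples) {
                    System.out.printf("encoder=%-9s server=%-9s value=%-10s contained=%b%n",
                            enc, srv, s, staysInsideLiteral(enc, srv, s));
                }
            }
        }
    }
}
```

Only the rows where the encoder and server dialect match report `contained=true` for every sample.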

 

 

From: Jim Manico [mailto:jim.manico at owasp.org] 
Sent: Wednesday, July 27, 2011 6:35 PM
To: Jeff Williams
Cc: Rama Krishna Pathangi; ESAPI User Group
Subject: Re: [Esapi-user] Esapi-user Digest, Vol 20, Issue 12

 

Jeff,

 

I agree these encoders belong in ESAPI but only as a last resort.

 

Case in point: You can change Oracle's escape character dynamically and
the JDBC driver would pick that up, but a hard-coded escape function
would not, leaving you injectable.

 

But still Jeff, as a last resort or as a stopgap measure, I agree.


- Jim Manico


On Jul 27, 2011, at 5:27 PM, "Jeff Williams"
<jeff.williams at aspectsecurity.com> wrote:

	Perhaps he is interested in canonicalization?  There are plenty
of good reasons to have a SQLServer codec in ESAPI.

	 

	There were some discussions around this a while back, and maybe
even an implementation.  Would you be interested in helping put this
together? 
	
	--Jeff

	 

	 

	
	On Jul 27, 2011, at 5:22 PM, "Jim Manico" <jim.manico at owasp.org>
wrote:

		Rama,

		 

		This is a deeply fragile way to stop XSS. Can you just
use parameterized queries with data binding? We heavily recommend this
as the best way to stop SQL injection.
		
		- Jim Manico

		
		On Jul 27, 2011, at 12:48 PM, Rama Krishna Pathangi
<rpathangi at hotmail.com> wrote:

			Hello,
			 
			We are currently using ESAPI 2.0 GA.
			In line with the following, I was wondering if
we can have a codec for SQLServer in your future release.
			ESAPI.encoder().encodeForSQL( new OracleCodec(), dirtyString );
			ESAPI.encoder().encodeForSQL( new DB2Codec(), dirtyString );
			
			--
			Rama Krishna Rao Pathangi
			[c] 1 503 962 9480
			[f]  1 801 409 7951
			
			 

			> From: esapi-user-request at lists.owasp.org
			> Subject: Esapi-user Digest, Vol 20, Issue 12
			> To: esapi-user at lists.owasp.org
			> Date: Wed, 27 Jul 2011 12:00:05 -0400
			> 
			> 
			> Today's Topics:
			> 
			> 1. Re: [Esapi-dev] ESAPI 2.0.1 Released (Dave
Wolf)
			> 2. Fwd: .NET and Java WAF (Christian Heinrich)
			> 3. Re: .NET and Java WAF (Jim Manico)
			> 4. Re: [Esapi-dev] .NET and Java WAF (Kevin W.
Wall)
			> 5. Re: [GPC] Fwd: .NET and Java WAF (Jason Li)
			> 6. using SafeRequest (Normando Macaraeg)
			> 7. Re: using SafeRequest (Kevin W. Wall)
			> 8. Re: [Esapi-dev] .NET and Java WAF
(Christian Heinrich)
			> 
			> 
			>
----------------------------------------------------------------------
			> 
			> Message: 1
			> Date: Tue, 26 Jul 2011 17:14:12 +0000
			> From: Dave Wolf <dave.wolf at gmail.com>
			> Subject: Re: [Esapi-user] [Esapi-dev] ESAPI
2.0.1 Released
			> To: ESAPI Dev List
<esapi-dev at lists.owasp.org>,
			> "Esapi-user at lists.owasp.org"
<Esapi-user at lists.owasp.org>
			> Message-ID:
			>
<CAF1Q6Q3EHDgAwCheTt6e9E3HmZd+smu3eVSkEj8dqpHV1nRpyA at mail.gmail.com>
			> Content-Type: text/plain; charset="utf-8"
			> 
			> Hi,
			> 
			> FYI, I'm not finding 2.0.1 on Maven Central.
The most current release that
			> shows up is 2.0GA. I'm searching using:
			> g:"org.owasp.esapi" AND a:"esapi" AND
v:"2.0.1"
			> 
			> Any ideas what is going on?
			> 
			> Thanks,
			> 
			> Dave Wolf
			> 
			> Date: Mon, 25 Jul 2011 08:01:35 -0400
			> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
			> Subject: Re: [Esapi-dev] ESAPI 2.0.1 Released
			> To: Chris Schmidt <chris.schmidt at owasp.org>
			> Cc: ESAPI Devs <esapi-dev at lists.owasp.org>,
			> "Esapi-user at lists.owasp.org"
<Esapi-user at lists.owasp.org>
			> Message-ID:
			>
<CAOPE6PhgP5NnFLxA2nBKKCG5P39N4vuTU0+U1U3SmbcC_eY2kA at mail.gmail.com>
			> Content-Type: text/plain; charset=ISO-8859-1
			> 
			> On Mon, Jul 25, 2011 at 4:44 AM, Chris Schmidt
<chris.schmidt at owasp.org>
			> wrote:
			> > Due to popular demand ESAPI 2.0.1 has been
released with some minor (but
			> > important) bug fixes. The changelist is
below.
			> > [snip]
			> > Change log from 2.0.GA to
2.0.1
			> >
			> > 2011-07-25 00:01:38 chrisisbeef
/trunk/pom.xml v 1858
			> >
			> > Removed version from project name... Fixes
Issue #235
			> > 2011-07-24 23:56:06 chrisisbeef
			> > /trunk/configuration/esapi/
			> ESAPI.properties v 1857
			> >
/trunk/src/test/java/org/owasp/esapi/reference/ValidatorTest.java v 1857
			> >
			> > Resolves issue #46 - allow context path to
have leading slash or be empty
			> > 2011-07-23 14:36:17 chrisisbeef
			> >
			>
/trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfigurat
ion.java
			> > v 1856
			> >
			> > Get rid of really irritating stacktrace
every time esapi loads.
			> >
			> > fixes issue #220
			> > 2011-07-23 14:25:45 chrisisbeef
			> >
/trunk/src/main/java/org/owasp/esapi/reference/DefaultValidator.java v
			> 1855
			> >
			> > Resolve issue 232 Validation Type Error
			> > 2011-07-23 14:17:34 chrisisbeef
			> >
/trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java v
1854
			> >
			> > Fix issue 231 inverted logic error with
canonicalization.
			> 
			> Chris,
			> 
			> Well, let me be amongst the first to
publicly congratulate you for pushing
			> out these fixes, and especially issue #46,
which I pretty much dropped the
			> ball on.
			> 
			> Thanks for your hard work. The whole ESAPI
community owes you a beer!
			> Great job.
			> 
			> -kevin
			> --
			> Blog:
http://off-the-wall-security.blogspot.com/
			> "The most likely way for the world to be
destroyed, most experts agree,
			> is by accident. That's where we come in; we're
computer professionals.
			> We *cause* accidents." -- Nathaniel Borenstein
			> 
			> Dave Wolf
			> 
			> "There is no passion to be found playing small
- in settling for a life that
			> is less than the one you are capable of
living." --Nelson Mandela
			> 
			> ------------------------------
			> 
			> Message: 2
			> Date: Wed, 27 Jul 2011 10:23:39 +1000
			> From: Christian Heinrich
<christian.heinrich at owasp.org>
			> Subject: [Esapi-user] Fwd: .NET and Java WAF
			> To: Global Projects Committee
			> <global-projects-committee at lists.owasp.org>
			> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
			> <Esapi-user at lists.owasp.org>
			> Message-ID:
			>
<CAFCvB5JThsd3g2AKP9kthkHKcywgj7dbK4r9JaMtqtVd3WEmZA at mail.gmail.com>
			> Content-Type: text/plain; charset=ISO-8859-1
			> 
			> GPC,
			> 
			> Please consider this notice that "we" intend
to escalate for
			> recognition as an OWASP Project by the GPC
shortly after BlackHat and
			> DefCon.
			> 
			> Hence I have CC ESAPI Mailing List for
discussion in the interim until
			> the @owasp.org Mailing Lists are created.
			> 
			> Juan, Ryan, Jason and Jason have been BCC.
			> 
			> ---------- Forwarded message ----------
			> From: Christian Heinrich
<christian.heinrich at owasp.org>
			> Date: Tue, Jul 26, 2011 at 8:33 AM
			> Subject: Re: [Esapi-user] WAF 2.0? alpha on
repository
			> To: "Calderon, Juan Carlos (GE, Corporate,
consultant)" <juan.calderon at ge.com>
			> Cc: Jim Manico <jim.manico at owasp.org>, Ryan
Barnett <ryan.barnett at owasp.org>
			> 
			> 
			> Juan,
			> 
			> On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
			> consultant) <juan.calderon at ge.com> wrote:
			> > What do you mean closing this off? Having it
ready or defining is an
			> > OWASP project?
			> 
			> I was referring to having it listed as an
OWASP Project, such as an
			> associated mailing list, etc.
			> 
			> On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
			> consultant) <juan.calderon at ge.com> wrote:
			> > Just as a small update, Aldo Salas a
certified Java developer is helping
			> > me out to finish this project, we have a
progress meeting this Thursday,
			> > also I sent a paper proposal to OWASP LATAM
to present a course on
			> > Mod_security for Java this October (that is
it should be well tested and
			> > finished by then) :)
			> 
			> I can note this milestone in the Project Plan
- I will list it for
			> November to account for the unlikely event
that the deadline slips or
			> to demonstrate that we ship it earlier than
expected :)
			> 
			> 
			> -- 
			> Regards,
			> Christian Heinrich
			> http://www.owasp.org/index.php/user:cmlh
			> 
			> 
			> ------------------------------
			> 
			> Message: 3
			> Date: Tue, 26 Jul 2011 19:25:14 -0500
			> From: Jim Manico <jim.manico at owasp.org>
			> Subject: Re: [Esapi-user] .NET and Java WAF
			> To: Christian Heinrich
<christian.heinrich at owasp.org>
			> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
			> <Esapi-user at lists.owasp.org>, Global Projects
Committee
			> <global-projects-committee at lists.owasp.org>
			> Message-ID:
<-2981349937657456396 at unknownmsgid>
			> Content-Type: text/plain; charset=ISO-8859-1
			> 
			> I totally support splitting the ESAPI WAF into
a brand new project. Go
			> for it - and great work!
			> 
			> - Jim Manico
			> 
			> On Jul 26, 2011, at 7:23 PM, Christian
Heinrich
			> <christian.heinrich at owasp.org> wrote:
			> 
			> > GPC,
			> >
			> > Please consider this notice that "we" intend
to escalate for
			> > recognition as an OWASP Project by the GPC
shortly after BlackHat and
			> > DefCon.
			> >
			> > Hence I have CC ESAPI Mailing List for
discussion in the interim until
			> > the @owasp.org Mailing Lists are created.
			> >
			> > Juan, Ryan, Jason and Jason have been BCC.
			> >
			> > ---------- Forwarded message ----------
			> > From: Christian Heinrich
<christian.heinrich at owasp.org>
			> > Date: Tue, Jul 26, 2011 at 8:33 AM
			> > Subject: Re: [Esapi-user] WAF 2.0? alpha on
repository
			> > To: "Calderon, Juan Carlos (GE, Corporate,
consultant)" <juan.calderon at ge.com>
			> > Cc: Jim Manico <jim.manico at owasp.org>, Ryan
Barnett <ryan.barnett at owasp.org>
			> >
			> >
			> > Juan,
			> >
			> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
			> > consultant) <juan.calderon at ge.com> wrote:
			> >> What do you mean closing this off? Having
it ready or defining is an
			> >> OWASP project?
			> >
			> > I was referring to having it listed as an
OWASP Project, such as an
			> > associated mailing list, etc.
			> >
			> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
			> > consultant) <juan.calderon at ge.com> wrote:
			> >> Just as a small update, Aldo Salas a
certified Java developer is helping
			> >> me out to finish this project, we have a
progress meeting this Thursday,
			> >> also I sent a paper proposal to OWASP LATAM
to present a course on
			> >> Mod_security for Java this October (that is
it should be well tested and
			> >> finished by then) :)
			> >
			> > I can note this milestone in the Project
Plan - I will list it for
			> > November to account for the unlikely event
that the deadline slips or
			> > to demonstrate that we ship it earlier than
expected :)
			> >
			> >
			> > --
			> > Regards,
			> > Christian Heinrich
			> > http://www.owasp.org/index.php/user:cmlh
			> 
			> 
			> ------------------------------
			> 
			> Message: 4
			> Date: Tue, 26 Jul 2011 21:39:10 -0400
			> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
			> Subject: Re: [Esapi-user] [Esapi-dev] .NET and
Java WAF
			> To: Jim Manico <jim.manico at owasp.org>
			> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
			> <Esapi-user at lists.owasp.org>, Global Projects
Committee
			> <global-projects-committee at lists.owasp.org>
			> Message-ID:
			>
<CAOPE6Ph85Po+9Qs6d96GzYg4=5j5sYXQOU7JFEpJgF+o8iX_dg at mail.gmail.com>
			> Content-Type: text/plain; charset=ISO-8859-1
			> 
			> On Tue, Jul 26, 2011 at 8:25 PM, Jim Manico
<jim.manico at owasp.org> wrote:
			> > I totally support splitting the ESAPI WAF
into a brand new project. Go
			> > for it - and great work!
			> 
			> Christian,
			> 
			> I concur. However, please do keep us in the
loop, especially if you make
			> any changes that would affect how it is used
in ESAPI. I think that we would
			> like to keep it as an option there and also be
able to drop in your latest
			> version.
			> 
			> Thanks,
			> -kevin
			> -- 
			> Blog:
http://off-the-wall-security.blogspot.com/
			> "The most likely way for the world to be
destroyed, most experts agree,
			> is by accident. That's where we come in; we're
computer professionals.
			> We *cause* accidents." -- Nathaniel
Borenstein
			> 
			> 
			> ------------------------------
			> 
			> Message: 5
			> Date: Tue, 26 Jul 2011 21:51:42 -0400
			> From: Jason Li <jason.li at owasp.org>
			> Subject: Re: [Esapi-user] [GPC] Fwd: .NET and
Java WAF
			> To: Christian Heinrich
<christian.heinrich at owasp.org>
			> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
			> <Esapi-user at lists.owasp.org>, Global Projects
Committee
			> <global-projects-committee at lists.owasp.org>
			> Message-ID:
			>
<CAPfGuxawWMudERxnbN+-LfKZQ1tMfhUVs69fs9ntWkjHOiNPjg at mail.gmail.com>
			> Content-Type: text/plain; charset=ISO-8859-1
			> 
			> Christian,
			> 
			> There's no need to "escalate" for recognition.
			> 
			> Any idea can always be submitted to the GPC
and they will be processed
			> by Paulo Coimbra like all other requests.
			> 
			> I would encourage the group to read the wiki
article on starting an
			> OWASP project
(https://www.owasp.org/index.php/How_to_Start_an_OWASP_Project)
			> and ensure that the group submits the
necessary information.
			> 
			> -Jason
			> 
			> On Tue, Jul 26, 2011 at 8:23 PM, Christian
Heinrich
			> <christian.heinrich at owasp.org> wrote:
			> > GPC,
			> >
			> > Please consider this notice that "we" intend
to escalate for
			> > recognition as an OWASP Project by the GPC
shortly after BlackHat and
			> > DefCon.
			> >
			> > Hence I have CC ESAPI Mailing List for
discussion in the interim until
			> > the @owasp.org Mailing Lists are created.
			> >
			> > Juan, Ryan, Jason and Jason have been BCC.
			> >
			> > ---------- Forwarded message ----------
			> > From: Christian Heinrich
<christian.heinrich at owasp.org>
			> > Date: Tue, Jul 26, 2011 at 8:33 AM
			> > Subject: Re: [Esapi-user] WAF 2.0? alpha on
repository
			> > To: "Calderon, Juan Carlos (GE, Corporate,
consultant)" <juan.calderon at ge.com>
			> > Cc: Jim Manico <jim.manico at owasp.org>, Ryan
Barnett <ryan.barnett at owasp.org>
			> >
			> >
			> > Juan,
			> >
			> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
			> > consultant) <juan.calderon at ge.com> wrote:
			> >> What do you mean closing this off? Having
it ready or defining is an
			> >> OWASP project?
			> >
			> > I was referring to having it listed as an
OWASP Project, such as an
			> > associated mailing list, etc.
			> >
			> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
			> > consultant) <juan.calderon at ge.com> wrote:
			> >> Just as a small update, Aldo Salas a
certified Java developer is helping
			> >> me out to finish this project, we have a
progress meeting this Thursday,
			> >> also I sent a paper proposal to OWASP LATAM
to present a course on
			> >> Mod_security for Java this October (that is
it should be well tested and
			> >> finished by then) :)
			> >
			> > I can note this milestone in the Project
Plan - I will list it for
			> > November to account for the unlikely event
that the deadline slips or
			> > to demonstrate that we ship it earlier than
expected :)
			> >
			> >
			> > --
			> > Regards,
			> > Christian Heinrich
			> > http://www.owasp.org/index.php/user:cmlh
			> >
_______________________________________________
			> > Global-projects-committee mailing list
			> > Global-projects-committee at lists.owasp.org
			> >
https://lists.owasp.org/mailman/listinfo/global-projects-committee
			> >
			> 
			> 
			> ------------------------------
			> 
			> Message: 6
			> Date: Tue, 26 Jul 2011 19:48:57 -0700 (PDT)
			> From: "Normando Macaraeg"
<nmacaraeg at jaspersoft.com>
			> Subject: [Esapi-user] using SafeRequest
			> To: <esapi-user at lists.owasp.org>
			> Message-ID:
<[email protected]>
			> Content-Type: text/plain; charset="us-ascii"
			> 
			> Hi,
			> 
			> Using the ESAPI Book as my guide, it looks
like when I find code that
			> looks like: 
			> 
			> HttpSession session = request.getSession(); // unsafe session
			> 
			> I should change the code to this:
			> 
			> HttpSession session = new SafeRequest( request ).getSession(); // safe session
			> 
			> But the book says this works only if I enable
the ESAPIFilter. How do I
			> enable the ESAPIFilter?
			> 
			> -Norm
			> 
			> 
			> ------------------------------
			> 
			> Message: 7
			> Date: Tue, 26 Jul 2011 23:32:01 -0400
			> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
			> Subject: Re: [Esapi-user] using SafeRequest
			> To: Normando Macaraeg
<nmacaraeg at jaspersoft.com>
			> Cc: esapi-user at lists.owasp.org
			> Message-ID:
			>
<CAOPE6Pj3joRXWCo8bJY+BJPDy9Z_om-AZDkokumJEiSFganNPQ at mail.gmail.com>
			> Content-Type: text/plain; charset=ISO-8859-1
			> 
			> On Tue, Jul 26, 2011 at 10:48 PM, Normando
Macaraeg
			> <nmacaraeg at jaspersoft.com> wrote:
			> > Hi,
			> >
			> > Using the ESAPI Book as my guide, it looks
like when I find code that
			> > looks like:
			> >
			> > HttpSession session = request.getSession(); // unsafe session
			> >
			> > I should change the code to this:
			> >
			> > HttpSession session = new SafeRequest( request ).getSession(); // safe session
			> >
			> > But the book says this works only if I
enable the ESAPIFilter. How do I
			> > enable the ESAPIFilter?
			> 
			> You configure it just like any other Java
Servlet filter.
			> In your WEB-INF/web.xml file, you would do
something like
			> this:
			> 
			> <web-app id="myWebApp">
			> ...
			>   <filter>
			>     <filter-name>ESAPI-Filter</filter-name>
			>     <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
			>     <!-- Note: Not sure it has any parameters. Check the
			>          source code or ask Jeff Williams. I don't have time
			>          right now. However, this is how you specify
			>          parameters. You can have more than one init-param
			>          section. -->
			>     <init-param>
			>       <param-name>greetings</param-name>
			>       <param-value>Hello, World</param-value>
			>     </init-param>
			>   </filter>
			> 
			>   <filter-mapping>
			>     <filter-name>ESAPI-Filter</filter-name>
			>     <url-pattern>/images/*</url-pattern>
			>   </filter-mapping>
			> ...
			> </web-app>
			> 
			> The exact syntax may be slightly different
depending on what
			> Servlet Spec your JavaEE / servlet container
adheres to. Shown
			> above is for Servlet Spec 2.4.
			> 
			> -kevin
			> --
			> Blog:
http://off-the-wall-security.blogspot.com/
			> "The most likely way for the world to be
destroyed, most experts agree,
			> is by accident. That's where we come in; we're
computer professionals.
			> We *cause* accidents." -- Nathaniel Borenstein
			> 
			> 
			> ------------------------------
			> 
			> Message: 8
			> Date: Wed, 27 Jul 2011 16:54:00 +1000
			> From: Christian Heinrich
<christian.heinrich at owasp.org>
			> Subject: Re: [Esapi-user] [Esapi-dev] .NET and
Java WAF
			> To: "Kevin W. Wall" <kevin.w.wall at gmail.com>
			> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
			> <Esapi-user at lists.owasp.org>
			> Message-ID:
			>
<CAFCvB5Lq+GHVgySp+Z0do4x0w4RdN1YF1wy5Bbk4PrXLeQcK6A at mail.gmail.com>
			> Content-Type: text/plain; charset=ISO-8859-1
			> 
			> Kevin,
			> 
			> I have dropped the GPC for the moment from
this discussion.
			> 
			> On Wed, Jul 27, 2011 at 11:39 AM, Kevin W.
Wall <kevin.w.wall at gmail.com> wrote:
			> > I concur. However, please do keep us in the
loop, especially if you make
			> > any changes that would affect how it is used
in ESAPI. I think that we would
			> > like to keep it as an option there and also
be able to drop in your latest
			> > version.
			> 
			> I can create a dependency in the Project Plan
for this and a SVN tag
			> for the attention of ESAPI Java.
			> 
			> For your reference, Juan's import from ESAPI
Java was
			>
http://code.google.com/p/owasp-java-waf/source/detail?r=2
			> 
			> 
			> -- 
			> Regards,
			> Christian Heinrich
			> http://www.owasp.org/index.php/user:cmlh
			> 
			> 
			> ------------------------------
			> 
			>
_______________________________________________
			> Esapi-user mailing list
			> Esapi-user at lists.owasp.org
			>
https://lists.owasp.org/mailman/listinfo/esapi-user
			> 
			> 
			> End of Esapi-user Digest, Vol 20, Issue 12
			> ******************************************
