[Esapi-user] ESAPI book

Jim Manico jim.manico at owasp.org
Tue Mar 8 13:21:57 EST 2011

What an outstanding analysis of the ESAPI Swingset! Thank you for this, Chris!


https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN


When this document is done, would you please consider wikifying this and placing it on the ESAPI wiki?


If you do not wish to do this, do you mind if we do?


Thanks all,



From: Christopher Dickinson [mailto:christopher.dickinson at edu.hefr.ch] 
Sent: Monday, March 07, 2011 11:53 PM
To: Jim Manico
Cc: Rudolf Scheurer
Subject: Re: ESAPI book


Dear Jim,

Thank you for your response. It would be fun to complete the tutorial. However, it is possible I'll be working on a demo application in PHP instead. Not decided yet.

Here's a link to my exploration of swingset, also very much "work in progress", but if it can be of some use, I'll gladly share it with you.

https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN

Best regards,


on 03/08/2011 07:14 AM Jim Manico wrote:

Answers inline:

Dear Jim,
I am working my way through the bundled Tomcat+Swingset demo, writing
down my discoveries along the way.
So far I have found various bugs that look like Swingset was not
finished when published. Take for example the page
http://localhost:8080/main?function=ChangePassword&insecure which, when
submitted, attempts to load the non-existent page
http://localhost:8080/main?function=ChangePasswordInsecure. I see that
this has been changed in the most recent version on Google Code.
Similarly, the XSS page wrongly displays the User Input Validation
Tutorial, whereas the most recent version on Google Code has fixed that
and seems to have a proper XSS tutorial.

This is not you - the Swingset is not complete. It's a work in progress.

Other things remain puzzling. E.g. the Login tutorial still shows a
mostly empty page for the insecure demo

This is again, not you...

Before I continue doing work that has surely been done before, would you
have any idea if there is an available list of unfinished parts of
either the published (bundled ZIP) version of Swingset or else of the
most recent source code of Swingset?

There is not that I know of. We really need someone to "own" this piece
of code and keep it up to date. We are desperate for more help on this!

For the moment I'm doing this work merely as part of a global evaluation
of ESAPI Swingset. If I ever did attempt to rebundle the latest version,
I'll need to know what issues remain and which ones I might want to fix
before creating a new bundle.

Do you have time to list those issues out? We really lost track of this
piece of code. It needs some love. :)
Thank you, very much, for this help.
- Jim

Thank you for your help!
Best regards,
p.s. I haven't downloaded and compiled the latest version of Swingset.
Do you happen to know if it is in a stable state? Would it be worth
examining that version instead of the Tomcat+Swingset version I'm
currently working with?
on 03/03/2011 08:50 AM Jim Manico wrote:

So far I have the impression that ESAPI for Java was the first and still
is the most active project of all language specific ESAPI versions. Can
you confirm that?

Agreed! You can see this in the Google Code activity metric.

Also, can you confirm that ESAPI for Java would be the
best place to start for getting to know ESAPI? I noticed that the
Swingset bundled with Tomcat was from July 2009,
https://code.google.com/p/swingset-demo/downloads/list seems to be from
Nov 2003. Nevertheless, it might be a good place to start also, no? What
is your opinion on this?

The swingset is out of date with the current core. I'm not sure by much.
Would you have time to invest in working on updating the swingset?

If you could give me any indications as to how to go about examining
ESAPI for our academic purposes in Web Application Security, I would be
most grateful.

I would start building a small app that uses ESAPI! We are short on
documentation. The best way to understand it is to use it!
Ask us more questions along the way...



Christopher Dickinson
Blvd. de Pérolles 93
CH-1700 Fribourg
chris.dickinson at gmx.ch