[Esapi-user] ESAPI book

Chris Schmidt chrisisbeef at gmail.com
Tue Mar 8 14:25:14 EST 2011


This is a very solid analysis - thank you so much Chris! Now, who's gonna
start bringin it up to snuff? :)


On 3/8/11 1:21 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

> What an outstanding analysis of the ESAPI Swingset! Thank you for this Chris!
>  
> https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN
>  
> When this document is done, would you please consider wikifying this and
> placing it on the ESAPI wiki?
>  
> If you do not wish to do this, do you mind if we do?
>  
> Thanks all,
> Jim
>  
> 
> From: Christopher Dickinson [mailto:christopher.dickinson at edu.hefr.ch]
> Sent: Monday, March 07, 2011 11:53 PM
> To: Jim Manico
> Cc: Rudolf Scheurer
> Subject: Re: ESAPI book
>  
> Dear Jim,
> 
> Thank you for your response. It would be fun to complete the tutorial.
> However, it is possible I'll be working on a demo application in PHP instead.
> Not decided yet.
> 
> Here's a link to my exploration of swingset, also very much "work in
> progress", but if it can be of some use, I'll gladly share it with you.
> 
> https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN
> 
> Best regards,
> 
> Chris
> 
> on 03/08/2011 07:14 AM Jim Manico wrote :
> Chris,
>  
> Answers inline:
>  
>> Dear Jim,
>>  
>> I am working my way through the bundled Tomcat+Swingset demo, writing
>> down my discoveries along the way.
>>  
>> So far I have found various bugs that look like Swingset was not
>> finished when published. Take for example the page
>> http://localhost:8080/main?function=ChangePassword&insecure which, when
>> submitted, attempts to load the non-existent page
>> http://localhost:8080/main?function=ChangePasswordInsecure. I see that
>> this has been changed in the most recent version on Google Code.
>> Similarly, the XSS page wrongly displays the User Input Validation
>> Tutorial, whereas the most recent version on Google Code has fixed that
>> and seems to have a proper XSS tutorial.
>  
> This is not you - the swingset is not complete. It's a work in progress.
>  
>  
>> Other things remain puzzling. E.g. the Login tutorial still shows a
>> mostly empty page for the insecure demo
>> (https://code.google.com/p/owasp-esapi-java-swingset/source/browse/trunk/webapp/src/main/webapp/WEB-INF/jsp/LoginInsecure.jsp).
>  
> This is again, not you...
>  
>>  
>> Before I continue doing work that has surely been done before, would you
>> have any idea if there is an available list of unfinished parts of
>> either the published (bundled ZIP) version of Swingset or else of the
>> most recent source code of Swingset?
>  
> There is not that I know of. We really need someone to "own" this piece
> of code and keep it up to date. We are desperate for more help on this!
>  
>  
>> For the moment I'm doing this work merely as part of a global evaluation
>> of ESAPI Swingset. If I ever did attempt to rebundle the latest version,
>> I'll need to know what issues remain and which ones I might want to fix
>> before creating a new bundle.
>  
> Do you have time to list those issues out? We really lost track of this
> piece of code. It needs some love. :)
>  
> Thank you very much for this help.
>  
> - Jim
>  
>  
>  
>>  
>> Thank you for your help!
>>  
>> Best regards,
>>  
>> Chris
>>  
>> p.s. I haven't downloaded and compiled the latest version of Swingset.
>> Do you happen to know if it is in a stable state? Would it be worth
>> examining that version instead of the tomcat+swingset version I'm
>> currently working with?
>>  
>> on 03/03/2011 08:50 AM Jim Manico wrote :
>>>> So far I have the impression that ESAPI for Java was the first and still
>>>> is the most active project of all language specific ESAPI versions. Can
>>>> you confirm that?
>>> Agreed! You can see this in the google code activity metric.
>>>  
>>>  
>>>> Also, can you confirm that ESAPI for Java would be the
>>>> best place to start for getting to know ESAPI? I noticed that the


