[GPC] Swingset v05b2 vs. Swingset v1 confusion

Paulo Coimbra paulo.coimbra at owasp.org
Thu Mar 17 12:41:57 EDT 2011


Fabio and all,

Please confirm or clarify the following course of action.

1. Renaming of the ESAPI Swingset RC 4 release (which contains the
downloadable file esapi_swingsetv1.0.zip -
http://code.google.com/p/swingset-demo/downloads/list) to Swingset
Interactive. Additionally, appointing you as release co-leader.

2. Creation of the Swingset Demo release (which contains the
Swingset_with_tomcat_05b2.zip -
http://code.google.com/p/owasp-esapi-java-swingset/downloads/list).
Additionally, appointing Craig Younkins as release leader.

Thanks,

- Paulo

Paulo Coimbra,
OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>

 

From: Fabio Cerullo [mailto:fcerullo at gmail.com]
Sent: Thursday, 17 March 2011 10:05
To: Dave Wichers
Cc: Craig Younkins; chris.dickinson at gmx.ch; Chris Schmidt; Jim Manico; Jeff
Williams; cathal.p.courtney at aib.ie; kfealz at gmail.com; Paulo Coimbra
Subject: Re: Swingset v05b2 vs. Swingset v1 confusion

Dave et al,

Please allow me to clarify the situation here:

- Swingset v05b2: This version has been developed by Craig and it was
originally intended to show how ESAPI helps you to remediate vulnerabilities
in Swingset. This means, Swingset highlights a particular vulnerability in
one page, and then in another one it shows you how ESAPI fixed the issue.
Therefore, this is only a DEMO application showing the benefits of ESAPI for
Java.

- Swingset v1.0: This version has been developed by Cathal and myself to
fulfill an internal training requirement at AIB. We took the backbone of
Swingset v05b2 and created labs for developers to use making it an
INTERACTIVE application. The goal of this application is to teach developers
about the functionality of the ESAPI library and give users a practical
understanding of how it can be used to protect web applications against
common security vulnerabilities. This customized version of Swingset has
been donated back to OWASP and I presented it at AppSec DC last year as Dave
correctly pointed out.

 

I understand the confusion these two versions could generate and my
suggestion would be to rebrand them as follows:

Swingset v05b2 -> Swingset Demo
Swingset v1.0 -> Swingset Interactive

If everybody is in favour I will ask Paulo Coimbra to proceed with these
changes.

Thank you,

Fabio Cerullo


On Thu, Mar 17, 2011 at 2:47 AM, Dave Wichers <dave.wichers at owasp.org>
wrote:
>
> It’s definitely an OWASP effort, but I think it has effectively forked the
ESAPI for Java Swingset as it’s very different. I don’t think it necessarily
replaces the old one. Fabio would have to let us know about whether his new
one incorporates most everything in the old one or if it’s a separate (yet
another) example ESAPI demo app.
>
> I know his version supported people to do coding labs in some manner which
the first version didn’t explicitly do. Fabio did a presentation on what he
did at AppSec DC 2010. The video of it is here: http://vimeo.com/20168586,
and slides: http://www.owasp.org/images/2/24/Esapi_swingset_talk_dc.ppt.
>
> -Dave
>
> From: cyounkins at gmail.com [mailto:cyounkins at gmail.com] On Behalf Of Craig
Younkins
> Sent: Wednesday, March 16, 2011 4:54 PM
> To: Dave Wichers
> Cc: fcerullo at gmail.com; chris.dickinson at gmx.ch; Chris Schmidt; Jim Manico;
Jeff Williams; cathal.p.courtney at aib.ie; kfealz at gmail.com
> Subject: Re: Swingset v05b2 vs. Swingset v1 confusion
>
> My last work was on the owasp-esapi-java-swingset project.
>
> My understanding was that AIB was creating a customized version of the
Swingset, which is the swingset-demo project. I hadn't heard that it was
approved to replace the previous version. The swingset-demo project does not
indicate it is an OWASP project, so linking to it from the OWASP page as if
it is one kinda bothers me. It's unclear to me whether or not it is an OWASP
project.
>
> Craig Younkins
>
> On Wed, Mar 16, 2011 at 1:20 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:
>
> I think Fabio can best answer this as he is the author of the latest
version of the Swingset app.
>
> I believe Craig Younkins was the last person to work on the previous
version.
>
> Fabio – once we get this clarified can we update our website to make this
more clear to minimize confusion for other interested parties in the future?
>
> Thanks, Dave
>
> From: Christopher Dickinson [mailto:christopher.dickinson at edu.hefr.ch]
> Sent: Wednesday, March 16, 2011 1:09 PM
> To: Chris Schmidt; Jim Manico; Jeff Williams; craig.younkins at owasp.org;
cathal.p.courtney at aib.ie; fcerullo at gmail.com; kfealz at gmail.com;
planetlevel at gmail.com; singhpawanpreet at gmail.com; dwichers at gmail.com
> Subject: Swingset v05b2 vs. Swingset v1 confusion
> Importance: High
>
> Hello,
>
> For those of you who are not interested or not involved, please forgive me
for mailing this to you. Since I don't know yet who is mainly responsible
for Swingset, I'm writing to all of you in the hope that at least one of you
will turn out to be the right person (or tell me who is)!
>
> As some of you already know, I am looking into the current state of ESAPI
Swingset. Today something embarrassing happened. I realized I have most
likely been working on an OLD version of the Swingset, as I discovered a
second one which is quite different in many ways.
>
> On the ESAPI Swingset "Home Page"
(http://www.owasp.org/index.php/ESAPI_Swingset), I read early on in my
investigations that "All downloads are hosted on the Google Code site. You
can find the latest downloads for the project here."
(https://code.google.com/p/owasp-esapi-java-swingset/downloads/list). This
hosts 3 archives (source, WAR and Tomcat bundle, version "05b2").
>
> Only if you click on the tab "Project About" do you see something about a
"current release" pointing ultimately to a whole different Google code
project, this one here:
https://code.google.com/p/swingset-demo/downloads/list containing a Swingset
bundle "version 1" with instructions to import the project into eclipse and
run from there.
>
> I followed the "version 1" instructions today and the tutorial looks quite
different indeed. According to Google's activity rating, this "version 1"
is more active, even though there are only 2 commits.
>
> My questions to all of you, i.e. to anyone who can give me an answer:
>
> - What is the exact relationship between these two "versions" of Swingset
downloads / releases?
> - Who would be authorized to change the OWASP ESAPI Web pages to make this
distinction much clearer to people like myself who want to understand what
Swingset is and how to use it?
> - Whom could I contact for future questions about the current state of
Swingset and possible future improvements (cf. my semester project mentioned
in the mails below)?
>
> If anyone among you could give me any indication about these issues I
would be most grateful!
>
> Thanks for your time,
>
> Best regards,
>
> Chris Dickinson
>
> on 03/10/2011 10:15 PM Christopher Dickinson wrote:
>
> Dear Chris, Dear Jim,
>
> A day later than planned, my professor and I decided upon the main
objectives for my semester project. We want to:
>
> - create an extensive evaluation of the 2009 Swingset version.
> - fix the 2009 Swingset to make sure we understand its intended
functionality fully.
> - build a new bundled Swingset version based upon the newest version of the
code in the SVN trunk and the insights into the 2009 version.
> - possibly take a quick look at the state of ESAPI in general and ESAPI for
PHP in specific.
> - (personally, I would like to see an easy-to-install, platform-independent
version of Swingset.)
>
> My professor hopes to be able to use Swingset as didactical material for
his classes in the future. Other projects, such as the PHP demo application
we had envisioned for my own semester project, will have to be done at a
later time.
>
> I have created a slightly more detailed scope statement which you will
find attached. I'm sharing it with you since a new version of the Swingset
could be interesting for the ESAPI project as a whole and also because I
would appreciate your input on how you would suggest approaching the task,
how not to redo work that has already been done, and how to do it as
efficiently as possible. Most of all, if you know of anyone I could possibly
ask for tips along the way (e.g. the person who originally designed the
Swingset?), that would be very useful to me!
>
> Thanks again for your help so far.
>
> Best regards,
>
> Chris
>
> p.s. @Chris: no, I haven't committed anything yet. Neither to the PHP
project nor to any other ESAPI project. I'll certainly get in touch if I
think I have something to contribute towards the ESAPI documentation during
my work on Swingset.
>
> on 03/08/2011 08:48 PM Chris Schmidt wrote:
>
> There are no steps right now – tell me you want to do it and it’s all you.
>
> Have you been committing to the php project recently? It is leaderless
right now and I am about to put out a call to the php devs for a new leader
to step up. Watch your inbox if you’re interested. :)
>
> A note on the documentation. Our hope is to be able to pull enough good
documentation together to publish an ESAPI book soon. So any contributors
will be published authors.
>
> On 3/8/11 2:42 PM, "Christopher Dickinson" <chris.dickinson at gmx.ch> wrote:
>
>   Thanks :-). I'm doing this work as part of a semester project and will
know more about the requirements tomorrow. I might possibly be working with
ESAPI for PHP.
>
>  In general, what are the required steps to be able to participate in the
documentation? In Java, in PHP? I may very well be motivated to document
whatever I find missing during my work on whatever it is my prof puts me on.
>
>  Best regards,
>
>  Chris
>
>  on 03/08/2011 08:32 PM Chris Schmidt wrote:
>
>  Re: [Esapi-user] ESAPI book
>
>  Absolutely – if you are interested in talking
about doing some formal ESAPI for Java documentation, let me know. You seem
to have a clear writing style and communicate well and we desperately need
some people to take on documentation. :)
>
>  On 3/8/11 2:29 PM, "Christopher Dickinson" <chris.dickinson at gmx.ch>
wrote:
>
>   Dear Chris,
>
>   As I already answered privately to Jim, I'm very happy to hear that my
analysis might be of some use to ESAPI folks. Thanks for your feedback.
>
>   Best regards,
>
>   another Chris
>
>   on 03/08/2011 08:25 PM Chris Schmidt wrote:
>
>  Re: [Esapi-user] ESAPI book
>
>  This is a very solid analysis – thank you so
much Chris! Now, who’s gonna start bringin it up to snuff? :)
>
>   On 3/8/11 1:21 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>
> What an outstanding analysis of the ESAPI Swingset! Thank you for this,
Chris!
>
> https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN
>
>   When this document is done, would you please consider wikifying this and
placing it on the ESAPI wiki?
>
>   If you do not wish to do this, do you mind if we do?
>
>   Thanks all,
>   Jim
>
>   From: Christopher Dickinson [mailto:christopher.dickinson at edu.hefr.ch]
>   Sent: Monday, March 07, 2011 11:53 PM
>   To: Jim Manico
>   Cc: Rudolf Scheurer
>   Subject: Re: ESAPI book
>
>   Dear Jim,
>
>   Thank you for your response. It would be fun to complete the tutorial.
However, it is possible I'll be working on a demo application in PHP
instead. Not decided yet.
>
>   Here's a link to my exploration of swingset, also very much "work in
progress", but if it can be of some use, I'll gladly share it with you.
>
>   https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN
>
>   Best regards,
>
>   Chris
>
>   on 03/08/2011 07:14 AM Jim Manico wrote:
>   Chris,
>
>   Answers inline:
>
> Dear Jim,
>
>   I am working my way through the bundled Tomcat+Swingset demo, writing
>   down my discoveries along the way.
>
>   So far I have found various bugs that look like Swingset was not
>   finished when published. Take for example the page
>   http://localhost:8080/main?function=ChangePassword&insecure which, when
>   submitted, attempts to load the non-existent page
>   http://localhost:8080/main?function=ChangePasswordInsecure. I see that
>   this has been changed in the most recent version on Google Code.
>   Similarly, the XSS page wrongly displays the User Input Validation
>   Tutorial, whereas the most recent version on Google Code has fixed that
>   and seems to have a proper XSS tutorial.
>
>   This is not you - the swingset is not complete. It's a work in progress.
>
> Other things remain puzzling. E.g. the Login tutorial still shows a
>   mostly empty page for the insecure demo
>   (https://code.google.com/p/owasp-esapi-java-swingset/source/browse/trunk/webapp/src/main/webapp/WEB-INF/jsp/LoginInsecure.jsp).
>
>   This is again, not you...
>
>   Before I continue doing work that has surely been done before, would you
>   have any idea if there is an available list of unfinished parts of
>   either the published (bundled ZIP) version of Swingset or else of the
>   most recent source code of Swingset?
>
>   There is not that I know of. We really need someone to "own" this piece
>   of code and keep it up to date. We are desperate for more help on this!
>
> For the moment I'm doing this work merely as part of a global evaluation
>   of ESAPI Swingset. If I ever did attempt to rebundle the latest version,
>   I'll need to know what issues remain and which ones I might want to fix
>   before creating a new bundle.
>
>   Do you have time to list those issues out? We really lost track of this
>   piece of code. It needs some love. :)
>
>   Thank you, very much, for this help.
>
>   - Jim
>
>   Thank you for your help!
>
>   Best regards,
>
>   Chris
>
>   p.s. I haven't downloaded and compiled the latest version of Swingset.
>   Do you happen to know if it is in a stable state? Would it be worth
>   examining that version instead of the tomcat+swingset version I'm
>   currently working with?
>
>   on 03/03/2011 08:50 AM Jim Manico wrote:
>
> So far I have the impression that ESAPI for Java was the first and still
>   is the most active project of all language specific ESAPI versions. Can
>   you confirm that?
>
>  Agreed! You can see this in the google code activity metric.
>
>   Also, can you confirm that ESAPI for Java would be the
>   best place to start for getting to know ESAPI? I noticed that the
>
> --
>
> Christopher Dickinson
> Blvd. de Pérolles 93
> CH-1700 Fribourg
>
> chris.dickinson at gmx.ch
> +41'76'468'01'02
>
