[GPC] Swingset v05b2 vs. Swingset v1 confusion

Craig Younkins craig.younkins at owasp.org
Fri Mar 18 15:48:15 EDT 2011


I should not be appointed a release leader as my involvement in OWASP has
been severely limited lately.

Craig Younkins

On Fri, Mar 18, 2011 at 11:37 AM, Fabio Cerullo <fcerullo at gmail.com> wrote:

> Hi Paulo,
>
> That is correct... unless someone raises their hand please go ahead with
> the changes.
>
> I will then update the google code repository for Swingset Interactive to
> point to a more meaningful url location other than
> http://code.google.com/p/swingset-demo/downloads/list to avoid further
> confusion with Swingset Demo.
>
> Thanks,
>
> Fabio
>
>
> On Thu, Mar 17, 2011 at 4:41 PM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
>
>> Fabio and all,
>>
>>
>>
>> Please confirm or clarify the following course of action.
>>
>>
>>
>> 1.      Renaming of the ESAPI Swingset RC 4 release (which contains
>> the downloadable file esapi_swingsetv1.0.zip -
>> http://code.google.com/p/swingset-demo/downloads/list) to Swingset
>> Interactive. Additionally, appointing you as release co-leader.
>>
>> 2.      Creation of the Swingset Demo release (which contains the
>> Swingset_with_tomcat_05b2.zip -
>> http://code.google.com/p/owasp-esapi-java-swingset/downloads/list).
>> Additionally, appointing Craig Younkins as release leader.
>>
>>
>>
>> Thanks,
>>
>> - Paulo
>>
>>
>>
>>
>>
>> Paulo Coimbra,
>>
>> OWASP Project Manager <http://www.owasp.org/index.php/User:Paulo_Coimbra>
>>
>>
>>
>> *From:* Fabio Cerullo [mailto:fcerullo at gmail.com]
>> *Sent:* Thursday, 17 March 2011 10:05
>> *To:* Dave Wichers
>> *Cc:* Craig Younkins; chris.dickinson at gmx.ch; Chris Schmidt; Jim Manico;
>> Jeff Williams; cathal.p.courtney at aib.ie; kfealz at gmail.com; Paulo Coimbra
>>
>> *Subject:* Re: Swingset v05b2 vs. Swingset v1 confusion
>>
>>
>>
>> Dave et al,
>>
>> Please allow me to clarify the situation here:
>>
>> - Swingset v05b2: This version has been developed by Craig and it was
>> originally intended to show how ESAPI helps you to remediate vulnerabilities
>> in Swingset. This means, Swingset highlights a particular vulnerability in
>> one page, and then in another one it shows you how ESAPI fixed the issue.
>> Therefore, this is only a DEMO application showing the benefits of ESAPI for
>> Java.
>>
>> - Swingset v1.0: This version has been developed by Cathal and myself to
>> fulfill an internal training requirement at AIB. We took the backbone of
>> Swingset v05b2 and created labs for developers to use making it an
>> INTERACTIVE application. The goal of this application is to teach developers
>> about the functionality of the ESAPI library and give users a practical
>> understanding of how it can be used to protect web applications against
>> common security vulnerabilities. This customized version of Swingset has
>> been donated back to OWASP and I presented it at AppSec DC last year as Dave
>> correctly pointed out.
>>
>>
>>
>> I understand the confusion these two versions could generate and my
>> suggestion would be to rebrand them as follows:
>>
>>
>>
>> Swingset v05b2 -> Swingset Demo
>>
>> Swingset v1.0 ->   Swingset Interactive
>>
>>
>>
>> If everybody is in favour I will ask Paulo Coimbra to proceed with these
>> changes.
>>
>>
>>
>> Thank you,
>>
>>
>>
>> Fabio Cerullo
>>
>>
>> On Thu, Mar 17, 2011 at 2:47 AM, Dave Wichers <dave.wichers at owasp.org>
>> wrote:
>> >
>> > It's definitely an OWASP effort, but I think it has effectively forked
>> the ESAPI for Java Swingset as it's very different. I don’t think it
>> necessarily replaces the old one. Fabio would have to let us know about
>> whether his new one incorporates most everything in the old one or if it’s a
>> separate (yet another) example ESAPI demo app.
>> >
>> >
>> >
>> > I know his version supported people to do coding labs in some manner
>> which the first version didn’t explicitly do. Fabio did a presentation on
>> what he did at AppSec DC 2010. The video of it is here:
>> http://vimeo.com/20168586, and slides:
>> http://www.owasp.org/images/2/24/Esapi_swingset_talk_dc.ppt.
>> >
>> >
>> >
>> > -Dave
>> >
>> >
>> >
>> > From: cyounkins at gmail.com [mailto:cyounkins at gmail.com] On Behalf Of
>> Craig Younkins
>> > Sent: Wednesday, March 16, 2011 4:54 PM
>> > To: Dave Wichers
>> > Cc: fcerullo at gmail.com; chris.dickinson at gmx.ch; Chris Schmidt; Jim
>> Manico; Jeff Williams; cathal.p.courtney at aib.ie; kfealz at gmail.com
>> > Subject: Re: Swingset v05b2 vs. Swingset v1 confusion
>> >
>> >
>> >
>> > My last work was on the owasp-esapi-java-swingset project.
>> >
>> >
>> >
>> > My understanding was that AIB was creating a customized version of the
>> Swingset, which is the swingset-demo project. I hadn't heard that it was
>> approved to replace the previous version. The swingset-demo project does not
>> indicate it is an OWASP project, so linking to it from the OWASP page as if
>> it is one kinda bothers me. It's unclear to me whether or not it is an OWASP
>> project.
>> >
>> >
>> >
>> > Craig Younkins
>> >
>> >
>> >
>> > On Wed, Mar 16, 2011 at 1:20 PM, Dave Wichers <dave.wichers at owasp.org>
>> wrote:
>> >
>> > I think Fabio can best answer this as he is the author of the latest
>> version of the Swingset app.
>> >
>> >
>> >
>> > I believe Craig Younkins was the last person to work on the previous
>> version.
>> >
>> >
>> >
>> > Fabio – once we get this clarified can we update our website to make
>> this more clear to minimize confusion for other interested parties in the
>> future?
>> >
>> >
>> >
>> > Thanks, Dave
>> >
>> >
>> >
>> > From: Christopher Dickinson [mailto:christopher.dickinson at edu.hefr.ch]
>> > Sent: Wednesday, March 16, 2011 1:09 PM
>> > To: Chris Schmidt; Jim Manico; Jeff Williams; craig.younkins at owasp.org;
>> cathal.p.courtney at aib.ie; fcerullo at gmail.com; kfealz at gmail.com;
>> planetlevel at gmail.com; singhpawanpreet at gmail.com; dwichers at gmail.com
>> > Subject: Swingset v05b2 vs. Swingset v1 confusion
>> > Importance: High
>> >
>> >
>> >
>> > Hello,
>> >
>> > For those of you who are not interested or not involved, please forgive
>> me for mailing this to you. Since I don't know yet who is mainly responsible
>> for Swingset, I'm writing to all of you in the hope that at least one of you
>> will turn out to be the right person (or tell me who is) !
>> >
>> > As some of you already know, I am looking into the current state of
>> ESAPI Swingset. Today something embarrassing happened. I realized I have
>> most likely been working on an OLD version of the Swingset, as I discovered
>> a second one which is quite different in many ways.
>> >
>> > On the ESAPI Swingset "Home Page" (
>> http://www.owasp.org/index.php/ESAPI_Swingset), I read early on in my
>> investigations that "All downloads are hosted on the Google Code site. You
>> can find the latest downloads for the project here." (
>> https://code.google.com/p/owasp-esapi-java-swingset/downloads/list). This
>> hosts 3 archives (source, WAR and Tomcat bundle, version "05b2")
>> >
>> > Only if you click on the tab "Project About" do you see something about
>> a "current release" pointing ultimately to a whole different Google code
>> project, this one here:
>> https://code.google.com/p/swingset-demo/downloads/list containing a
>> Swingset bundle "version 1" with instructions to import the project into
>> eclipse and run from there.
>> >
>> > I followed the "version 1" instructions today and the tutorial looks
>> quite different indeed. According to Google's activity rating, this
>> "version 1" is more active, even though there are only 2 commits.
>> >
>> > My questions to all of you, i.e. to any one who can give me an answer:
>> >
>> > What is the exact relationship between these two "versions" of Swingset
>> downloads / releases?
>> > Who would be authorized to change the OWASP ESAPI Web pages to make this
>> distinction much clearer to people like myself who want to understand what
>> Swingset is and how to use it?
>> > Whom could I contact for future questions about the current state of
>> Swingset and possible future improvements (cf. my semester project mentioned
>> in the mails below)?
>> >
>> > If any one among you could give me any indication about these issues I
>> would be most grateful!
>> >
>> > Thanks for your time,
>> >
>> > Best regards,
>> >
>> > Chris Dickinson
>> >
>> >
>> >
>> > on 03/10/2011 10:15 PM Christopher Dickinson wrote :
>> >
>> > Dear Chris, Dear Jim,
>> >
>> > A day later than planned, my professor and I decided upon the main
>> objectives for my semester project. We want to:
>> >
>> > create an extensive evaluation of the 2009 Swingset version.
>> > fix the 2009 Swingset to make sure we understand its intended
>> functionality fully.
>> > build a new bundled Swingset version based upon the newest version of
>> the code in the SVN trunk and the insights into the 2009 version.
>> > possibly take a quick look at the state of ESAPI in general and ESAPI
>> for PHP in specific.
>> > (personally, I would like to see an easy-to-install,
>> platform-independent version of Swingset.)
>> >
>> > My professor hopes to be able to use Swingset as didactical material for
>> his classes in the future. Other projects, such as the PHP demo application
>> we had envisioned for my own semester project, will have to be done at later
>> time.
>> >
>> > I have created a slightly more detailed scope statement which you will
>> find attached. I'm sharing it with you since a new version of the Swingset
>> could be interesting for the ESAPI project as a whole and also because I
>> would appreciate your input on how you would suggest approaching the task,
>> how not to redo work that has already been done, and how to do it as
>> efficiently as possible. Most of all, if you know of anyone I could possibly
>> ask for tips along the way (e.g. the person who originally designed the
>> Swingset?), that would be very useful to me!
>> >
>> > Thanks again for your help so far.
>> >
>> > Best regards,
>> >
>> > Chris
>> >
>> > p.s. @Chris: no, I haven't committed anything yet. Neither to the PHP
>> project nor to any other ESAPI project. I'll certainly get in touch if I
>> think I have something to contribute towards the ESAPI documentation during
>> my work on Swingset.
>> >
>> > on 03/08/2011 08:48 PM Chris Schmidt wrote :
>> >
>> > There are no steps right now – tell me you want to do it and it’s all
>> you.
>> >
>> > Have you been committing to the php project recently? It is leaderless
>> right now and I am about to put out a call to the php devs for a new leader
>> to step up. Watch your inbox if you’re interested. :)
>> >
>> > A note on the documentation. Our hope is to be able to pull enough good
>> documentation together to publish an ESAPI book soon. So any contributors
>> will be published authors.
>> >
>> >
>> > On 3/8/11 2:42 PM, "Christopher Dickinson" <chris.dickinson at gmx.ch>
>> wrote:
>> >
>> >   Thanks :-). I'm doing this work as part of a semester project and will
>> know more about the requirements tomorrow. I might possibly be working with
>> ESAPI for PHP.
>> >
>> >  In general, what are the required steps to be able to participate in
>> the documentation? In Java, in PHP? I may very well be motivated to document
>> whatever I find missing during my work on whatever it is my prof puts me on.
>> >
>> >  Best regards,
>> >
>> >  Chris
>> >
>> >  on 03/08/2011 08:32 PM Chris Schmidt wrote :
>> >
>> >  Re: [Esapi-user] ESAPI book Absolutely – if you are interested in
>> talking about doing some formal ESAPI for Java documentation, let me know.
>> You seem to have a clear writing style and communicate well and we
>> desperately need some people to take on documentation. :)
>> >
>> >
>> >  On 3/8/11 2:29 PM, "Christopher Dickinson" <chris.dickinson at gmx.ch>
>> wrote:
>> >
>> >
>> >
>> >   Dear Chris,
>> >
>> >   As I already answered privately to Jim, I'm very happy to hear that my
>> analysis might be of some use to ESAPI folks. Thanks for your feed-back.
>> >
>> >   Best regards,
>> >
>> >   another Chris
>> >
>> >   on 03/08/2011 08:25 PM Chris Schmidt wrote :
>> >
>> >
>> >  Re: [Esapi-user] ESAPI book This is a very solid analysis – thank you
>> so much Chris! Now, who’s gonna start bringin it up to snuff? :)
>> >
>> >
>> >   On 3/8/11 1:21 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>> >
>> >
>> >
>> >
>> > What an outstanding analysis of the ESAPI Swingset! Thank you for this,
>> Chris!
>> >
>> >
>> https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN
>> >
>> >   When this document is done, would you please consider wikifying this
>> and placing it on the ESAPI wiki?
>> >
>> >   If you do not wish to do this, do you mind if we do?
>> >
>> >   Thanks all,
>> >   Jim
>> >
>> >
>> >   From: Christopher Dickinson [mailto:christopher.dickinson at edu.hefr.ch
>> ]
>> >   Sent: Monday, March 07, 2011 11:53 PM
>> >   To: Jim Manico
>> >   Cc: Rudolf Scheurer
>> >   Subject: Re: ESAPI book
>> >
>> >   Dear Jim,
>> >
>> >   Thank you for your response. It would be fun to complete the tutorial.
>> However, it is possible I'll be working on a demo application in PHP
>> instead. Not decided yet.
>> >
>> >   Here's a link to my exploration of swingset, also very much "work in
>> progress", but if it can be of some use, I'll gladly share it with you.
>> >
>> >
>> https://docs.google.com/document/d/1cmkpheaBZ3gn0DYX0fVw0NIyTBrA7-BzG1s81rxOM7M/edit?hl=de&authkey=CPPQzqYN
>> >
>> >   Best regards,
>> >
>> >   Chris
>> >
>> >   on 03/08/2011 07:14 AM Jim Manico wrote :
>> >   Chris,
>> >
>> >   Answers inline:
>> >
>> >
>> >
>> >
>> > Dear Jim,
>> >
>> >   I am working my way through the bundled Tomcat+Swingset demo, writing
>> >   down my discoveries along the way.
>> >
>> >   So far I have found various bugs that look like Swingset was not
>> >   finished when published. Take for example the page
>> >   http://localhost:8080/main?function=ChangePassword&insecure which, when
>> >   submitted, attempts to load the non-existent page
>> >   http://localhost:8080/main?function=ChangePasswordInsecure. I see that
>> >   this has been changed in the most recent version on Google Code.
>> >   Similarly, the XSS page wrongly displays the User Input Validation
>> >   Tutorial, whereas the most recent version on Google Code has fixed that
>> >   and seems to have a proper XSS tutorial.
>> >
>> >
>> >
>> >
>> >   This is not you - the swingset is not complete. It's a work in
>> >   progress.
>> >
>> >
>> >
>> >
>> >
>> > Other things remain puzzling. E.g. the Login tutorial still shows a
>> >   mostly empty page for the insecure demo
>> >   (
>> https://code.google.com/p/owasp-esapi-java-swingset/source/browse/trunk/webapp/src/main/webapp/WEB-INF/jsp/LoginInsecure.jsp
>> ).
>> >
>> >
>> >
>> >
>> >   This is again, not you...
>> >
>> >
>> >
>> >
>> >   Before I continue doing work that has surely been done before, would you
>> >   have any idea if there is an available list of unfinished parts of
>> >   either the published (bundled ZIP) version of Swingset or else of the
>> >   most recent source code of Swingset?
>> >
>> >
>> >
>> >
>> >   There is not that I know of. We really need someone to "own" this piece
>> >   of code and keep it up to date. We are desperate for more help on this!
>> >
>> >
>> >
>> >
>> >
>> > For the moment I'm doing this work merely as part of a global evaluation
>> >   of ESAPI Swingset. If I ever did attempt to rebundle the latest version,
>> >   I'll need to know what issues remain and which ones I might want to fix
>> >   before creating a new bundle.
>> >
>> >
>> >
>> >
>> >   Do you have time to list those issues out? We really lost track of this
>> >   piece of code. It needs some love. :)
>> >
>> >   Thank you, very much, for this help.
>> >
>> >   - Jim
>> >
>> >
>> >
>> >
>> >
>> >
>> >   Thank you for your help!
>> >
>> >   Best regards,
>> >
>> >   Chris
>> >
>> >   p.s. I haven't downloaded and compiled the latest version of Swingset.
>> >   Do you happen to know if it is in a stable state? Would it be worth
>> >   examining that version instead of the tomcat+swingset version I'm
>> >   currently working with?
>> >
>> >   on 03/03/2011 08:50 AM Jim Manico wrote :
>> >
>> >
>> >
>> >
>> >
>> > So far I have the impression that ESAPI for Java was the first and still
>> >   is the most active project of all language specific ESAPI versions. Can
>> >   you confirm that?
>> >
>> >
>> >
>> >  Agreed! You can see this in the google code activity metric.
>> >
>> >
>> >    Also, can you confirm that ESAPI for Java would be the
>> >
>> >
>> >
>> > best place to start for getting to know ESAPI? I noticed that the
>> >
>> > --
>> >
>> >
>> >
>> > Christopher Dickinson
>> >
>> > Blvd. de Pérolles 93
>> >
>> > CH-1700 Fribourg
>> >
>> >
>> >
>> > chris.dickinson at gmx.ch
>> >
>> > +41'76'468'01'02
>> >
>> >
>> >
>>
>
>