[Owasp-guide] Volunteering for Output Encoding Chapter

Kevin W. Wall kevin.w.wall at gmail.com
Thu May 17 15:25:56 UTC 2012


Perhaps the approach should be to first describe all the common defensive
techniques; e.g., input validation, canonicalization, output encoding,
sandboxing, cryptography, etc., followed by some specific sections to address
common vulnerabilities such as XSS. That means that the XSS section (say)
could be a lot shorter because the background of all the defensive techniques
would have already been described and all you would need to do would be to
show how to make all the relevant defenses play together correctly to address
the problem at hand.

-kevin

On Thu, May 17, 2012 at 11:00 AM, Jim Manico <jim.manico at owasp.org> wrote:

> I'd personally like to see both an Output Encoding section AND a XSS
> defense section.
>
> XSS defense involves:
>
> Output Encoding, Input validation, safe json parsing, sandboxing, DOM XSS
> api avoidance, HTML policy based validation, etc. XSS defense is way WAY
> more than just OE.
>
> Aloha,
>
> --
> Jim Manico
> VP, Security Architecture
> WhiteHat Security
> (808) 652-3805
>
> On May 16, 2012, at 9:02 PM, Abraham Kang <abraham.kang at owasp.org> wrote:
>
> I think output encoding can apply to any executable context including
> command line output, XML, shell script, SQL. If the chapter is too focused
> on XSS, I can modify it.
>
> --Abe
> On May 14, 2012 8:10 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>
>> Abe,
>>
>> Can we rename the output encoding section and call it "XSS Prevention"
>> instead?
>>
>> Complete XSS prevention requires validation, HTML policy validation,
>> proper JSON parsing and a host of other techniques other than just output
>> encoding.
>>
>> Fair? Interested?
>>
>> Aloha,
>> Jim
>>
>>
>> I want to volunteer to take the Output Encoding Chapter. I added the
>> chapter a while ago but it has been sitting idle.
>>
>> The content is pretty much done but may need minor reorganization.
>>
>> Regards,
>> Abe
>>
>>
>>
>>
>> _______________________________________________
>> Owasp-guide mailing list
>> Owasp-guide at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-guide
>>
>>
>>
>> --
>> Jim Manico
>>
>> Connections Committee Chair
>> Cheatsheet Series Product Manager
>> OWASP Podcast Producer/Host
>>
>> jim at owasp.org
>> www.owasp.org
>>
>
>
>


-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein