[Owasp-guide] Volunteering for Output Encoding Chapter

Tim Kulp timkulp at live.com
Thu May 17 18:01:31 UTC 2012

Typo indeed...sorry!

Another thought, one way that I always illustrate a best practice is to show the attack first. Should we perhaps have a section of attack demonstrations and then show how each defense works as a layer to protect against it?

From: Kevin W. Wall 
Sent: Thursday, May 17, 2012 11:25 AM
To: Jim Manico 
Cc: owasp-guide at lists.owasp.org ; Abraham Kang 
Subject: Re: [Owasp-guide] Volunteering for Output Encoding Chapter

Perhaps the approach should be to first describe all the common defensive techniques;
e.g., input validation, canonicalization, output encoding, sandboxing, cryptography, etc.
followed by some specific sections to address common vulnerabilities such as XSS.
That means that the XSS section (say) could be a lot shorter because the background
of all the defensive techniques would have already been described and all you would
need to do would be to show how to make all the relevant defenses play together
correctly to address the problem at hand.


On Thu, May 17, 2012 at 11:00 AM, Jim Manico <jim.manico at owasp.org> wrote:

  I'd personally like to see both an Output Encoding section AND a XSS defense section.

  XSS defense involves:

  Output encoding, input validation, safe JSON parsing, sandboxing, DOM XSS API avoidance, HTML policy-based validation, etc. XSS defense is way WAY more than just OE.


  Jim Manico
  VP, Security Architecture
  WhiteHat Security
  (808) 652-3805

  On May 16, 2012, at 9:02 PM, Abraham Kang <abraham.kang at owasp.org> wrote:

    I think output encoding can apply to any executable context including command line output, XML, shell script, SQL. If the chapter is too focused on XSS, I can modify it.


    On May 14, 2012 8:10 PM, "Jim Manico" <jim.manico at owasp.org> wrote:


      Can we rename the output encoding section and call it "XSS Prevention" instead?

      Complete XSS prevention requires validation, HTML policy validation, proper JSON parsing and a host of other techniques other than just output encoding. 

      Fair? Interested?


I want to volunteer to take the Output Encoding Chapter.  I added the
chapter a while ago but it has been sitting idle.

The content is pretty much done but may need minor reorganization.



Owasp-guide mailing list
Owasp-guide at lists.owasp.org

      Jim Manico

      Connections Committee Chair
      Cheatsheet Series Product Manager
      OWASP Podcast Producer/Host

      jim at owasp.org


Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

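Abraham's point above, that output encoding is context-specific rather than an XSS-only technique, as an added example that is not part of this thread or of the OWASP Guide. The encoder names, the four contexts chosen (HTML body, HTML attribute, JavaScript string literal, URL parameter) and the two structural checks are assumptions of this example, written to show that the HTML-body encoder is the wrong tool for an unquoted attribute or a JS string.

```javascript
// Added example, not OWASP Guide code: one encoder per output context, plus two
// structural checks showing why the HTML-body encoder alone is not enough.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

// HTML body context: entity-encode the six characters that matter there.
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, c => HTML_MAP[c]);
}

// HTML attribute context: encode everything but alphanumerics as &#xHH; so the
// value cannot break out even of an unquoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string-literal context: \xHH below code point 0x100, else \uHHHH.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? '\\x' + cp.toString(16).padStart(2, '0')
                      : '\\u' + cp.toString(16).padStart(4, '0');
  });
}

// URL query-parameter context: percent-encode a single component.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

const ENCODERS = { html: encodeForHtml, attr: encodeForHtmlAttribute,
                   js: encodeForJsString, url: encodeForUrlParam };

// Choose the encoder by the context the value is about to be written into;
// an unknown context is an error, never a silent fallback to HTML encoding.
function encodeFor(context, value) {
  if (!ENCODERS[context]) throw new Error('unknown output context: ' + context);
  return ENCODERS[context](value);
}

// An unquoted attribute value is intact only if no delimiter character remains...
function attrValueIntact(body) {
  return /^[^\s"'<>=`]*$/.test(body);
}
// ...and a single-quoted JS literal body is intact only if every backslash starts
// one of the escapes emitted above and no raw quote or newline is left.
function jsLiteralIntact(body) {
  return /^(?:[^'\\\r\n]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*$/.test(body);
}
```

A backslash is the classic case: HTML encoding leaves it untouched, so `'<%= htmlEncode(v) %>'` becomes an unterminated JS string, while the JS-string encoder turns it into `\x5c`.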