[owasp-intrinsic-security] Fwd: Defending XSSAttachs-by Browsers

Robert Hansen robert at sectheory.com
Tue Sep 2 13:02:08 EDT 2008


Yes, for legal reasons eBay cannot modify listings since it messes up the integrity of the page.  Anti-samy changes the page, and removes JavaScript (even valid JavaScript that is allowed).  It's good for some sites, it's just not good for everyone.

I guess you could recommend SSP to them, it's just like recommending they use the next version of the HTML standard - they're already planning on it.  It'll just take time, like any browser changes.

Robert Hansen, CISSP
CEO -- SecTheory LLC
Cell: (530) 521-2542
FAX: (512) 628-6299

From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com]
Sent: Tuesday, September 02, 2008 10:04 AM
To: Robert Hansen; owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Fwd: Defending XSSAttachs-by Browsers

Agree with you on mostly everything here. Just two things:

> Anti-Samy is great, but it again flies in the face of completely open HTML.

Can you elaborate? You can paste any kind of code into AntiSamy - dirty, broken fragmented HTML or clean code generated from a WYSIWYG.

> As I said, this is not a suggestion we as a group need to make.  It's already well understood by both FF and
> IE and has been since I first started talking about it with them 3-4 years ago.

Even if they are aware of it, I think we should still recommend it (and the jail). This group is as much about implementing real-life solutions to webappsec problems as it is drawing a line in the sand in a non-confrontational way. There is value in saying "Today, September 1st, OWASP is telling the world as a publicly recognized authority, these are the security technologies that will help protect consumers."

Cheers,
Arshan

