[owasp-intrinsic-security] [Owasp-leaders] Web application framework security comparison

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Jan 28 13:31:46 EST 2009

Thanks so much for your feedback! 
1. I'm not sure what the implications of this are. Basically, we want an API for rotating the session ID, and if I'm reading this right it looks like this simply creates a new session ID when one expires - so we don't have the control we're looking for. This may impact #2.
2. This is an interesting protection. It essentially makes all your idle timeout an absolute timeout. So, you can have one or the other. Since most people will probably prefer idle timeouts, I think we have a need for a specifically absolute mechanism that is seperate from idle timeout.
3. You are definitely right. After giving a glance to that functionality I didn't think it had everything we need, but now I see it offers a good amount of flexibility. Updated.
4. Is there any other way to start processes? Updated.
5. We decided that there is a need for this type of API. Basic serialization and deserialization is definitely good to use, but there is XML everywhere on the web these days, and sometimes its usage is not an elegantly architected system, and somebody is going to need a dirty API for making this work.
6. Plugins are not considered. =]
7. Fair enough! Updated.


From: owasp-leaders-bounces at lists.owasp.org on behalf of Calderon, Juan Carlos (GE, Corporate,consultant)
Sent: Wed 1/28/2009 12:07 PM
To: owasp-leaders at lists.owasp.org; owasp-intrinsic-security at lists.owasp.org
Subject: Re: [Owasp-leaders] Web application framework security comparison

HI Arshan
I double checked the classic ASP list and I think I have no further recommendations
I do have comments on the .NET side, though.
1. Session rotating. supported though the "regenerateExpiredSessionId" attribute of "Web/sessionState" element in web.config see this reference http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx
2. Absolute timeouts. Supported when using Forms authentication. This, by setting the "slidingExpiration" attribute to "False" at the "Web/authentication/forms" element see this reference http://msdn.microsoft.com/en-us/library/532aee0e.aspx
3. Functional authorization. Supported though role based authorization http://www.asp.net/learn/security/tutorial-11-cs.aspx either programmatically or using source code attributes. And via Source Code Access Security http://msdn.microsoft.com/en-us/library/930b76w0.aspx.
4. Parameterized System Calls. They are parameterized already, check this link http://msdn.microsoft.com/en-us/library/system.diagnostics.processstartinfo.aspx <http://msdn.microsoft.com/en-us/library/system.diagnostics.processstartinfo.aspx> , injection is not allowed in Process.Start method. (I have tried it :) )
5. API for XML encoding and XML attribute encoding. Supported on .NET XML objects, see this reference for encoding property of XMLWritter class. http://msdn.microsoft.com/en-us/library/system.xml.xmlwritersettings.encoding.aspx. There is no EncodeXML function or similar but that is becuase that is not the way is supposed to work. You should not be creating XML in a string and throw it away.
6. API for CSS encoding and Rich Input validation. What is the name of that OWASP project?..... Oh yes, Anti-Sammy project .NET :P https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET 
7. Detailed Messages Off by Default. They are off by default to non-localhost users as error messages setting is set as "Remote Only" by default. I know it is not an absolute "Off" but it is restricted enough to consider it covered with an attached note on the restriction, don't you think :)?
About J2EE
1. AFAIK detailed messages are not off by default, but since recent versions all the stacktrace information is sent to the console not to the web browser, although is not a safe approach is also restrictive for application information gathering, Someone that can give more info on this?

Juan Carlos Calderon 


From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Arshan Dabirsiaghi
Sent: Miércoles, 28 de Enero de 2009 09:42 a.m.
To: owasp-intrinsic-security at lists.owasp.org
Cc: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Web application framework security comparison

Thanks to those of you who made it out to Portugal for the EU Summit. One of our working sessions was focused on creating a consumer report on the security provided by web application frameworks. After some huge initial draft work there, I'm happy to have a beta ready. Of course maintaining this will be a moving target, but right now I'm soliciting a last call for comments and suggestions before making it available to the world at large.
The key is on the spreadsheet. Ideally I would like every tuple that's not "No Plans" to have a supporting comment or link. If you can provide one or can argue for a different value for any tuple, please get back to me soon.
Thanks to everyone for all your help up to this point - let's get this thing finished so we can get it out the public. I'm sorry I can't let everyone have edit privileges, but I had to make a million reverts when I did that before because I wasn't clear enough with my goals for the spreadsheet, so please just email me and the group your suggestions!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-intrinsic-security/attachments/20090128/1a4c332f/attachment.html 

More information about the owasp-intrinsic-security mailing list