[Owasp-leaders] Generating Passwords Hopw

Jim Manico jim.manico at aspectsecurity.com
Sat Jan 24 20:29:38 EST 2009


> So, are we doing the same for BEA and IBM in terms of their J2EE containers? 
 
Oracle (acquired BEA Jan 08) Weblogic is not playing ball at all: http://coding-insecurity.blogspot.com/2008/12/oracle-just-doesn-get-it.html
 
Apache Tomcat JSESSIONID Cookie: Some wise, good looking developer submitted a patch to Apache Tomcat, which is close to going live in Tomcat 7 for sure soon (aiming to be a 3.0 servlet container). The core developers are voting to decide on whether to include HTTPOnly support for Tomcat 5/6 right now. https://issues.apache.org/bugzilla/show_bug.cgi?id=44382
 
IBM Websphere: (Sept 08) "WebSphere Application Server has been modified to properly recognize, accept and process HTTP-Only cookies. This support is targeted for fixpacks 6.0.2.21 and 6.1.0.11. Please review the recommended updates page at http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27004980  for more information."
-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security(tm)
Securing your applications at the source
http://www.aspectsecurity.com

________________________________

From: owasp-leaders-bounces at lists.owasp.org on behalf of McGovern, James F (HTSC, IT)
Sent: Fri 1/23/2009 3:37 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw


So, are we doing the same for BEA and IBM in terms of their J2EE containers? Can we also do this for Ruby? What reusable docs can we leverage?

________________________________

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, January 23, 2009 4:11 AM
To: jeff.williams at owasp.org; owasp-leaders at lists.owasp.org; owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw


I want to back up Jeff's conjecture about the power of OWASP talking to Sun regarding the Servlet 3.0 spec.
 
I introduced Jeff to some folks at Sun, and Jeff ended up volunteering an enormous amount of time iterating with the Servlet 3.0 spec team over a large number of issues, beyond what you see below. I had the pleasure of watching some of the conversation. 
 
I also track the developers list at Apache Tomcat. They were dragging their heels regarding HTTPOnly support. As soon as the Servlet 3.0 spec was republished to include HTTPOnly support, the Apache Tomcat team immediately agreed to implement it in Tomcat 7, which is a Servlet 3.0 engine in progress. It's also being considered for Tomcat 5/6. 
 
If it were not for Jeff's efforts in talking to the Servlet 3.0 spec team, the Tomcat team would not have bothered with HTTPOnly and other issues Jeff addresses below. The entire next generation of Servlet container developers and companies will religiously look to the Servlet 3.0 specification. Bugs in the servlet container developer wikis and the like will constantly refer back to this specification as they develop the next gen of servlet containers.
 
Sure, Jeff is my boss, but he will be the first to tell you I give him a hard time when I do not agree. Check out the ESAPI email archives for proof! :)
 
I feel that what Jeff did in talking to the Servlet team is one of the most powerful ways we can spend time as OWASP - convincing the next generation of frameworks to include "baked in" security measures that address the OWASP Top 10 and the like in ways that make it easier for developers to get it right!
-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security
Securing your applications at the source
http://www.aspectsecurity.com

________________________________

From: owasp-leaders-bounces at lists.owasp.org on behalf of Jeff Williams
Sent: Wed 1/21/2009 8:28 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw



Hi Stephen,

I'm pretty surprised by your response. The Servlet spec is a framework of
sorts actually. I think figuring out what level(s) to focus on is a good
discussion for the leaders list. The details below we can take to the Java
list if you want to go into more detail there.

Here are the items I've been working on. Let me know if you think these
should be in Servlet or in a framework.

1) Disallow CR and LF in all HTTP headers. This will stop all
response-splitting/tunneling and file download injection attacks.

2) Disallow unlisted http-methods in security-constraints. This prevents the
bypass of authentication and access control by using verbs like HEAD, JEFF,
etc...

3) Provide support for a cross-site request forgery (CSRF) token. Would
require a token for any pages with a security-constraint in web.xml.

4) Enable HttpOnly flag on JSESSIONID. To prevent one bad consequence of
XSS.

5) Add a security note to 7.1.3 URL Rewriting. Originally I wanted this
removed, but they said no way. This method puts ;jsessionid=9823429347 on the
URL.

6) Encoding/escaping support. To make it easy to properly escape data for
the appropriate HTML context.

--Jeff

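As an added illustration (my code, not from the thread, from Sun's spec work, or from any container), here is a Servlet 2.5 filter that applies items 1, 3 and 4 of the list above at the application layer for containers that do not yet implement them: it refuses CR/LF in any header the application writes, issues and checks a per-session CSRF token on state-changing requests, and overwrites the container's Set-Cookie for a new session so JSESSIONID carries HttpOnly. The class name, the `csrfToken` attribute/parameter name, and the assumption that the session cookie is the default JSESSIONID are mine.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/*
 * Added example, not from the thread or from any container's code: an
 * application-level filter for a Servlet 2.5 container that lacks items
 * 1, 3 and 4.  The class name and "csrfToken" are assumed names.
 */
public class ServletHardeningFilter implements Filter {

    // Assumed name for both the session attribute and the hidden form field.
    private static final String CSRF_TOKEN = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    /* Item 1: a CR or LF inside a header name or value is the primitive behind
     * response splitting; refuse the write instead of letting it through. */
    static String noCrLf(String s) {
        if (s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0)) {
            throw new IllegalArgumentException("CR/LF in HTTP header rejected");
        }
        return s;
    }

    /* Every header the application writes passes through noCrLf(). */
    static class NoSplitResponse extends HttpServletResponseWrapper {
        NoSplitResponse(HttpServletResponse r) { super(r); }
        @Override public void setHeader(String n, String v) { super.setHeader(noCrLf(n), noCrLf(v)); }
        @Override public void addHeader(String n, String v) { super.addHeader(noCrLf(n), noCrLf(v)); }
        @Override public void sendRedirect(String loc) throws IOException { super.sendRedirect(noCrLf(loc)); }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = new NoSplitResponse((HttpServletResponse) res);

        // Create the session up front so the cookie rewrite and the token both apply.
        HttpSession session = request.getSession(true);

        /* Item 4: Servlet 2.5 has no Cookie.setHttpOnly(), so replace the container's
         * Set-Cookie for a freshly created session with one that carries HttpOnly.
         * Assumes the default cookie name JSESSIONID; must run before commit. */
        if (session.isNew()) {
            String path = request.getContextPath().length() == 0 ? "/" : request.getContextPath();
            response.setHeader("Set-Cookie", "JSESSIONID=" + session.getId() + "; Path=" + path
                    + (request.isSecure() ? "; Secure" : "") + "; HttpOnly");
        }

        /* Item 3: one unguessable token per session, checked on every request that
         * can change state; safe methods are exempt. */
        String token = (String) session.getAttribute(CSRF_TOKEN);
        if (token == null) {
            token = new BigInteger(128, RNG).toString(32);
            session.setAttribute(CSRF_TOKEN, token);
        }
        // Exposed so a page can emit <input type="hidden" name="csrfToken" value="...">.
        request.setAttribute(CSRF_TOKEN, token);

        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method) && !"OPTIONS".equals(method)) {
            String supplied = request.getParameter(CSRF_TOKEN);
            // Constant-time comparison so the token cannot be recovered byte by byte.
            if (supplied == null
                    || !MessageDigest.isEqual(token.getBytes("UTF-8"), supplied.getBytes("UTF-8"))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }

        chain.doFilter(request, response);
    }
}
```

Map the filter to the same URL patterns as your security-constraints in web.xml. Two caveats: the wrapper only sees headers the application writes through it, not ones the container emits on its own, and the JSESSIONID rewrite breaks if the container uses a different cookie name or has already committed the response. Item 2 needs no code: a web-resource-collection with no http-method elements applies its constraint to every verb, so listing only GET and POST is what opens the HEAD/JEFF bypass in the first place.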

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen de Vries
Sent: Wednesday, January 21, 2009 10:33 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw


I think trying to get web security issues addressed in the servlet 
spec is aiming at too low a level.  You might have better luck with 
web frameworks projects instead.  Similarly with Ruby, the language 
itself is too low level, but getting security features added to the 
Rails framework might be more feasible.


On Jan 21, 2009, at 3:58 PM, McGovern, James F (HTSC, IT) wrote:

> Is there merit in doing the same type of activity with the Ruby
> community?
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jeff
> Williams
> Sent: Tuesday, January 20, 2009 11:39 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Generating Passwords Hopw
>
> Hi,
>
> I have been working with Sun and the rest of the Servlet team to get
> some better security into the Java Servlet 3.0 specification for the
> last year or so. While it has been interesting and somewhat productive,
> it is *extremely* difficult to get them to acknowledge the idea that
> their APIs need to change for security. I heard every excuse you can
> think of (compatibility, performance, usability, complexity, insanity,
> etc...). Anyway, while I think the goal is good, I'm not optimistic
> about the prospects for just "providing feedback."  I'm leaning towards
> the ESAPI approach of providing safe wrappers or replacements for unsafe
> methods.
>
> --Jeff
> ************************************************************
> This communication, including attachments, is for the exclusive use 
> of addressee and may contain proprietary, confidential and/or 
> privileged information.  If you are not the intended recipient, any 
> use, copying, disclosure, dissemination or distribution is strictly 
> prohibited.  If you are not the intended recipient, please notify 
> the sender immediately by return e-mail, delete this communication 
> and destroy all copies.
> ************************************************************
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


