[Owasp-leaders] Web application framework security comparison
Calderon, Juan Carlos (GE, Corporate, consultant)
juan.calderon at ge.com
Wed Jan 28 12:07:56 EST 2009
I double checked the classic ASP list and I think I have no further recommendations.
I do have comments on the .NET side, though.
1. Session rotating. Supported through the "regenerateExpiredSessionId" attribute of the "Web/sessionState" element in web.config; see this reference: http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx
2. Absolute timeouts. Supported when using Forms authentication, by setting the "slidingExpiration" attribute to "False" on the "Web/authentication/forms" element; see this reference: http://msdn.microsoft.com/en-us/library/532aee0e.aspx
3. Functional authorization. Supported through role-based authorization http://www.asp.net/learn/security/tutorial-11-cs.aspx either programmatically or using source code attributes, and via Source Code Access Security http://msdn.microsoft.com/en-us/library/930b76w0.aspx.
4. Parameterized System Calls. They are parameterized already; check this link http://msdn.microsoft.com/en-us/library/system.diagnostics.processstartinfo.aspx. Injection is not allowed in the Process.Start method. (I have tried it :) )
5. API for XML encoding and XML attribute encoding. Supported on .NET XML objects; see this reference for the Encoding property of the XmlWriter class: http://msdn.microsoft.com/en-us/library/system.xml.xmlwritersettings.encoding.aspx. There is no EncodeXML function or similar, but that is because that is not the way it is supposed to work. You should not be creating XML in a string and throwing it away.
6. API for CSS encoding and Rich Input validation. What is the name of that OWASP project?..... Oh yes, the AntiSamy project for .NET :P https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET
7. Detailed Messages Off by Default. They are off by default for non-localhost users, as the error messages setting is set to "Remote Only" by default. I know it is not an absolute "Off", but it is restricted enough to consider it covered, with an attached note on the restriction, don't you think :)?
1. AFAIK detailed messages are not off by default, but since recent versions all the stack trace information is sent to the console, not to the web browser. Although it is not a safe approach, it is also restrictive for application information gathering. Can someone give more info on this?
Juan Carlos Calderon
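An added web.config fragment (not from this thread or from any OWASP project) that puts the three .NET settings named in items 1, 2 and 7 above in one place; the login URL, error page and timeout values are made-up illustration values:

```xml
<!-- Constructed example: hardened values are set in place; each comment
     names the weaker alternative so the difference is visible at review. -->
<configuration>
  <system.web>
    <!-- Item 1: session handling. regenerateExpiredSessionId="true" makes
         ASP.NET issue a fresh ID when a client presents an expired one
         (per MSDN this only takes effect for cookieless session IDs);
         cookieless="UseCookies" keeps the ID out of the URL altogether. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  regenerateExpiredSessionId="true"
                  timeout="20" />

    <!-- Item 2: absolute timeout. slidingExpiration="false" means the forms
         ticket expires "timeout" minutes after issue, not after last use;
         the default "true" renews the ticket on every request. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>

    <!-- Item 7: detailed error pages. "RemoteOnly" (the default) shows stack
         traces to localhost only; "Off" hides them from everyone; "On" would
         expose them to every client. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```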
From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Arshan Dabirsiaghi
Sent: Wednesday, January 28, 2009 09:42 a.m.
To: owasp-intrinsic-security at lists.owasp.org
Cc: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Web application framework security comparison
Thanks to those of you who made it out to Portugal for the EU Summit. One of our working sessions was focused on creating a consumer report on the security provided by web application frameworks. After some huge initial draft work there, I'm happy to have a beta ready. Of course maintaining this will be a moving target, but right now I'm soliciting a last call for comments and suggestions before making it available to the world at large.
The key is on the spreadsheet. Ideally I would like every tuple that's not "No Plans" to have a supporting comment or link. If you can provide one or can argue for a different value for any tuple, please get back to me soon.
Thanks to everyone for all your help up to this point - let's get this thing finished so we can get it out to the public. I'm sorry I can't let everyone have edit privileges, but I had to make a million reverts when I did that before because I wasn't clear enough with my goals for the spreadsheet, so please just email me and the group your suggestions!