[Owasp-leaders] Web application framework security comparison

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Wed Jan 28 12:07:56 EST 2009

Hi Arshan,
I double checked the classic ASP list and I think I have no further recommendations.
I do have comments on the .NET side, though.
1. Session rotating. Supported through the "regenerateExpiredSessionId" attribute of the "Web/sessionState" element in web.config; see this reference: http://msdn.microsoft.com/en-us/library/h6bb9cz9.aspx
2. Absolute timeouts. Supported when using Forms authentication. This is done by setting the "slidingExpiration" attribute to "False" at the "Web/authentication/forms" element; see this reference: http://msdn.microsoft.com/en-us/library/532aee0e.aspx
3. Functional authorization. Supported through role-based authorization http://www.asp.net/learn/security/tutorial-11-cs.aspx either programmatically or using source code attributes. And via Source Code Access Security http://msdn.microsoft.com/en-us/library/930b76w0.aspx.
4. Parameterized System Calls. They are parameterized already, check this link http://msdn.microsoft.com/en-us/library/system.diagnostics.processstartinfo.aspx , injection is not allowed in the Process.Start method. (I have tried it :) )
5. API for XML encoding and XML attribute encoding. Supported on .NET XML objects, see this reference for the encoding property of the XmlWriter class: http://msdn.microsoft.com/en-us/library/system.xml.xmlwritersettings.encoding.aspx . There is no EncodeXML function or similar, but that is because that is not the way it is supposed to work. You should not be creating XML in a string and throw it away.
6. API for CSS encoding and Rich Input validation. What is the name of that OWASP project?..... Oh yes, AntiSamy project .NET :P https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project_.NET
7. Detailed Messages Off by Default. They are off by default to non-localhost users, as the error messages setting is set to "Remote Only" by default. I know it is not an absolute "Off" but it is restricted enough to consider it covered with an attached note on the restriction, don't you think :)?
About J2EE:
1. AFAIK detailed messages are not off by default, but since recent versions all the stack trace information is sent to the console, not to the web browser. Although it is not a safe approach, it is also restrictive for application information gathering. Can someone give more info on this?

Juan Carlos Calderon 


From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Arshan Dabirsiaghi
Sent: Wednesday, January 28, 2009 09:42 a.m.
To: owasp-intrinsic-security at lists.owasp.org
Cc: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Web application framework security comparison

Thanks to those of you who made it out to Portugal for the EU Summit. One of our working sessions was focused on creating a consumer report on the security provided by web application frameworks. After some huge initial draft work there, I'm happy to have a beta ready. Of course maintaining this will be a moving target, but right now I'm soliciting a last call for comments and suggestions before making it available to the world at large.
The key is on the spreadsheet. Ideally I would like every tuple that's not "No Plans" to have a supporting comment or link. If you can provide one or can argue for a different value for any tuple, please get back to me soon.
Thanks to everyone for all your help up to this point - let's get this thing finished so we can get it out to the public. I'm sorry I can't let everyone have edit privileges, but I had to make a million reverts when I did that before because I wasn't clear enough with my goals for the spreadsheet, so please just email me and the group your suggestions!
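
As an added example (not part of the original thread and not code from either poster), the C# sketch below illustrates item 5 of the reply above: XML built by string concatenation lets a value turn into markup, while XmlWriter encodes attribute values and element text as it writes them. The class name, method names and sample values are constructed for illustration.

```csharp
using System;
using System.Text;
using System.Xml;

static class XmlEncodingDemo
{
    // Unsafe: the XML is built in a string, so quotes in the value end the attribute.
    static string BuildByConcatenation(string name)
    {
        return "<user name=\"" + name + "\" />";
    }

    // XmlWriter encodes the value according to where it is written.
    static string BuildWithXmlWriter(string name, string comment)
    {
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        var sb = new StringBuilder();
        using (XmlWriter writer = XmlWriter.Create(sb, settings))
        {
            writer.WriteStartElement("user");
            writer.WriteAttributeString("name", name); // attribute encoding
            writer.WriteString(comment);               // element-text encoding
            writer.WriteEndElement();
        }
        return sb.ToString();
    }

    // Parses the result and reports how many attributes the root element carries.
    static int CountAttributes(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        return doc.DocumentElement.Attributes.Count;
    }

    static void Main()
    {
        // Constructed sample input containing XML metacharacters.
        string name = "alice\" role=\"admin";
        string comment = "1 < 2 & \"quoted\"";

        string concatenated = BuildByConcatenation(name);
        string written = BuildWithXmlWriter(name, comment);

        Console.WriteLine(concatenated);
        Console.WriteLine("attributes parsed: " + CountAttributes(concatenated));
        Console.WriteLine(written);
        Console.WriteLine("attributes parsed: " + CountAttributes(written));
    }
}
```

Comparing the two attribute counts shows whether the sample value stayed data or was parsed as an extra attribute.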