[Owasp-leaders] ZAP as a Service

Jim Manico jim.manico at owasp.org
Thu May 28 16:15:18 UTC 2015


Avoid any UI/Template framework that...

1) Forces you to do output encoding/escaping manually or does not do 
context aware auto-escaping.
2) Is lacking HTML sanitization
3) Does not support CSP

The two best UI platforms right now (in terms of XSS resistance), IMO, 
are Go Templates and Angular.

Aloha,
Jim
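As an added illustration of the first point above (example code written for this page, not from the thread, from Angular or from Go Templates), here is a minimal context-aware encoder in JavaScript; the function names and the accepted scheme list are my own assumptions:

```javascript
// Added example, not code from the thread or from any framework: a
// minimal context-aware encoder that shows why one "escape for HTML"
// pass is not enough, which is the point behind the first criterion.
// Assumes Node.js or any ES2015+ runtime; no dependencies.

// Context 1: HTML text node. Neutralise the tag/entity metacharacters.
function encodeForHtmlText(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Context 2: value inside a double-quoted attribute. Hex-encoding every
// non-alphanumeric code point leaves nothing that could end the quote.
function encodeForHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Context 3: a URL bound for href/src. Character escaping is useless here
// because "javascript:" contains no metacharacters; the scheme itself is
// the problem. Allow-list schemes and relative URLs instead (AngularJS's
// sanitizer takes the same approach and prefixes rejects with "unsafe:").
// The accepted scheme list is an assumption made for this example.
const SAFE_URL = /^(?:(?:https?|mailto):|[^:\/?#]*(?:[\/?#]|$))/i;
function encodeForUrlAttr(s) {
  const url = String(s).trim();
  return encodeForHtmlAttr(SAFE_URL.test(url) ? url : 'unsafe:' + url);
}

// The manual-escaping anti-pattern: one HTML-text encoder for every slot.
// The label is fine, but the scheme in href survives untouched.
function renderLinkNaive(href, label) {
  return `<a href="${encodeForHtmlText(href)}">${encodeForHtmlText(label)}</a>`;
}

// Context-aware version: each slot gets the encoder for its own context.
function renderLink(href, label) {
  return `<a href="${encodeForUrlAttr(href)}">${encodeForHtmlText(label)}</a>`;
}

// Constructed inputs: a harmless javascript: URL and a label with markup.
console.log(renderLinkNaive('javascript:void(0)', '<b>click</b>'));
console.log(renderLink('javascript:void(0)', '<b>click</b>'));
console.log(renderLink('/docs?page=1', 'docs'));
```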


On 5/28/15 5:38 PM, psiinon wrote:
> I was going to have this discussion on the ZAP Dev Group, but I'm also 
> very interested to hear the opinions of the members of this list :)
>
> Angular is definitely on my list to look closely at, as is React.js
>
> Any other suggestions, either to look at or avoid?
>
> Many thanks,
>
> Simon
>
> On Thu, May 28, 2015 at 4:27 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     I personally recommend Angular templates. This is quickly becoming
>     the de facto standard for XSS resistant templating. It's one of the
>     only popular context-aware auto-escaping templates, it has a
>     built-in HTML sanitizer, and it offers an integrated CSP module.
>
>     If you have a greenfield project choice - go angular. Just make
>     sure your developers are using the HTML sanitizer anytime they
>     disable escaping for a certain field.
>
>     Aloha,
>     Jim
>
>     On 5/28/15 4:38 PM, Dinis Cruz wrote:
>>     Let me (or Michael Hidalgo from OWASP in Costa Rica) know if you
>>     want a NodeJS front-end that runs with Jade Templates (with no or
>>     minimal JavaScript)
>>
>>     That is what we spend our days coding in :)
>>
>>     Dinis
>>
>>     On 28 May 2015 at 13:40, psiinon <psiinon at gmail.com
>>     <mailto:psiinon at gmail.com>> wrote:
>>
>>         We certainly don't want to hand-craft a load of JS and cope
>>         with all of the different browser variations ;)
>>         So yes, I expect we'll be using a JS framework.
>>         I've started investigating them, but it's early days - this is
>>         one we'll definitely be discussing on the ZAP Developer Group.
>>
>>         Cheers,
>>
>>         Simon
>>
>>         On Thu, May 28, 2015 at 1:36 PM, johanna curiel curiel
>>         <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>>         wrote:
>>
>>             Hi Simon
>>
>>
>>             You mentioned you will use HTML5, are you planning to
>>             use this in combination with any JavaScript frameworks or
>>             the use of JSP could be implemented?
>>
>>             regards
>>
>>             Johanna
>>
>>             On Thu, May 28, 2015 at 7:23 AM, psiinon
>>             <psiinon at gmail.com <mailto:psiinon at gmail.com>> wrote:
>>
>>                 Leaders,
>>
>>                 Last week at Amsterdam I announced a new direction
>>                 for ZAP - ZAP as a Service (ZaaS).
>>                 I've just published a blog post which gives a few
>>                 more details:
>>                 http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html
>>
>>                 I think this is a major development for ZAP, which is
>>                 why I've posted to this list ;)
>>
>>                 Cheers,
>>
>>                 Simon
>>
>>                 -- 
>>                 OWASP ZAP <https://www.owasp.org/index.php/ZAP>
>>                 Project leader
>>
>>                 _______________________________________________
>>                 OWASP-Leaders mailing list
>>                 OWASP-Leaders at lists.owasp.org
>>                 <mailto:OWASP-Leaders at lists.owasp.org>
>>                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>         -- 
>>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>
>
> -- 
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
