<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Jan,<br>
    <br>
    This is largely 2012-2013 era research and many of these vectors
    have been fixed by the various JS framework authors.<br>
    <br>
    Some updated research is needed in this area and be sure to keep
    your frameworks up to date! :)<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
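    <div>Editor's added example (not text or code posted by any participant in this thread, and not Angular's own code): the Angular template discussion quoted further down rests on three distinct binding contexts, and the plain-JavaScript sketch below shows why the distinction matters. Text interpolation is escaped, URL-valued attributes are scheme-checked, and HTML bound as markup goes through an allowlist sanitizer; the one path that lets a payload through is turning escaping off and trusting raw input. The Angular 1.x names in the comments ({{ }}, ng-href, ng-bind-html, $sanitize, $sce.trustAsHtml) are for orientation only; the allowlists, the "unsafe:" prefix behaviour and the sample payload are this example's own assumptions, and the regex tokenizer is a toy for the demo, not a substitute for the framework's sanitizer or a parser-based one.</div>
    <br>
```javascript
// Editor's added example: context-aware escaping versus sanitising "trusted"
// HTML, as a plain-JavaScript illustration of the Angular template point made
// in the thread. This is not Angular's code; the Angular names in comments are
// for orientation only, and the allowlists are assumptions. All sample inputs
// are constructed for the demo.

// Context 1: text interpolation (Angular 1.x {{ value }}). Everything is
// HTML-escaped, so markup inside untrusted data renders as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Context 2: URL-valued attributes (ng-href, ng-src). Angular 1.x checks the
// scheme against an allowlist and prefixes rejected values with "unsafe:".
// The allowlist below approximates its default for a[href] (assumption).
const URL_SCHEME_ALLOWLIST = /^\s*(https?|ftp|mailto|tel|file):/i;
const HAS_SCHEME = /^\s*[a-z][a-z0-9+.-]*:/i;
function sanitizeUrl(value) {
  const v = String(value);
  if (!HAS_SCHEME.test(v) || URL_SCHEME_ALLOWLIST.test(v)) return v; // relative or allowed scheme
  return 'unsafe:' + v; // javascript:, data:, vbscript:, ...
}

// Context 3: HTML bound as markup (ng-bind-html). Escaping is off here, so
// the value must go through an allowlist sanitiser, not $sce.trustAsHtml on
// raw input. Toy regex tokenizer: fine for the demo, not for production.
const ALLOWED_TAGS = new Set(['a', 'b', 'br', 'em', 'i', 'li', 'p', 'strong', 'ul']);
const ALLOWED_ATTRS = new Set(['href', 'title']);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/y;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitizeAttrs(rawAttrs) {
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_ATTRS.has(name)) continue;                 // drops on*, style, srcdoc, ...
    if (name === 'href' && sanitizeUrl(value).startsWith('unsafe:')) continue; // drops javascript: links
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  // Drop comments and script/style elements together with their content first.
  const src = String(html)
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  let out = '';
  let i = 0;
  while (i < src.length) {
    const lt = src.indexOf('<', i);
    if (lt === -1) { out += escapeHtml(src.slice(i)); break; }
    out += escapeHtml(src.slice(i, lt));
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(src);
    if (!m) { out += '&lt;'; i = lt + 1; continue; }         // stray '<' in text
    i = TAG_RE.lastIndex;
    const [, close, rawTag, rawAttrs] = m;
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;                     // unknown element dropped, its text kept
    out += close ? `</${tag}>` : `<${tag}${sanitizeAttrs(rawAttrs)}>`;
  }
  return out;
}

// The same untrusted value through each binding path. Only the middle one is
// what an attacker wants: escaping disabled and no sanitiser in between.
function render(untrusted) {
  return {
    interpolated: escapeHtml(untrusted),   // {{ untrusted }}
    trustedRaw: untrusted,                 // ng-bind-html + $sce.trustAsHtml(untrusted): XSS
    sanitized: sanitizeHtml(untrusted),    // ng-bind-html + $sanitize(untrusted)
  };
}

const PAYLOAD = '<img src=x onerror=alert(1)>'; // constructed sample input
console.log(render(PAYLOAD));
```
    <div>Run with <code>node</code>; the three fields of <code>render(PAYLOAD)</code> show the payload rendered as text, injected raw, and stripped by the allowlist. The practical check from the thread is the middle path: wherever a developer turns off escaping for a field, the value should pass through the sanitizer rather than being marked trusted as-is.</div>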
    <div class="moz-cite-prefix">On 6/2/15 1:41 PM,
      <a class="moz-txt-link-abbreviated" href="mailto:jan.kopecky@owasp.org">jan.kopecky@owasp.org</a> wrote:<br>
    </div>
    <blockquote cite="mid:556e15f3.446bb40a.20b1.ffffe1c3@mx.google.com"
      type="cite">
      <div data-externalstyle="false" dir="ltr" style="font-family:
        'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei UI',
        'Microsoft JhengHei UI', 'Malgun Gothic',
        'sans-serif';font-size:12pt;">
        <div>Hello all,</div>
        <div><br>
        </div>
        <div>I believe most of you already know this, but just to be
          sure:</div>
        <div><br>
        </div>
        <div><a moz-do-not-send="true"
            href="https://code.google.com/p/mustache-security/"
            target="_parent">https://code.google.com/p/mustache-security/</a></div>
        <div><br>
        </div>
        <div>Mario is responsible for this one. Very interesting reading
          when dealing with any JS MVC Framework.</div>
        <div><br>
        </div>
        <div>Thank you,</div>
        <div><br>
        </div>
        <div>Jan<br>
        </div>
        <div data-signatureblock="true">
          <div><br>
          </div>
          <div>Sent from Surface Pro</div>
          <div><br>
          </div>
        </div>
        <div style="padding-top: 5px; border-top-color: rgb(229, 229,
          229); border-top-width: 1px; border-top-style: solid;">
          <div><font style="line-height: 15pt; letter-spacing: 0.02em;
              font-family: 'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei UI',
              'Microsoft JhengHei UI', 'Malgun Gothic', 'sans-serif'; font-size: 12pt;"
              face=" 'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei
              UI', 'Microsoft JhengHei UI', 'Malgun Gothic',
              'sans-serif'"><b>From:</b> <a moz-do-not-send="true"
                href="mailto:jim.manico@owasp.org" target="_parent">Jim
                Manico</a><br>
              <b>Sent:</b> Saturday, May 30, 2015 5:54 AM<br>
              <b>To:</b> <a moz-do-not-send="true"
                href="mailto:matt.tesauro@owasp.org" target="_parent">Matt
                Tesauro</a>, <a moz-do-not-send="true"
                href="mailto:eoin.keary@owasp.org" target="_parent">Eoin
                Keary</a><br>
              <b>Cc:</b> <a moz-do-not-send="true"
                href="mailto:owasp-leaders@lists.owasp.org"
                target="_parent">owasp-leaders@lists.owasp.org</a></font></div>
        </div>
        <div><br>
        </div>
        <div dir=""> Whoa!<br>
          <br>
          > <span style="font-size: 12.8px;">Assuming you will do a
            REST API, I'd strongly suggest you shoot for level 2 or
            ideally level 3 that Fowler writes about at:</span>
          <div><span style="font-size: 12.8px;"><a
                moz-do-not-send="true"
                href="http://martinfowler.com/articles/richardsonMaturityModel.html"
                target="_parent">http://martinfowler.com/articles/richardsonMaturityModel.html</a><br>
              <br>
              What a great REST resource. It's very helpful in terms of
              education. Thanks for passing this along, Matt.<br>
              <br>
              Looking forward to seeing ZaaS go live. :)<br>
              <br>
              Aloha,<br>
              Jim<br>
              <br>
              <br>
              <br>
            </span></div>
          <br>
          <div class="moz-cite-prefix">On 5/29/15 12:28 PM, Matt Tesauro
            wrote:<br>
          </div>
          <blockquote style="margin-top: 0px; margin-bottom: 0px;"
cite="mid:CALKUk+NiQU_T9JLB4n9-X7fotRQuYbqkHYg2eHuZRav+u0tO6Q@mail.gmail.com">
            <div dir="ltr">> <span style="font-size: 12.8px;">the
                backend can be 100% API based</span>
              <div><span style="font-size: 12.8px;"><br>
                </span></div>
              <div><span style="font-size: 12.8px;">Which is awesome for
                  those of us who want to automate and completely skip
                  the UI.</span></div>
              <div><span style="font-size: 12.8px;"><br>
                </span></div>
              <div><span style="font-size: 12.8px;">Assuming you will do
                  a REST API, I'd strongly suggest you shoot for level 2
                  or ideally level 3 that Fowler writes about at:</span></div>
              <div><span style="font-size: 12.8px;"><a
                    moz-do-not-send="true"
                    href="http://martinfowler.com/articles/richardsonMaturityModel.html"
                    target="_parent">http://martinfowler.com/articles/richardsonMaturityModel.html</a></span></div>
              <div><span style="font-size: 12.8px;"><br>
                </span></div>
              <div><span style="font-size: 12.8px;">It will make your
                  (and your users') interaction with the API much nicer
                  from a programming perspective.</span></div>
              <div><span style="font-size: 12.8px;"><br>
                </span></div>
              <div><span style="font-size: 12.8px;">Keep up the stellar
                  ZAP work! </span></div>
            </div>
            <div class="gmail_extra"><br clear="all">
              <div>
                <div class="gmail_signature">--<br>
                  -- Matt Tesauro<br>
                  OWASP WTE Project Lead<br>
                  <a moz-do-not-send="true"
                    href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project"
                    target="_parent">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a><br>
                  <a moz-do-not-send="true" href="http://AppSecLive.org"
                    target="_parent">http://AppSecLive.org</a> -
                  Community and Download site
                  <div>OWASP OpenStack Security Project Lead
                    <div><a moz-do-not-send="true"
                        href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project"
                        target="_parent">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></div>
                  </div>
                </div>
              </div>
              <br>
              <div class="gmail_quote">On Fri, May 29, 2015 at 3:28 AM,
                Eoin Keary <span dir="ltr"><<a
                    moz-do-not-send="true"
                    href="mailto:eoin.keary@owasp.org" target="_parent">eoin.keary@owasp.org</a>></span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin: 0px 0px
                  0px 0.8ex; padding-left: 1ex; border-left-color:
                  rgb(204, 204, 204); border-left-width: 1px;
                  border-left-style: solid;">
                  <div dir="auto">
                    <div>If you use Angular the backend can be 100% API
                      based, which reduces the work and also opens up a
                      rich API for headless mode.<span class="HOEnZb"><font
                          color="#888888"><br>
                          <br>
                          Eoin Keary
                          <div>BCC Risk Advisory - <span
                              style="font-size: 13pt;">edgescan </span><span
                              style="font-size: 13pt;">CTO</span></div>
                          <div><span style="font-size: 13pt;">Gartner
                              "notable vendor" MSSP MQ</span></div>
                          <div><span style="font-size: 13pt;"><br>
                            </span></div>
                          <div><br>
                          </div>
                        </font></span></div>
                    <div>
                      <div class="h5">
                        <div><br>
                          On 29 May 2015, at 08:45, The Black Labrador
                          <<a moz-do-not-send="true"
                            href="mailto:mike.goodwin@owasp.org"
                            target="_parent">mike.goodwin@owasp.org</a>>

                          wrote:<br>
                          <br>
                        </div>
                        <blockquote style="margin-top: 0px;
                          margin-bottom: 0px;">
                          <div>
                            <div>
                              <div style="font-family:
                                Calibri,sans-serif; font-size: 11pt;">Angular
                                2 is a worry. All the signs are that
                                migration from v1 is not going to be a
                                high priority for them. Mobile first,
                                then larger form factors, then
                                migration...maybe.<br>
                                <br>
                                Angular is great, but they will lose a
                                lot of trust and users in my opinion.<br>
                                <br>
                                Mike</div>
                            </div>
                            <div dir="ltr">
                              <hr><span style="font-family:
                                Calibri,sans-serif; font-size: 11pt;
                                font-weight: bold;">From: </span><span
                                style="font-family: Calibri,sans-serif;
                                font-size: 11pt;"><a
                                  moz-do-not-send="true"
                                  href="mailto:dinis.cruz@owasp.org"
                                  target="_parent">Dinis Cruz</a></span><br>
                              <span style="font-family:
                                Calibri,sans-serif; font-size: 11pt;
                                font-weight: bold;">Sent: </span><span
                                style="font-family: Calibri,sans-serif;
                                font-size: 11pt;">28/05/2015 17:17</span><br>
                              <span style="font-family:
                                Calibri,sans-serif; font-size: 11pt;
                                font-weight: bold;">To: </span><span
                                style="font-family: Calibri,sans-serif;
                                font-size: 11pt;"><a
                                  moz-do-not-send="true"
                                  href="mailto:jim.manico@owasp.org"
                                  target="_parent">Jim Manico</a></span><br>
                              <span style="font-family:
                                Calibri,sans-serif; font-size: 11pt;
                                font-weight: bold;">Cc: </span><span
                                style="font-family: Calibri,sans-serif;
                                font-size: 11pt;"><a
                                  moz-do-not-send="true"
                                  href="mailto:owasp-leaders@lists.owasp.org"
                                  target="_parent">owasp-leaders@lists.owasp.org</a></span><br>
                              <span style="font-family:
                                Calibri,sans-serif; font-size: 11pt;
                                font-weight: bold;">Subject: </span><span
                                style="font-family: Calibri,sans-serif;
                                font-size: 11pt;">Re: [Owasp-leaders]
                                ZAP as a Service</span><br>
                              <br>
                            </div>
                            <div dir="ltr">Yeah, Angular is great (we're
                              using that too); it's a bit weird what is
                              going on with Angular 2.0, which opens up
                              the game to other frameworks like React.js
                              <div><br>
                              </div>
                              <div>And from a security point of view, as
                                Jim mentioned Angular has a really good
                                security story</div>
                              <div><br>
                              </div>
                              <div>Dinis</div>
                            </div>
                            <div class="gmail_extra"><br>
                              <div class="gmail_quote">On 28 May 2015 at
                                16:27, Jim Manico <span dir="ltr"><<a
                                    moz-do-not-send="true"
                                    href="mailto:jim.manico@owasp.org"
                                    target="_parent">jim.manico@owasp.org</a>></span>
                                wrote:<br>
                                <blockquote class="gmail_quote"
                                  style="margin: 0px 0px 0px 0.8ex;
                                  padding-left: 1ex; border-left-color:
                                  rgb(204, 204, 204); border-left-width:
                                  1px; border-left-style: solid;">
                                  <div> I personally recommend Angular
                                    templates. This is quickly becoming
                                    the de facto standard for XSS-resistant
                                    templating. It's one of the only
                                    popular context-aware auto-escaping
                                    templates, it has a built-in HTML
                                    sanitizer, and it offers an integrated
                                    CSP module.<br>
                                    <br>
                                    If you have a greenfield project
                                    choice - go Angular. Just make sure
                                    your developers are using the HTML
                                    sanitizer any time they disable
                                    escaping for a certain field.<br>
                                    <br>
                                    Aloha,<br>
                                    Jim
                                    <div>
                                      <div><br>
                                        <br>
                                        <br>
                                        <br>
                                        <br>
                                        <div>On 5/28/15 4:38 PM, Dinis
                                          Cruz wrote:<br>
                                        </div>
                                        <blockquote style="margin-top:
                                          0px; margin-bottom: 0px;">
                                          <div dir="ltr">Let me (or
                                            Michael Hidalgo from OWASP
                                            in Costa Rica) know if you
                                            want a NodeJS front-end that
                                            runs with Jade templates
                                            (with no or minimal
                                            JavaScript).
                                            <div><br>
                                            </div>
                                            <div>That is what we spend
                                              our days coding in :)</div>
                                            <div><br>
                                            </div>
                                            <div>Dinis</div>
                                          </div>
                                          <div class="gmail_extra"><br>
                                            <div class="gmail_quote">On
                                              28 May 2015 at 13:40,
                                              psiinon <span dir="ltr"><<a
                                                  moz-do-not-send="true"
href="mailto:psiinon@gmail.com" target="_parent">psiinon@gmail.com</a>></span>
                                              wrote:<br>
                                              <blockquote
                                                class="gmail_quote"
                                                style="margin: 0px 0px
                                                0px 0.8ex; padding-left:
                                                1ex; border-left-color:
                                                rgb(204, 204, 204);
                                                border-left-width: 1px;
                                                border-left-style:
                                                solid;">
                                                <div dir="ltr">
                                                  <div>
                                                    <div>
                                                      <div>
                                                        <div>We certainly don't want to hand-craft a
                                                          load of JS and cope with all of the
                                                          different browser variations ;)<br>
                                                        </div>
                                                        So yes, I expect
                                                        we'll be using a
                                                        JS framework.<br>
                                                      </div>
                                                      I've started investigating them, but it's
                                                      early days - this is one we'll definitely be
                                                      discussing on the ZAP Developer Group.<br>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                    Cheers,<br>
                                                    <br>
                                                  </div>
                                                  Simon<br>
                                                </div>
                                                <div>
                                                  <div>
                                                    <div
                                                      class="gmail_extra"><br>
                                                      <div
                                                        class="gmail_quote">On

                                                        Thu, May 28,
                                                        2015 at 1:36 PM,
                                                        johanna curiel
                                                        curiel <span
                                                          dir="ltr"><<a
moz-do-not-send="true" href="mailto:johanna.curiel@owasp.org"
                                                          target="_parent">johanna.curiel@owasp.org</a>></span>
                                                        wrote:<br>
                                                        <blockquote
                                                          class="gmail_quote"
                                                          style="margin:
                                                          0px 0px 0px
                                                          0.8ex;
                                                          padding-left:
                                                          1ex;
                                                          border-left-color:
                                                          rgb(204, 204,
                                                          204);
                                                          border-left-width:
                                                          1px;
                                                          border-left-style:
                                                          solid;">
                                                          <div dir="ltr">Hi
                                                          Simon
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>You mentioned you will use HTML5; are you
                                                          planning to use this in combination with any
                                                          JavaScript frameworks, or could the use of
                                                          JSP be implemented?</div>
                                                          <div><br>
                                                          </div>
                                                          <div>regards</div>
                                                          <span><font
                                                          color="#888888">
                                                          <div><br>
                                                          </div>
                                                          <div>Johanna</div>
                                                          </font></span></div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">
                                                          <div>
                                                          <div>On Thu,
                                                          May 28, 2015
                                                          at 7:23 AM,
                                                          psiinon <span
                                                          dir="ltr"><<a
moz-do-not-send="true" href="mailto:psiinon@gmail.com" target="_parent">psiinon@gmail.com</a>></span>
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:
                                                          0px 0px 0px
                                                          0.8ex;
                                                          padding-left:
                                                          1ex;
                                                          border-left-color:
                                                          rgb(204, 204,
                                                          204);
                                                          border-left-width:
                                                          1px;
                                                          border-left-style:
                                                          solid;">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>Leaders,<br>
                                                          </div>
                                                          <div><br>
                                                          Last week at
                                                          Amsterdam I
                                                          announced a
                                                          new direction
                                                          for ZAP - ZAP
                                                          as a Service
                                                          (ZaaS).<br>
                                                          </div>
                                                          I've just
                                                          published a
                                                          blog post
                                                          which gives a
                                                          few more
                                                          details: <a
                                                          moz-do-not-send="true"
href="http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html"
                                                          target="_parent">http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html</a><br>
                                                          <br>
                                                          </div>
                                                          <div>I think
                                                          this is a
                                                          major
                                                          development
                                                          for ZAP, which
                                                          is why I've
                                                          posted to this
                                                          list ;)<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          Cheers,<br>
                                                          <br>
                                                          </div>
                                                          Simon<span><font
color="#888888"><br clear="all">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          -- <br>
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/ZAP" target="_parent">OWASP ZAP</a>
                                                          Project leader<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </font></span></div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <span>_______________________________________________<br>
                                                          OWASP-Leaders
                                                          mailing list<br>
                                                          <a
                                                          moz-do-not-send="true"
href="mailto:OWASP-Leaders@lists.owasp.org" target="_parent">OWASP-Leaders@lists.owasp.org</a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                                          target="_parent">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                                          <br>
                                                          </span></blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                        </blockquote>
                                                      </div>
                                                      <br>
                                                      <br clear="all">
                                                      <br>
                                                      -- <br>
                                                      <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/index.php/ZAP" target="_parent">OWASP ZAP</a>
                                                        Project leader<br>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </div>
                                                <br>
                                              </blockquote>
                                            </div>
                                            <br>
                                          </div>
                                          <br>
                                        </blockquote>
                                        <br>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                              <br>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                    </div>
                  </div>
                  <br>
                </blockquote>
              </div>
              <br>
            </div>
            <br>
          </blockquote>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>