[Owasp-singapore] [Fwd: Re: [Owasp-leaders] Generating Passwords Hopw]

Wong Onn Chee ocwong at usa.net
Thu Jan 22 02:22:58 EST 2009


FYI, for those who work with Java apps.


-------- Original Message --------
Subject: 	Re: [Owasp-leaders] Generating Passwords Hopw
Date: 	Wed, 21 Jan 2009 21:28:31 -0500
From: 	Jeff Williams <jeff.williams at owasp.org>
Reply-To: 	jeff.williams at owasp.org, owasp-leaders at lists.owasp.org
Organization: 	The OWASP Foundation
To: 	<owasp-leaders at lists.owasp.org>



Hi Stephen,

I'm pretty surprised by your response. The Servlet spec is a framework of
sorts actually. I think figuring out what level(s) to focus on is a good
discussion for the leaders list. The details below we can take to the Java
list if you want to go into more detail there.

Here are the items I've been working on. Let me know if you think these
should be in Servlet or in a framework.

1) Disallow CR and LF in all HTTP headers. This will stop all
response-splitting/tunneling and file download injection attacks.

2) Disallow unlisted http-methods in security-constraints. This prevents the
bypass of authentication and access control by using verbs like HEAD, JEFF,
etc...

3) Provide support for a cross-site request forgery (CSRF) token. Would
require a token for any pages with a security-constraint in web.xml.

4) Enable HttpOnly flag on JSESSIONID. To prevent one bad consequence of
XSS.

5) Add a security note to 7.1.3 URL Rewriting. Originally I wanted this
removed, but they said no way. This method puts ;jsessionid=9823429347 on the
URL.

6) Encoding/escaping support. To make it easy to properly escape data for
the appropriate HTML context.

--Jeff


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Stephen de Vries
Sent: Wednesday, January 21, 2009 10:33 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Generating Passwords Hopw


I think trying to get web security issues addressed in the servlet
spec is aiming at too low a level. You might have better luck with
web frameworks projects instead. Similarly with Ruby, the language
itself is too low level, but getting security features added to the
Rails framework might be more feasible.


On Jan 21, 2009, at 3:58 PM, McGovern, James F (HTSC, IT) wrote:

> Is there merit in doing the same type of activity with the Ruby
> community?
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jeff
> Williams
> Sent: Tuesday, January 20, 2009 11:39 PM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Generating Passwords Hopw
>
> Hi,
>
> I have been working with Sun and the rest of the Servlet team to get
> some better security into the Java Servlet 3.0 specification for the
> last year or so. While it has been interesting and somewhat productive,
> it is *extremely* difficult to get them to acknowledge the idea that
> their APIs need to change for security. I heard every excuse you can
> think of (compatibility, performance, usability, complexity, insanity,
> etc...). Anyway, while I think the goal is good, I'm not optimistic
> about the prospects for just "providing feedback." I'm leaning towards
> the ESAPI approach of providing safe wrappers or replacements for unsafe
> methods.
>
> --Jeff
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


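Items 1 and 2 of Jeff's list, as an added example that is not code from the thread, from the Servlet spec or from ESAPI: a Filter for the javax.servlet API that rejects verbs outside an allow-list (the GET/POST list is an assumption) and wraps the response so that any header name or value carrying CR or LF is refused before it can be written. Class and method names are my own.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: enforces items 1 and 2 of the list above inside the application,
// for containers whose Servlet API does not do it for you.
public class HardeningFilter implements Filter {
    // Assumption: the application needs only these verbs. HEAD, TRACE and invented
    // verbs are refused before any servlet or security-constraint is consulted.
    private static final Set<String> ALLOWED_METHODS =
            new HashSet<String>(Arrays.asList("GET", "POST"));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Item 2: a web.xml security-constraint only covers the http-methods it lists,
        // so an unlisted verb reaches the servlet unauthenticated. Reject it with 405.
        if (!ALLOWED_METHODS.contains(request.getMethod().toUpperCase())) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(request, new CrlfFreeResponse(response));
    }

    // Item 1: a CR or LF inside a header (Location, Content-Disposition, Set-Cookie)
    // ends the header block, which is what response splitting and file download
    // injection rely on. Fail loudly instead of emitting the header.
    static class CrlfFreeResponse extends HttpServletResponseWrapper {
        CrlfFreeResponse(HttpServletResponse r) { super(r); }

        private static String reject(String s) {
            if (s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0)) {
                throw new IllegalArgumentException("CR/LF not allowed in HTTP header");
            }
            return s;
        }

        @Override public void setHeader(String n, String v) { super.setHeader(reject(n), reject(v)); }
        @Override public void addHeader(String n, String v) { super.addHeader(reject(n), reject(v)); }
        @Override public void sendRedirect(String url) throws IOException { super.sendRedirect(reject(url)); }
    }
}
```

Register the filter in web.xml with a url-pattern of /* so it runs ahead of every servlet; headers the container itself writes (such as its own Set-Cookie for JSESSIONID) bypass the wrapper, which is why item 4 still needs container support.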





