From: Christopher T. <ch...@ch...> - 2002-04-03 04:18:28

Steve,

Well, I guess that would be a reasonable question for debate. Are we trying to help people write more secure web applications, or are we trying to help make web applications more secure? There is a subtle difference that gets back to the difference between declarative vs. programmatic security. From one perspective, it doesn't matter which approach you take, so long as the result is a more secure web application. And as mentioned in my previous post, there are advantages and disadvantages to each approach.

For the purposes of the Input Filters API project, it seems obvious that implementing an API for each language will be the easiest and quickest way to produce something useful to the community, so long as we can agree on an interface that will be common across all the languages (or at least as common as the syntaxes of the languages will allow). For example, once we've decided that the methods

    public String removeParentheses(String input)
    public String removeSemicolons(String input)
    public String sanitizeInput(String input, Regex exclusionPattern)

(to put up a few hypothetical examples in Java syntax) are methods we need in the API, then it is up to the individual language implementors to figure out how to implement them. That can be done pretty quickly.

Implementing web server plugins obviously is a much more complicated task. However, I would point out that the beautiful thing about a webserver plugin is that it intercepts HTTP requests before the webapp engine sees them, and the webapp engine is none the wiser - it just knows that it has received an HTTP request, along with headers and maybe GET or POST data, that it needs to process. If those headers or that GET or POST data has already been sanitized by a webserver plugin, what does the webapp engine care? Unless, of course, the sanitizing process completely mangles the user input... :-) (Potential gotcha there - need to figure out how to handle that.)

I would point out that for servlet containers that are compliant with the Servlet 2.3 spec, the new javax.servlet.Filter interface is a perfect mechanism for implementing a servlet container-independent "plugin" that can be used declaratively. In the 2.3 spec, a Filter is configured to intercept HTTP requests destined for servlets, JSPs, or even static HTML content, and can take any of a number of actions, including modifying the original request, redirecting the request to a different destination, etc. When the filter is done with its work, it passes the ServletRequest and ServletResponse objects on to the next Filter in the filter chain (more than one Filter can protect a given resource, and a given Filter can protect several resources), or if it is the last Filter in the chain, it passes them on to the target servlet or JSP.

Sorry for the ramble, but I'm a servlet geek, and I've been thinking about how to use the new Filter interface to provide authentication checks for a webapp I'm currently building. :-)

So to summarize, basically I agree with you, but in the long term, I think we should at least consider the potential usefulness of creating web server plugins.

Regards,
Chris

-----Original Message-----
From: Steven J. Sobol [mailto:sj...@Ju...]
Sent: Tuesday, April 02, 2002 9:48 PM
To: Christopher Todd
Cc: owa...@li...
Subject: RE: [Owasp-input-api-developers] Status?

On Tue, 2 Apr 2002, Christopher Todd wrote:
> Has there been any discussion of writing an Apache module (for the webserver
> plugin approach)? That would cover a lot of web app engine ground,
> including PHP, PERL, ChiliASP, and even Java (with JServ/Tomcat apache
> plugins).

I'm not sure how we'd manage that. With a $LANGUAGE plugin or module you can use $LANGUAGE-specific functions to manipulate data. With an Apache API/NSAPI/ISAPI server module you'd have to do everything before the scripting engine - whether it be PHP, JSP, ASP or anything else - would have a chance to touch the data, and it would allow MUCH less flexibility.

My vision for this project is that we want to empower people to write more secure web applications. I don't think a server module is the best way to do that. I know it'll be more work, but my opinion is that the best thing to do is to create modules for the most popular scripting platforms.

Just my $0.02...

--
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
Need a programmer? Resume going up at http://sourceforge.net/users/webdude216
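A minimal Servlet 2.3 Filter of the kind Chris describes above, wrapping the request so that the target servlet's own getParameter() calls return sanitized values and the next Filter or resource in the chain is none the wiser. This is an added illustration, not code from the OWASP Input Filters API project or from any poster; the class names, the "exclusionPattern" init-param and its default allow-list pattern are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Servlet 2.3 Filter: sanitizes request parameters before the target servlet or JSP sees them. */
public class InputSanitizingFilter implements Filter {
    private Pattern exclusion;        // characters to strip (the exclusionPattern of the API sketch)
    private ServletContext context;   // used to log when sanitizing changed a value
    public void init(FilterConfig config) throws ServletException {
        // The "exclusionPattern" init-param and its default are assumptions for this example. The default
        // allow-list drops everything except letters, digits, space and a few punctuation marks.
        String p = config.getInitParameter("exclusionPattern");
        exclusion = Pattern.compile(p != null ? p : "[^A-Za-z0-9 @._-]");
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizedRequest((HttpServletRequest) req, exclusion, context);
        }
        chain.doFilter(req, res);   // next Filter in the chain, or the target resource if this is the last
    }

    public void destroy() {}

    // Same shape as the sanitizeInput(input, exclusionPattern) method of the API sketch in the thread.
    static String sanitizeInput(String input, Pattern exclusionPattern) {
        return input == null ? null : exclusionPattern.matcher(input).replaceAll("");
    }

    // Wrapper so the servlet's own getParameter() calls transparently return sanitized values.
    static class SanitizedRequest extends HttpServletRequestWrapper {
        private final Pattern exclusion;
        private final ServletContext context;
        SanitizedRequest(HttpServletRequest r, Pattern exclusion, ServletContext context) {
            super(r); this.exclusion = exclusion; this.context = context;
        }
        public String getParameter(String name) {
            String raw = super.getParameter(name);
            String clean = sanitizeInput(raw, exclusion);
            // The "mangled input" gotcha from the thread: log that a value was altered so the
            // application owner can see what is being stripped instead of silently losing data.
            if (raw != null && !raw.equals(clean)) {
                context.log("InputSanitizingFilter altered parameter '" + name + "'");
            }
            return clean;
        }
    }
}
```

Declare it in web.xml with a <filter> element (optionally carrying the exclusionPattern init-param) and a <filter-mapping> whose url-pattern covers the resources to protect; the container runs mapped Filters in the order their mappings appear.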
From: Steven J. S. <sj...@Ju...> - 2002-04-03 02:48:05

On Tue, 2 Apr 2002, Christopher Todd wrote:
> Has there been any discussion of writing an Apache module (for the webserver
> plugin approach)? That would cover a lot of web app engine ground,
> including PHP, PERL, ChiliASP, and even Java (with JServ/Tomcat apache
> plugins).

I'm not sure how we'd manage that. With a $LANGUAGE plugin or module you can use $LANGUAGE-specific functions to manipulate data. With an Apache API/NSAPI/ISAPI server module you'd have to do everything before the scripting engine - whether it be PHP, JSP, ASP or anything else - would have a chance to touch the data, and it would allow MUCH less flexibility.

My vision for this project is that we want to empower people to write more secure web applications. I don't think a server module is the best way to do that. I know it'll be more work, but my opinion is that the best thing to do is to create modules for the most popular scripting platforms.

Just my $0.02...

--
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
Need a programmer? Resume going up at http://sourceforge.net/users/webdude216
From: Christopher T. <ch...@ch...> - 2002-04-02 23:19:41

Has there been any discussion of writing an Apache module (for the webserver plugin approach)? That would cover a lot of web app engine ground, including PHP, PERL, ChiliASP, and even Java (with JServ/Tomcat apache plugins).

Regards,
Chris

-----Original Message-----
From: owa...@li... [mailto:owa...@li...]On Behalf Of Steven J. Sobol
Sent: Tuesday, April 02, 2002 12:01 PM
To: Nik Cubrilovic
Cc: owa...@li...
Subject: Re: [Owasp-input-api-developers] Status?

On Wed, 3 Apr 2002, Nik Cubrilovic wrote:
>
> ditto.
>
> anybody else here looking at PHP/ASP specific implementations of this
> project?

PHP is the reason I signed on. I can also do ASP. But ASP programming is just something that pays the bills for me. PHP programming is my passion. :) (And it pays some of the bills too.)

I was also considering doing server-side extensions. That'd mean a Zend/PHP module for PHP4, and probably an ActiveX control for ASP (at least on Wintendo; I imagine ChiliASP on Linux and Solaris have no way to use ActiveX.)

--
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
Need a programmer? Resume going up at http://sourceforge.net/users/webdude216

_______________________________________________
Owasp-input-api-developers mailing list
Owa...@li...
https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers
From: Nik C. <ni...@ni...> - 2002-04-02 17:25:28

yes, I was thinking a module as an addition to Zend/PHP:

http://www.php.net/manual/en/zend.php

and an ISAPI object on Windows for IIS with the same functionality:

http://www.15seconds.com/issue/010104.htm

so once there is an outline, we can then go ahead and code ASP/PHP "ports" (both would have to be written in C). Perhaps there are other options for IIS other than an ISAPI filter (ActiveX control written in VB then registered on the server).

-Nik

On Tue, 2 Apr 2002, Steven J. Sobol wrote:
>
> PHP is the reason I signed on. I can also do ASP. But ASP programming
> is just something that pays the bills for me. PHP programming is my
> passion. :) (And it pays some of the bills too.)
>
> I was also considering doing server-side extensions. That'd mean
> a Zend/PHP module for PHP4, and probably an ActiveX control for ASP (at
> least on Wintendo; I imagine ChiliASP on Linux and Solaris have no way
> to use ActiveX.)
>
> --
> Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
> JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
> Need a programmer? Resume going up at http://sourceforge.net/users/webdude216
>
>
From: Steven J. S. <sj...@Ju...> - 2002-04-02 17:01:15

On Wed, 3 Apr 2002, Nik Cubrilovic wrote:
>
> ditto.
>
> anybody else here looking at PHP/ASP specific implementations of this
> project?

PHP is the reason I signed on. I can also do ASP. But ASP programming is just something that pays the bills for me. PHP programming is my passion. :) (And it pays some of the bills too.)

I was also considering doing server-side extensions. That'd mean a Zend/PHP module for PHP4, and probably an ActiveX control for ASP (at least on Wintendo; I imagine ChiliASP on Linux and Solaris have no way to use ActiveX.)

--
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
Need a programmer? Resume going up at http://sourceforge.net/users/webdude216
From: <Chr...@ey...> - 2002-04-02 16:03:54

Nathan,

No problem. Have there been off-line discussions? I noticed some files have been put into CVS, but they're all zero length, and I wasn't sure what that meant. Basically, I have some ideas I'd like to share with the group, but I wanted to know to what extent anything had been "decided" already.

Sincerest Regards,
Chris Todd
Ernst & Young LLP
Security and Technology Solutions (STS)
chr...@ey...

vertigo <ve...@pa...>
Sent by: owa...@li...
04/02/2002 08:43 AM
To: Christopher Todd <ch...@ch...>
cc: owa...@li...
Subject: Re: [Owasp-input-api-developers] Status?

You're our first post. I apologize for the delay. Not all of the developers have subscribed yet so there hasn't been much traffic.

Nathan

On Thu, 28 Mar 2002, Christopher Todd wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello everyone,
>
> Just wanted to find out about the current status of the input filters
> project. I'm interested in contributing, though I need to confirm
> with my employer first that they don't have a problem with that
> (confidentiality agreement stuff).
>
> Regards,
> Chris
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPKPS1g1yj8e2/NpyEQILsACeJ4M6WImSS4RYSdB0QP6G0o4PgZUAoLpX
> dDRqI9MDjeg88Q1JbTIaeJfa
> =VTvS
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Owasp-input-api-developers mailing list
> Owa...@li...
> https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers
>

_______________________________________________
Owasp-input-api-developers mailing list
Owa...@li...
https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers

The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

Ernst & Young LLP
From: Nik C. <ni...@ni...> - 2002-04-02 15:44:15

ditto.

anybody else here looking at PHP/ASP specific implementations of this project? Most of the discussion up until now has been Perl and Java specific.

It would also be nice to have generic filters on user posted data so that existing sites do not need to code anything to have the filters working (perhaps prepending an include.php in the apache setup that will look at all passed variables for each script on the site).

-Nik

On Tue, 2 Apr 2002, Steve Sobol wrote:
> At 08:43 AM 4/2/02 -0500, you wrote:
> >You're our first post. I apologize for the delay. Not all of the
> >developers have subscribed yet so there hasn't been much traffic.
>
> Ping.
>
> I'm here.
>
>
> --
> Steve Sobol, Proud Native of the Great Frozen City of Cleveland, Ohio
> http://www.Cleveland.OH.US/ http://www.TravelCleveland.com/
> http://www.LakeCountyOhio.org/ (Where the Snow is Cold but our Hearts Aren't!)
> CTO, JustThe.net LLC, Mentor On The Lake, Lake County, OH http://JustThe.net/
>
From: Steve S. <sj...@Ju...> - 2002-04-02 15:18:28

At 08:43 AM 4/2/02 -0500, you wrote:
>You're our first post. I apologize for the delay. Not all of the
>developers have subscribed yet so there hasn't been much traffic.

Ping.

I'm here.

--
Steve Sobol, Proud Native of the Great Frozen City of Cleveland, Ohio
http://www.Cleveland.OH.US/ http://www.TravelCleveland.com/
http://www.LakeCountyOhio.org/ (Where the Snow is Cold but our Hearts Aren't!)
CTO, JustThe.net LLC, Mentor On The Lake, Lake County, OH http://JustThe.net/
From: vertigo <ve...@pa...> - 2002-04-02 13:43:54

You're our first post. I apologize for the delay. Not all of the developers have subscribed yet so there hasn't been much traffic.

Nathan

On Thu, 28 Mar 2002, Christopher Todd wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello everyone,
>
> Just wanted to find out about the current status of the input filters
> project. I'm interested in contributing, though I need to confirm
> with my employer first that they don't have a problem with that
> (confidentiality agreement stuff).
>
> Regards,
> Chris
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPKPS1g1yj8e2/NpyEQILsACeJ4M6WImSS4RYSdB0QP6G0o4PgZUAoLpX
> dDRqI9MDjeg88Q1JbTIaeJfa
> =VTvS
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> Owasp-input-api-developers mailing list
> Owa...@li...
> https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers
>
From: Christopher T. <ch...@ch...> - 2002-03-29 02:40:20

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everyone,

Just wanted to find out about the current status of the input filters project. I'm interested in contributing, though I need to confirm with my employer first that they don't have a problem with that (confidentiality agreement stuff).

Regards,
Chris

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPKPS1g1yj8e2/NpyEQILsACeJ4M6WImSS4RYSdB0QP6G0o4PgZUAoLpX
dDRqI9MDjeg88Q1JbTIaeJfa
=VTvS
-----END PGP SIGNATURE-----