Menu
▾
▴
owasp-input-api-developers
|
From: Alex R. <al...@se...> - 2002-06-18 20:20:00
|
outline follows sig. -- Alex Russell al...@Se... al...@ne... -- INTRODUCTION: ------------------------------------------------------------------------------ On June 17th, the development team from the Open Web Appliation Security Project (OWASP) filters project met to discuss the goals of the project and to lay out general design principles that will be followed in the course of their development effort. What follows is a summary of the primary points of agreement that resulted from this meeting. Those who attended the meeting were: Nathan Groupp, ve...@pa... Gabriel Lawrence, ga...@bu... Alex Russell, al...@Se..., al...@ne... Matt Wirges, wi...@ce... Nik Cubrilovic, ni...@ni... PROJECT GOALS: ------------------------------------------------------------------------------ The chief goal of the OWASP filters project will be to develop a set of "drop in" functions/objects/methods that provide web application developers with a powerful and effective way of managing inputs to their applications. These filters will be designed in such a way as to minimize the ammount of syntax needed to filter content for a range of possible malicious inputs. PROBLEM STATEMENT: ------------------------------------------------------------------------------ The current state of web application security (in the large) is a pathetic mess, in some cases even moreso than that of traditional applications. Few web application developers are familiar with even basic security design principles and even fewer understand the options available to them with regards to securing their applications. While structural solutions to the large security problems facing web applications are strongly preferred, we reckognize the need for tools that will allow developers harden their applications with a minimum of effort and security-domain knowledge. Through use of our tools, developers should become educated about the issues involved with input validation to their applications, and it is our hope that they will also make use of the other tools and document that OWASP produces in their efforts to improve security. Yet we are also realistic. We understand that the path of least resistance is that which lazy developers will follow, and security tools must be presented in a way that decrease resistance to their adoptance. The OWASP Filters Team accepts this challenge and is comitted to providing simple yet powerful tools for developers that enhance security. DESIGN GOALS: ------------------------------------------------------------------------------ Filters MUST be developed in many languages to allow end developers to use a similar framework for filtering input regardless of their development environment. Language specific idioms for sanity checking MAY be supported where they make sense, but never at the expense of simplicity. The default policy for filter rules MUST be "reject all not explicitly allowed", forcing developers to consider what they want to allow instead of attempting to cover all corner cases for input that may be malicious. Filtering will be addressed in 3 discrete steps: 1.) canonicalization 2.) threat specific filtering 3.) output specific filtering Note that each of these steps SHOULD be addressed both on inforamtion inbound to the system from external sources and for information originating from internal sources destined for output to end users. 1.) Canonicalization Canonicalization is the process of putting data into a common format. This step is critical to the effectiveness of input filtering, as it guards against entire classes of attacks that make use of charachter set conversion to bypass attempts at intput filtering. While multiple charachter sets SHOULD be supported, a sane default SHOULD be assumed (UTF-8 restricted?). 2.) Threat Specific Filtering A default "reject" rule MUST be in place for input passed to OWASP filters, however users MAY be given the ability to specifically allow types of input that my in some contexts be harmful. Examples of these types of input may be HTML, JavaScript, SQL, etc... There are instances where a developer may wish to allow punctuation that may have syntactic significance, and so an interface MAY be exposed to allow developers to explicitly define such syntax exceptions. Language specific filtering capability SHOULD be available to deal with threats such as interpreted command insertion. Where possible the OWASP filters team will discourage use of eval() type functions on the part of developers, yet should realize that the job of a filter can only cover so much ground. Protecting developers from misuse of system and language features is better dealt with via a source code scanner. 3.) Output Specific Filtering Output formats MAY have special formatting considerations, and the filters API MAY choose to provide simple methods for converting to "storage safe" escaped versions of content (and back again). CONCLUSION: ------------------------------------------------------------------------------ This is only a draft of this document and MAY be subject to change as the reqiurements of the project become more clearly defined and iterative development and developer feedback more tightly define the scope of the problem. |
|
From: vertigo <ve...@pa...> - 2002-06-18 20:54:51
|
I disagree completely with the "drop in functions" descriptions. Nathan On Tue, 18 Jun 2002, Alex Russell wrote: > outline follows sig. > -- > Alex Russell > al...@Se... > al...@ne... > > -- > INTRODUCTION: > ------------------------------------------------------------------------------ > > On June 17th, the development team from the Open Web Appliation Security > Project (OWASP) filters project met to discuss the goals of the project and > to > lay out general design principles that will be followed in the course of > their > development effort. What follows is a summary of the primary points of > agreement that resulted from this meeting. > > Those who attended the meeting were: > Nathan Groupp, ve...@pa... > Gabriel Lawrence, ga...@bu... > Alex Russell, al...@Se..., al...@ne... > Matt Wirges, wi...@ce... > Nik Cubrilovic, ni...@ni... > > PROJECT GOALS: > ------------------------------------------------------------------------------ > > The chief goal of the OWASP filters project will be to develop a set of > "drop > in" functions/objects/methods that provide web application developers with a > powerful and effective way of managing inputs to their applications. These > filters will be designed in such a way as to minimize the ammount of syntax > needed to filter content for a range of possible malicious inputs. > > PROBLEM STATEMENT: > ------------------------------------------------------------------------------ > > The current state of web application security (in the large) is a pathetic > mess, in some cases even moreso than that of traditional applications. Few > web > application developers are familiar with even basic security design > principles > and even fewer understand the options available to them with regards to > securing their applications. While structural solutions to the large > security > problems facing web applications are strongly preferred, we reckognize the > need for tools that will allow developers harden their applications with a > minimum of effort and security-domain knowledge. > > Through use of our tools, developers should become educated about the issues > involved with input validation to their applications, and it is our hope > that > they will also make use of the other tools and document that OWASP produces > in > their efforts to improve security. Yet we are also realistic. We understand > that the path of least resistance is that which lazy developers will follow, > and security tools must be presented in a way that decrease resistance to > their adoptance. The OWASP Filters Team accepts this challenge and is > comitted > to providing simple yet powerful tools for developers that enhance security. > > DESIGN GOALS: > ------------------------------------------------------------------------------ > > Filters MUST be developed in many languages to allow end developers to use a > similar framework for filtering input regardless of their development > environment. Language specific idioms for sanity checking MAY be supported > where they make sense, but never at the expense of simplicity. > > The default policy for filter rules MUST be "reject all not explicitly > allowed", forcing developers to consider what they want to allow instead of > attempting to cover all corner cases for input that may be malicious. > > Filtering will be addressed in 3 discrete steps: > > 1.) canonicalization > 2.) threat specific filtering > 3.) output specific filtering > > Note that each of these steps SHOULD be addressed both on inforamtion > inbound > to the system from external sources and for information originating from > internal sources destined for output to end users. > > > 1.) Canonicalization > > Canonicalization is the process of putting data into a common format. > This step is critical to the effectiveness of input filtering, as it > guards against entire classes of attacks that make use of charachter > set conversion to bypass attempts at intput filtering. While multiple > charachter sets SHOULD be supported, a sane default SHOULD be assumed > (UTF-8 restricted?). > > 2.) Threat Specific Filtering > > A default "reject" rule MUST be in place for input passed to OWASP > filters, however users MAY be given the ability to specifically > allow types of input that my in some contexts be harmful. Examples of > these types of input may be HTML, JavaScript, SQL, etc... > > There are instances where a developer may wish to allow punctuation > that may have syntactic significance, and so an interface MAY be > exposed to allow developers to explicitly define such syntax > exceptions. > > Language specific filtering capability SHOULD be available to deal > with threats such as interpreted command insertion. Where possible the > OWASP filters team will discourage use of eval() type functions on > the part of developers, yet should realize that the job of a filter > can only cover so much ground. Protecting developers from misuse of > system and language features is better dealt with via a source code > scanner. > > 3.) Output Specific Filtering > > Output formats MAY have special formatting considerations, and the > filters API MAY choose to provide simple methods for converting to > "storage safe" escaped versions of content (and back again). > > > CONCLUSION: > ------------------------------------------------------------------------------ > > This is only a draft of this document and MAY be subject to change as the > reqiurements of the project become more clearly defined and iterative > development and developer feedback more tightly define the scope of the > problem. > > ---------------------------------------------------------------------------- > Bringing you mounds of caffeinated joy > >>> http://thinkgeek.com/sf <<< > > _______________________________________________ > Owasp-input-api-developers mailing list > Owa...@li... > https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers > |
|
From: vertigo <ve...@pa...> - 2002-06-18 21:10:27
|
I think this should be rewritten. I find the language harsh, stereotyping, and needs to be run through a spell-checker. (BTW, neither "moreso," nor "reckognize" are words in the English language.) I think the part about educating the user is flat-out incorrect. Education is beyond the scope of this project. The OWASP project as a whole is trying to do that, not this API. Data-type validation is not even mentioned. This is, overall, an inaccurate description of the project. Nathan On Tue, 18 Jun 2002, Alex Russell wrote: > outline follows sig. > -- > Alex Russell > al...@Se... > al...@ne... > > -- > INTRODUCTION: > ------------------------------------------------------------------------------ > > On June 17th, the development team from the Open Web Appliation Security > Project (OWASP) filters project met to discuss the goals of the project and > to > lay out general design principles that will be followed in the course of > their > development effort. What follows is a summary of the primary points of > agreement that resulted from this meeting. > > Those who attended the meeting were: > Nathan Groupp, ve...@pa... > Gabriel Lawrence, ga...@bu... > Alex Russell, al...@Se..., al...@ne... > Matt Wirges, wi...@ce... > Nik Cubrilovic, ni...@ni... > > PROJECT GOALS: > ------------------------------------------------------------------------------ > > The chief goal of the OWASP filters project will be to develop a set of > "drop > in" functions/objects/methods that provide web application developers with a > powerful and effective way of managing inputs to their applications. These > filters will be designed in such a way as to minimize the ammount of syntax > needed to filter content for a range of possible malicious inputs. > > PROBLEM STATEMENT: > ------------------------------------------------------------------------------ > > The current state of web application security (in the large) is a pathetic > mess, in some cases even moreso than that of traditional applications. Few > web > application developers are familiar with even basic security design > principles > and even fewer understand the options available to them with regards to > securing their applications. While structural solutions to the large > security > problems facing web applications are strongly preferred, we reckognize the > need for tools that will allow developers harden their applications with a > minimum of effort and security-domain knowledge. > > Through use of our tools, developers should become educated about the issues > involved with input validation to their applications, and it is our hope > that > they will also make use of the other tools and document that OWASP produces > in > their efforts to improve security. Yet we are also realistic. We understand > that the path of least resistance is that which lazy developers will follow, > and security tools must be presented in a way that decrease resistance to > their adoptance. The OWASP Filters Team accepts this challenge and is > comitted > to providing simple yet powerful tools for developers that enhance security. > > DESIGN GOALS: > ------------------------------------------------------------------------------ > > Filters MUST be developed in many languages to allow end developers to use a > similar framework for filtering input regardless of their development > environment. Language specific idioms for sanity checking MAY be supported > where they make sense, but never at the expense of simplicity. > > The default policy for filter rules MUST be "reject all not explicitly > allowed", forcing developers to consider what they want to allow instead of > attempting to cover all corner cases for input that may be malicious. > > Filtering will be addressed in 3 discrete steps: > > 1.) canonicalization > 2.) threat specific filtering > 3.) output specific filtering > > Note that each of these steps SHOULD be addressed both on inforamtion > inbound > to the system from external sources and for information originating from > internal sources destined for output to end users. > > > 1.) Canonicalization > > Canonicalization is the process of putting data into a common format. > This step is critical to the effectiveness of input filtering, as it > guards against entire classes of attacks that make use of charachter > set conversion to bypass attempts at intput filtering. While multiple > charachter sets SHOULD be supported, a sane default SHOULD be assumed > (UTF-8 restricted?). > > 2.) Threat Specific Filtering > > A default "reject" rule MUST be in place for input passed to OWASP > filters, however users MAY be given the ability to specifically > allow types of input that my in some contexts be harmful. Examples of > these types of input may be HTML, JavaScript, SQL, etc... > > There are instances where a developer may wish to allow punctuation > that may have syntactic significance, and so an interface MAY be > exposed to allow developers to explicitly define such syntax > exceptions. > > Language specific filtering capability SHOULD be available to deal > with threats such as interpreted command insertion. Where possible the > OWASP filters team will discourage use of eval() type functions on > the part of developers, yet should realize that the job of a filter > can only cover so much ground. Protecting developers from misuse of > system and language features is better dealt with via a source code > scanner. > > 3.) Output Specific Filtering > > Output formats MAY have special formatting considerations, and the > filters API MAY choose to provide simple methods for converting to > "storage safe" escaped versions of content (and back again). > > > CONCLUSION: > ------------------------------------------------------------------------------ > > This is only a draft of this document and MAY be subject to change as the > reqiurements of the project become more clearly defined and iterative > development and developer feedback more tightly define the scope of the > problem. > > ---------------------------------------------------------------------------- > Bringing you mounds of caffeinated joy > >>> http://thinkgeek.com/sf <<< > > _______________________________________________ > Owasp-input-api-developers mailing list > Owa...@li... > https://lists.sourceforge.net/lists/listinfo/owasp-input-api-developers > |
|
From: Alex R. <al...@se...> - 2002-06-18 21:39:17
|
On Tuesday 18 June 2002 04:10 pm, vertigo wrote: > I think this should be rewritten. I find the language harsh, > stereotyping, and needs to be run through a spell-checker. > (BTW, neither "moreso," nor "reckognize" are words in the English > language.) um, I'm pretty sure the word "draft" appears on there at least once...no, I cant spell (or type, apparently), but I figured we should at least get it out for discussion before picking every nit. I'll send out a spell checked version ASAP. > I think the part about educating the user is flat-out > incorrect. Education is beyond the scope of this project. then we fail our target audience by not providing them with the biggest tool in improving security: an understanding of the problems at hand. > The OWASP project as a whole is trying to do that, not this API. yes, and we should use those tools as part of our effort. No, we can't make the developer read, but we can provide good docs that address the issues up front and provide links etc to help them understand them. Half the value of good security tools is that they inform while they lock things down, and we should aspire to that. Security tools that we don't understand are mostly useless since they'll get missapplied and missunderstood as silver bullets. As a security engineer, I humbly suggest we not go down that road. > Data-type validation is not even mentioned. For good reason, it's not relevant in the macroscopic sense. Note the section about "language specific idioms". data-type validation qualifies as a language specific idiom. We also agreed that casting was the application developers problem (not that we shouldn't educate them about it). > This is, overall, an inaccurate description of the project. Well, that's for the consensus to decide. Feel free to jump in guys. PS, please trim replies. -- Alex Russell al...@Se... al...@ne... |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X