[WEB SECURITY] XSS cheat sheet for developers

Jim Manico jim at manico.net
Wed Feb 27 11:55:15 EST 2013


Jon,

My opinion is that the work Romain is doing on XSS defense (including
their XSS cheat sheet and CSL library) is work that is clearly raising
the bar in terms of a Java based XSS encoder and XSS defense in general.

I would love to work with you to integrate some of this work in the
various OWASP resources and projects.

I'm also very willing to re-write a large portion of the XSS Prevention
Cheat Sheet with you in an effort to make it more vendor neutral. I
think your critique about the current XSS Prevention Cheatsheet at OWASP
is "right on".

Aloha Jon and Romain,
Jim

> Constructive criticism is always appreciated.
>
> * CSL is released under a BSD license and is open source. Feel free to incorporate whatever makes sense for ESAPI.
> * CSL solved an immediate need for Coverity that wasn't solved by existing projects.
>
> I dunno why the Internet rage machine is pointed at CSL today. I think the community is better served if we can move the discussion back to constructive criticisms, quantified results, and actionable feedback instead of snide comments. Alas, it's a free world so carry on as you see fit.
>
> Regards,
>
> Jon
>
> p.s. Happy to move this discussion into meat space too. I think a lot of us are in SF for RSA. Happy to keep it to email too.
>
> On Feb 27, 2013, at 8:13 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:
>
>> At least you admit you're promoting something of your own (i.e. CSL) by
>> keeping it separate instead of helping OWASP T10 promote their agenda
>> (ex: ESAPI).
>>
>> Nice research.
>>
>> Sincerely,
>> Eric Sheridan
>> (twitter) @eric_sheridan
>> (blog) http://ericsheridan.blogspot.com
>>
>> On 2/27/13 10:45 AM, romain wrote:
>>> Argh, sorry about the blog and IE10. Not the first time I hear that...
>>>
>>> Concerning the CSS string escaper we did some testing, but not on super
>>> old browsers actually. However, we looked at how CSS parsers are
>>> recovering from errors, and what characters need to be escaped. That's
>>> mostly why our CSS string escaper will escape newline chars and more.
>>> Still, we have some more work to do; CSS parsers are a real pain.
>>>
>>> Contributing to OWASP XSS prevention cheat sheet is something we talked
>>> about. However, the OWASP document is first of all promoting ESAPI when
>>> we are sorta promoting our lib. We are also talking about HTML contexts
>>> at a more fine grain level and it's difficult to put this in OWASP
>>> framework.
>>> The OWASP cheat sheet format also doesn't play well with what we wanted
>>> to do. They are driven by a few rules for preventing XSS; we're more about
>>> code examples.
>>>
>>> Romain
>>> - @rgaucher
>>>
>>>
>>> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no
>>> <mailto:erlend at oftedal.no>> wrote:
>>>
>>>    Hard to tell really as your website blocks IE10 thinking it's IE6
>>>    (not optimizing for old browsers is ok, but blocking is an
>>>    antipattern - especially when it's wrong).
>>>
>>>    Joke aside, the document itself seems decent. It's easy to get an
>>>    overview of the contexts. Did you test your CSS escaping in older
>>>    browsers? I seem to remember there were some problems, and that
>>>    escaping itself was not enough.
>>>
>>>    Also, why build your own cheat sheet instead of contributing to the
>>>    established free and open OWASP XSS Prevention Cheat Sheet?
>>>
>>>    Best regards,
>>>    Erlend Oftedal
>>>
>>>
>>>    On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com
>>>    <mailto:r at fuckthespam.com>> wrote:
>>>
>>>        Everybody,
>>>        We release an XSS cheat sheet for developers today. The document
>>>        talks about several contexts (13 combinations right now, but
>>>        we'll be improving it).
>>>        Some more info is available on the Coverity blog:
>>>          https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>>>
>>>        Our goal is to keep improving this cheat sheet while adding
>>>        escapers and sanitizers to our library:
>>>          https://github.com/coverity/coverity-security-library
>>>
>>>        Cheers,
>>>        Romain
>>>
>>>
>>>        _______________________________________________
>>>        The Web Security Mailing List
>>>
>>>        WebSecurity RSS Feed
>>>        http://www.webappsec.org/rss/websecurity.rss
>>>
>>>        Join WASC on LinkedIn
>>>        http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>
>>>        WASC on Twitter
>>>        http://twitter.com/wascupdates
>>>
>>>        websecurity at lists.webappsec.org
>>>        <mailto:websecurity at lists.webappsec.org>
>>>        http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>
>>>
>>>
>>>
>>>
