OWASP - User contributions [en]

Source Code Analysis Tools

2013-10-30T16:30:22Z

David Lindsay: Corrected name/link for Coverity's static analysis tool

Source Code Analysis tools are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

==Strengths and Weaknesses of such tools==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.
* Output is good for developers - it highlights the precise source files and line numbers that are affected

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.

* Types of Vulnerabilities it can detect (Out of the OWASP Top Ten?) (plus more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]

==Open Source or Free Tools Of This Type==

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] - Utilizes Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including some security flaws) in Java Programs
* [http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx FxCop] (Microsoft) - FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html RATS] (Fortify) - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
* [https://www.owasp.org/index.php/Category:OWASP_SWAAT_Project OWASP SWAAT Project] - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It can work also for non web application wrote in Ruby programming language
* [http://sourceforge.net/projects/visualcodegrepp/ VCG] - Scans C/C++, Java, C# and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

==Commercial Tools from OWASP Members Of This Type==

These vendors have decided to support OWASP by becoming [[Membership|members]]. OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services.

* [http://www-01.ibm.com/software/rational/products/appscan/source/ IBM Security AppScan Source Edition] (formerly Ounce)
* [http://www.armorize.com/codesecure/ Static Source Code Analysis with CodeSecure™] (Armorize Technologies)
* [http://www.checkmarx.com/technology/static-code-analysis-sca/ Static Code Analysis] (Checkmarx)
* [http://www.coverity.com/products/security-advisor.html Security Advisor] (Coverity)
* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Source Code Analysis] (HP/Fortify)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.veracode.com/ Veracode] (Veracode)

==Other Well Known Commercial Tools Of This Type==

* [http://www.klocwork.com/products/insight.asp Insight] (KlocWork)
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)

==More Info==

* TODO: add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers NIST's list of Source Code Security Analysis Tools]

[[Category:OWASP .NET Project]]

__NOTOC__

Source Code Analysis Tools

2013-10-30T16:28:03Z

David Lindsay: Moving Coverity and Parasoft into the OWASP Members category since they're both listed as OWASP members on the home page.

Source Code Analysis tools are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

==Strengths and Weaknesses of such tools==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.
* Output is good for developers - it highlights the precise source files and line numbers that are affected

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.

* Types of Vulnerabilities it can detect (Out of the OWASP Top Ten?) (plus more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]

==Open Source or Free Tools Of This Type==

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] - Utilizes Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including some security flaws) in Java Programs
* [http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx FxCop] (Microsoft) - FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html RATS] (Fortify) - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
* [https://www.owasp.org/index.php/Category:OWASP_SWAAT_Project OWASP SWAAT Project] - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It can work also for non web application wrote in Ruby programming language
* [http://sourceforge.net/projects/visualcodegrepp/ VCG] - Scans C/C++, Java, C# and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

==Commercial Tools from OWASP Members Of This Type==

These vendors have decided to support OWASP by becoming [[Membership|members]]. OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services.

* [http://www-01.ibm.com/software/rational/products/appscan/source/ IBM Security AppScan Source Edition] (formerly Ounce)
* [http://www.armorize.com/codesecure/ Static Source Code Analysis with CodeSecure™] (Armorize Technologies)
* [http://www.checkmarx.com/technology/static-code-analysis-sca/ Static Code Analysis] (Checkmarx)
* [http://www.coverity.com/products/static-analysis.html Static Analysis] (Coverity)
* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Source Code Analysis] (HP/Fortify)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.veracode.com/ Veracode] (Veracode)

==Other Well Known Commercial Tools Of This Type==

* [http://www.klocwork.com/products/insight.asp Insight] (KlocWork)
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)

==More Info==

* TODO: add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers NIST's list of Source Code Security Analysis Tools]

[[Category:OWASP .NET Project]]

__NOTOC__

OWASP Browser Security ACID Tests Project

2011-03-04T02:34:46Z

David Lindsay:

==== Main ====

== Welcome! ==

Welcome to the Browser Security Acid Tests project. OWASP has adopted this project with the goal to create an in-depth suite of test cases for highlighting security issues in web browsers. By highlighting such issues, we can help browser vendors adopt appropriate security controls and implement new security features in a more consistent manner. We can also help raise public awareness about various security issues while providing objective data on the current status of browser security.

The project is under active development. Please take a look at TBD for ways you can contribute.

==== Purpose ====

Web browsers are *very* complicated pieces of software. The landscape of functionality provided by modern browsers is pocketed with security concerns, both large and small. This project was started in order to help people get a better understanding of what these issues are while also providing browser vendors a forum to compare strategies, vulnerabilities, and new features.

...

==== Approach ====

In order to get a feel for the security landscape of modern browsers, it's essential to be able to create have a wide range of test cases covering both high and low level security issues. In order to keep things as objective (and simple) as possible, we've opted to focus on automation as much as possible. To run these automated tests, a powerful and generic framework is needed that can run in as many browsers as possible. Fortunately, OWASP has adopted the [http://www.owasp.org/index.php/OWASP_Web_Browser_Testing_System_Project Web Browser Testing System Project], a testing harness originally developed and contributed by Isaac Dawson.

...more details...

==== Current Status ====

This project is under active development. We are currently working to establish the scope of the project, adopt a sensible testing framework, and gather support from interested browser vendors.

This roadmap is being developed to help establish project scope, goals, needed contributions, and so forth.

'''Phase 0: Project Setup'''
* Adopt testing framework
** Isaac's WBTS
** Configure/setup/tweak framework for internal (project contributors) use
** If we're adopting Isaac's framework, he/we will need to finish the rewrite

* Establish test case generation/submission process
** figure out how to integrate automated and manual tests
** clarify what a test case is exactly
** crowd-sourcing test cases (potentially, if so, we'll need a submission portal)
** confirm key team members contributors including "tainted" people key reviewers who are vendor neutral
** crowd-source component (?)

* Clarify categories/scope for test cases
** ensure separation between funded test case work and unfunded "edge-case" work (e.g. fuzzing tests which qualify for bounty rewards)

* Establish communication policy between project and browser vendors
** disclosure policy for vulns identified in any given browser

* Establish deliverable output format
** Presumably a website which the public can visit to run all automated tests and view results of manual tests
** Clarify what deliverable items funding browser vendors can expect (if any)

* Secure funding
** Establish website development requirements

'''Phase 1: Project Work for Basic Test Cases'''
* Establish test case areas to cover
** Prioritize these areas

* Develop Test Cases
** have a meetup for primary contributors to hammer out test cases (potentially)

* Develop website for running test cases and viewing results
** may include a submission portal

* Execute test cases
** Disclose failing test cases to appropriate vendors

* Deploy website
** establish hosting location (say in amazon cloud)
** domain name

* Complete/deliver any other deliverables to funding entities

'''Phase 2: Periodic Updates'''
* Develop new test cases

* Rerun all test cases

* Bug Fixes

* Update Website and Test Cases

* Market website

==== Get Involved ====

You can help by...

==== Proposal to Browser Vendors ====

Build test cases...

==== About ====
{{:Projects/OWASP Browser Security ACID Tests Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Browser Security ACID Tests Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]

OWASP Browser Security ACID Tests Project

2011-02-22T03:09:10Z

David Lindsay:

==== Main ====

== Welcome! ==

Welcome to the Browser Security Acid Tests project. OWASP has adopted this project with the goal to create an in-depth suite of test cases for highlighting security issues in web browsers. By highlighting such issues, we can help browser vendors adopt appropriate security controls and implement new security features in a more consistent manner. We can also help raise public awareness about various security issues while providing objective data on the current status of browser security.

The project is under active development. Please take a look at TBD for ways you can contribute.

==== Purpose ====

Web browsers are *very* complicated pieces of software. The landscape of functionality provided by modern browsers is pocketed with security concerns, both large and small. This project was started in order to help people get a better understanding of what these issues are while also providing browser vendors a forum to compare strategies, vulnerabilities, and new features.

...

==== Approach ====

In order to get a feel for the security landscape of modern browsers, it's essential to be able to create have a wide range of test cases covering both high and low level security issues. In order to keep things as objective (and simple) as possible, we've opted to focus on automation as much as possible. To run these automated tests, a powerful and generic framework is needed that can run in as many browsers as possible. Fortunately, OWASP has adopted the [http://www.owasp.org/index.php/OWASP_Web_Browser_Testing_System_Project Web Browser Testing System Project], a testing harness originally developed and contributed by Isaac Dawson.

...more details...

==== Current Status ====

This project is under active development. We are currently working to establish the scope of the project, adopt a sensible testing framework, and gather support from interested browser vendors.

This roadmap is being developed to help establish project scope, goals, needed contributions, and so forth.

'''Phase 0: Project Setup'''
* Adopt testing framework
** Isaac's WBTS
** Configure/setup/tweak framework for internal (project contributors) use
** If we're adopting Isaac's framework, he/we will need to finish the rewrite

* Establish test case generation/submission process
** figure out how to integrate automated and manual tests
** clarify what a test case is exactly
** crowd-sourcing test cases (potentially, if so, we'll need a submission portal)
** confirm key team members contributors including "tainted" people key reviewers who are vendor neutral
** crowd-source component (?)

* Clarify categories/scope for test cases
** ensure separation between funded test case work and unfunded "edge-case" work (e.g. fuzzing tests which qualify for bounty rewards)

* Establish communication policy between project and browser vendors
** disclosure policy for vulns identified in any given browser

* Establish deliverable output format
** Presumably a website which the public can visit to run all automated tests and view results of manual tests
** Clarify what deliverable items funding browser vendors can expect (if any)
* Secure funding

'''Phase 1: Project Work for Basic Test Cases'''
* Establish test case areas to cover
** Prioritize these areas

* Develop Test Cases
** have a meetup for primary contributors to hammer out test cases (potentially)

* Develop website for running test cases and viewing results
** may include a submission portal

* Execute test cases
** Disclose failing test cases to appropriate vendors

* Deploy website
** establish hosting location (say in amazon cloud)
** domain name

* Complete/deliver any other deliverables to funding entities

'''Phase 2: Periodic Updates'''
* Develop new test cases

* Rerun all test cases

* Bug Fixes

* Update Website and Test Cases

* Market website

==== Get Involved ====

You can help by...

==== Proposal to Browser Vendors ====

Build test cases...

==== About ====
{{:Projects/OWASP Browser Security ACID Tests Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Browser Security ACID Tests Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]

OWASP Browser Security ACID Tests Project

2011-02-22T02:45:53Z

David Lindsay:

==== Main ====

== Browser Security Acid Tests ==

Welcome to the Browser Security Acid Tests. OWASP has adopted this project with the goal to create an in-depth suite of test cases for identifying security issues in web browsers. By highlighting such issues, we can help browser vendors adopt appropriate security controls and implement new security features in a more consistent manner. We can also help raise public awareness about various security issues while providing objective data on the current status of browser security.

The project is under active development. Please take a look at TBD for ways you can contribute.

==== Purpose ====

Web browsers are *very* complicated pieces of software. The landscape of functionality provided by modern browsers is pocketed with security concerns, both large and small. This project was started in order to help people get a better understanding of what these issues are while also providing browser vendors a forum to compare strategies, vulnerabilities, and new features.

...

==== Approach ====

In order to get a feel for the security landscape of modern browsers, it's essential to be able to create have a wide range of test cases covering both high and low level security issues. In order to keep things as objective (and simple) as possible, we've opted to focus on automation as much as possible. To run these automated tests, a powerful and generic framework is needed that can run in as many browsers as possible. Fortunately, OWASP has adopted the [http://www.owasp.org/index.php/OWASP_Web_Browser_Testing_System_Project Web Browser Testing System Project], a testing harness originally developed and contributed by Isaac Dawson.

...more details...

==== Current Status ====

This project is under active development. We are currently working to establish the scope of the project, adopt a sensible testing framework, and gather support from interested browser vendors.

==== Get Involved ====

You can help by...

==== Proposal to Browser Vendors ====

Build test cases...

==== About ====
{{:Projects/OWASP Browser Security ACID Tests Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Browser Security ACID Tests Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]

OWASP Browser Security ACID Tests Project

2011-02-22T02:44:57Z

David Lindsay:

==== Main ====

== Browser Security Acid Tests ==

Welcome to the Browser Security Acid Tests. OWASP has adopted this project with the goal to create an in-depth suite of test cases for identifying security issues in web browsers. By highlighting such issues, we can help browser vendors adopt appropriate security controls and implement new security features in a more consistent manner. We can also help raise public awareness about various security issues while providing objective data on the current status of browser security.

The project is under active development. Please take a look at TBD for ways you can contribute.

==== Purpose ====

Web browsers are *very* complicated pieces of software. The landscape of functionality provided by modern browsers is pocketed with security concerns, both large and small. This project was started in order to help people get a better understanding of what these issues are while also providing browser vendors a forum to compare strategies, vulnerabilities, and new features.

...

==== Approach ====

In order to get a feel for the security landscape of modern browsers, it's essential to be able to create have a wide range of test cases covering both high and low level security issues. In order to keep things as objective (and simple) as possible, we've opted to focus on automation as much as possible. To run these automated tests, a powerful and generic framework is needed that can run in as many browsers as possible. Fortunately, OWASP has adopted the [http://www.owasp.org/index.php/OWASP_Web_Browser_Testing_System_Project Web Browser Testing System Project], a testing harness originally developed and contributed by Isaac Dawson.

...more details...

==== Current Status ====

This project is under active development. We are currently working to establish the scope of the project, adopt a sensible testing framework, and gather support from interested browser vendors.

==== Get Involved ====

You can help by...

==== Proposal to Browser Vendors ====

Build test cases...

====

==== About ====
{{:Projects/OWASP Browser Security ACID Tests Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Browser Security ACID Tests Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]

OWASP Browser Security ACID Tests Project

2011-02-22T02:30:53Z

David Lindsay:

==== Main ====

== Browser Security Acid Tests ==

Welcome to the Browser Security Acid Tests. OWASP has adopted this project with the goal to create an in-depth suite of test cases for identifying security issues in web browsers. By highlighting such issues, we can help browser vendors adopt appropriate security controls and implement new security features in a more consistent manner. We can also help raise public awareness about various security issues while providing objective data on the current status of browser security.

The project is under active development. Please take a look at TBD for ways you can contribute.

==== Purpose ====

Web browsers are *very* complicated pieces of software. The landscape of functionality provided by modern browsers is pocketed with security concerns, both large and small. This project was started in order to help people get a better understanding of what these issues are while also providing browser vendors a forum to compare strategies, vulnerabilities, and new features.

...

==== Current Status ====

This project is under active development. We are currently working to establish the scope of the project, adopt a sensible testing framework, and gather support from interested browser vendors.

==== Get Involved ====

You can help by...

==== Proposal to Browser Vendors ====

Build test cases...

====

==== About ====
{{:Projects/OWASP Browser Security ACID Tests Project | Project About}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project|Browser Security ACID Tests Project]] [[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]

Summit 2011 Working Sessions/Session043

2011-02-05T22:47:02Z

David Lindsay:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
|-

| summit_session_attendee_name1 = Lucas C. Ferreira
| summit_session_attendee_email1 = lucas.ferreira@owasp.org
| summit_session_attendee_username1 =
| summit_session_attendee_company1=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=

| summit_session_attendee_name2 = Achim Hoffmann
| summit_session_attendee_email2 = achim@owasp.org
| summit_session_attendee_username2 = Achim
| summit_session_attendee_company2= sic[!]sec
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=

| summit_session_attendee_name3 = Justin Clarke
| summit_session_attendee_email3 = justin.clarke@owasp.org
| summit_session_attendee_username3 =
| summit_session_attendee_company3=Gotham Digital Science
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=How can we package, and/or make this easier for noobs to deploy?

| summit_session_attendee_name4 = Giorgio Fedon
| summit_session_attendee_email4 =
| summit_session_attendee_username4 = gfedon
| summit_session_attendee_company4=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=

| summit_session_attendee_name5 = Abraham Kang
| summit_session_attendee_email5 =
| summit_session_attendee_username5 =
| summit_session_attendee_company5=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=

| summit_session_attendee_name6 = Mario Heiderich
| summit_session_attendee_email6 =
| summit_session_attendee_username6 =
| summit_session_attendee_company6= Ruhr University Bochum / NDS
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6= Filter Evasions

| summit_session_attendee_name7 = Gareth Heyes
| summit_session_attendee_email7 =
| summit_session_attendee_username7 =
| summit_session_attendee_company7= Businessinfo
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=

| summit_session_attendee_name8 = Eduardo Vela
| summit_session_attendee_email8 = evn@google.com
| summit_session_attendee_username8 = EduardoVela
| summit_session_attendee_company8= Google
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8= ACS etc..

| summit_session_attendee_name9 = Stefano Di Paola
| summit_session_attendee_email9 =
| summit_session_attendee_username9 = Wisec
| summit_session_attendee_company9= Minded Security
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=

| summit_session_attendee_name10 = David Lindsay
| summit_session_attendee_email10 =
| summit_session_attendee_username10 = David Lindsay
| summit_session_attendee_company10= Cigital Inc
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=Filter Evasions

| summit_session_attendee_name11 =
| summit_session_attendee_email11 =
| summit_session_attendee_username11 =
| summit_session_attendee_company11=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=

| summit_session_attendee_name12 =
| summit_session_attendee_email12 =
| summit_session_attendee_username12 =
| summit_session_attendee_company12=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=

| summit_session_attendee_name13 =
| summit_session_attendee_email13 =
| summit_session_attendee_username13 =
| summit_session_attendee_company13=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=

| summit_session_attendee_name14 =
| summit_session_attendee_email14 =
| summit_session_attendee_username14 =
| summit_session_attendee_company14=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=

| summit_session_attendee_name15 =
| summit_session_attendee_email15 =
| summit_session_attendee_username15 =
| summit_session_attendee_company15=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=

| summit_session_attendee_name16 =
| summit_session_attendee_email16 =
| summit_session_attendee_username16 =
| summit_session_attendee_company16=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=

| summit_session_attendee_name17 =
| summit_session_attendee_email17 =
| summit_session_attendee_username17 =
| summit_session_attendee_company17=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=

| summit_session_attendee_name18 =
| summit_session_attendee_email18 =
| summit_session_attendee_username18 =
| summit_session_attendee_company18=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=

| summit_session_attendee_name19 =
| summit_session_attendee_email19 =
| summit_session_attendee_username19 =
| summit_session_attendee_company19=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=

| summit_session_attendee_name20 =
| summit_session_attendee_email20 =
| summit_session_attendee_username20 =
| summit_session_attendee_company20=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=

|-
| summit_track_logo = [[Image:T._cross_site.jpg]]
| summit_ws_logo = [[Image:WS._cross_site.jpg]]
| summit_session_name = WAF Mitigations for XSS
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session043
| mailing_list =

|-

| short_working_session_description= To discuss if/when/how web application firewalls can help to prevent XSS attacks

|-

| related_project_name1 = Blog post by Ryan Barnett on defending against XSS
| related_project_url_1 = http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-identifying-improper-output-handling-xss-flaws.html

| related_project_name2 = Blog post by Ryan Barnett on using content injection to combat XSS
| related_project_url_2 = http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-xss-defense-via-content-injection.html

| related_project_name3 = ModSecurity Demo
| related_project_url_3 = http://www.modsecurity.org/demo/demo-deny-noescape.html

| related_project_name4 =
| related_project_url_4 =

| related_project_name5 =
| related_project_url_5 =

|-

| summit_session_objective_name1= Improve XSS Attack Payload Detection Techniques

| summit_session_objective_name2 = Identifying Improper Output Handling Flaws in Web Apps

| summit_session_objective_name3 = Feasibility of Profile Page Scripts/Iframes

| summit_session_objective_name4 = Testing Injection of JS Sandbox Code in Responses

| summit_session_objective_name5 =

|-

| working_session_date_and_time =

|-

| discussion_model = participants and attendees

|-

| operational_resources = Projector, whiteboards, markers, Internet connectivity, power

|-

| working_session_additional_details =

|-

|summit_session_deliverable_name1 = White paper describing “Next Generation WAF Capabilities” such as the ones described above. Include areas requiring additional research and funding.

|summit_session_deliverable_name2 =

|summit_session_deliverable_name3 =

|summit_session_deliverable_name4 =

|summit_session_deliverable_name5 =

|summit_session_deliverable_name6 =

|summit_session_deliverable_name7 =

|summit_session_deliverable_name8 =

|-

| summit_session_leader_name1 = Ryan Barnett
| summit_session_leader_email1 = ryan.barnett@owasp.org
| summit_session_leader_username1 = Rcbarnett

| summit_session_leader_name2 =
| summit_session_leader_email2 =
| summit_session_leader_username2 =

| summit_session_leader_name3 =
| summit_session_leader_email3 =
| summit_session_leader_username3 =

|-

| operational_leader_name1 =
| operational_leader_email1 =
| operational_leader_username1 =

|-

| meeting_notes =

|-

| session_name_mask =  Session043
| session_home_page =  Summit_2011_Working_Sessions/Session043
}}

Summit 2011 Working Sessions/Session043

2011-02-05T19:43:25Z

David Lindsay:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
|-

| summit_session_attendee_name1 = Lucas C. Ferreira
| summit_session_attendee_email1 = lucas.ferreira@owasp.org
| summit_session_attendee_username1 =
| summit_session_attendee_company1=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=

| summit_session_attendee_name2 = Achim Hoffmann
| summit_session_attendee_email2 = achim@owasp.org
| summit_session_attendee_username2 = Achim
| summit_session_attendee_company2= sic[!]sec
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=

| summit_session_attendee_name3 = Justin Clarke
| summit_session_attendee_email3 = justin.clarke@owasp.org
| summit_session_attendee_username3 =
| summit_session_attendee_company3=Gotham Digital Science
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=How can we package, and/or make this easier for noobs to deploy?

| summit_session_attendee_name4 = Giorgio Fedon
| summit_session_attendee_email4 =
| summit_session_attendee_username4 = gfedon
| summit_session_attendee_company4=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=

| summit_session_attendee_name5 = Abraham Kang
| summit_session_attendee_email5 =
| summit_session_attendee_username5 =
| summit_session_attendee_company5=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=

| summit_session_attendee_name6 = Mario Heiderich
| summit_session_attendee_email6 =
| summit_session_attendee_username6 =
| summit_session_attendee_company6= Ruhr University Bochum / NDS
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6= Filter Evasions

| summit_session_attendee_name7 = Gareth Heyes
| summit_session_attendee_email7 =
| summit_session_attendee_username7 =
| summit_session_attendee_company7= Businessinfo
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=

| summit_session_attendee_name8 = Eduardo Vela
| summit_session_attendee_email8 = evn@google.com
| summit_session_attendee_username8 = EduardoVela
| summit_session_attendee_company8= Google
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8= ACS etc..

| summit_session_attendee_name9 = Stefano Di Paola
| summit_session_attendee_email9 =
| summit_session_attendee_username9 = Wisec
| summit_session_attendee_company9= Minded Security
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=

| summit_session_attendee_name10 = David Lindsay
| summit_session_attendee_email10 =
| summit_session_attendee_username10 = thornmaker
| summit_session_attendee_company10= Cigital Inc
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=Filter Evasions

| summit_session_attendee_name11 =
| summit_session_attendee_email11 =
| summit_session_attendee_username11 =
| summit_session_attendee_company11=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=

| summit_session_attendee_name12 =
| summit_session_attendee_email12 =
| summit_session_attendee_username12 =
| summit_session_attendee_company12=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=

| summit_session_attendee_name13 =
| summit_session_attendee_email13 =
| summit_session_attendee_username13 =
| summit_session_attendee_company13=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=

| summit_session_attendee_name14 =
| summit_session_attendee_email14 =
| summit_session_attendee_username14 =
| summit_session_attendee_company14=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=

| summit_session_attendee_name15 =
| summit_session_attendee_email15 =
| summit_session_attendee_username15 =
| summit_session_attendee_company15=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=

| summit_session_attendee_name16 =
| summit_session_attendee_email16 =
| summit_session_attendee_username16 =
| summit_session_attendee_company16=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=

| summit_session_attendee_name17 =
| summit_session_attendee_email17 =
| summit_session_attendee_username17 =
| summit_session_attendee_company17=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=

| summit_session_attendee_name18 =
| summit_session_attendee_email18 =
| summit_session_attendee_username18 =
| summit_session_attendee_company18=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=

| summit_session_attendee_name19 =
| summit_session_attendee_email19 =
| summit_session_attendee_username19 =
| summit_session_attendee_company19=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=

| summit_session_attendee_name20 =
| summit_session_attendee_email20 =
| summit_session_attendee_username20 =
| summit_session_attendee_company20=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=

|-
| summit_track_logo = [[Image:T._cross_site.jpg]]
| summit_ws_logo = [[Image:WS._cross_site.jpg]]
| summit_session_name = WAF Mitigations for XSS
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session043
| mailing_list =

|-

| short_working_session_description= To discuss if/when/how web application firewalls can help to prevent XSS attacks

|-

| related_project_name1 = Blog post by Ryan Barnett on defending against XSS
| related_project_url_1 = http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-identifying-improper-output-handling-xss-flaws.html

| related_project_name2 = Blog post by Ryan Barnett on using content injection to combat XSS
| related_project_url_2 = http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-xss-defense-via-content-injection.html

| related_project_name3 = ModSecurity Demo
| related_project_url_3 = http://www.modsecurity.org/demo/demo-deny-noescape.html

| related_project_name4 =
| related_project_url_4 =

| related_project_name5 =
| related_project_url_5 =

|-

| summit_session_objective_name1= Improve XSS Attack Payload Detection Techniques

| summit_session_objective_name2 = Identifying Improper Output Handling Flaws in Web Apps

| summit_session_objective_name3 = Feasibility of Profile Page Scripts/Iframes

| summit_session_objective_name4 = Testing Injection of JS Sandbox Code in Responses

| summit_session_objective_name5 =

|-

| working_session_date_and_time =

|-

| discussion_model = participants and attendees

|-

| operational_resources = Projector, whiteboards, markers, Internet connectivity, power

|-

| working_session_additional_details =

|-

|summit_session_deliverable_name1 = White paper describing “Next Generation WAF Capabilities” such as the ones described above. Include areas requiring additional research and funding.

|summit_session_deliverable_name2 =

|summit_session_deliverable_name3 =

|summit_session_deliverable_name4 =

|summit_session_deliverable_name5 =

|summit_session_deliverable_name6 =

|summit_session_deliverable_name7 =

|summit_session_deliverable_name8 =

|-

| summit_session_leader_name1 = Ryan Barnett
| summit_session_leader_email1 = ryan.barnett@owasp.org
| summit_session_leader_username1 = Rcbarnett

| summit_session_leader_name2 =
| summit_session_leader_email2 =
| summit_session_leader_username2 =

| summit_session_leader_name3 =
| summit_session_leader_email3 =
| summit_session_leader_username3 =

|-

| operational_leader_name1 =
| operational_leader_email1 =
| operational_leader_username1 =

|-

| meeting_notes =

|-

| session_name_mask =  Session043
| session_home_page =  Summit_2011_Working_Sessions/Session043
}}