Federico Casani entered in ICT world from 2005. He has worked in web application development and security since 2006: before that he has studied about automation and domotics protocols (like KNXnet/IP and EIBsec).

He is a Senior Consultant for [http://www.altran.it Altran Italia] where he works as Software Developer Engineer:

Web Applications, SOA solutions, Web Services, I&AM and Enterprise Communication Layers.

Federico Casani has Magister Degree in Telecommunications Engineering from Parma University.

[http://www.giac.org/star/listings/DEVELOPER/319 SANS GIAC S.T.A.R. Web Application Security]

[http://www.giac.org/star/listings/Audit/521 SANS GIAC S.T.A.R. Payment Card Industry]

[http://hackingthenet.wordpress.com blog]

[mailto:f.casani@owasp.org email]

This is a temporary link for the translation project of the document "OWASP Code review Guide V1.1":

[http://www.owasp.org/images/6/6f/OWASP_Code_Review_Guide-V1_1-ITA.pdf OWASP Code Review Guide V1.1-ITA - draft]

[http://www.owasp.org/images/8/81/OWASP_Code_Review_Guide-V1_1-ITA_draft.doc OWASP Code Review Guide-V1.1-ITA - draft]

Federico.casani:

User:Federico.casani

2009-07-24T21:17:06Z

Federico.casani:

OWASP Java Table of Contents

2009-07-07T20:55:29Z

Federico.casani: /* Authorization */

Key:
* xx%: Progress status of the paragraph
* Review: The paragraph needs a review
* TD: Paragraph to be assigned

==[[J2EE Security for Architects]]==
Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.

Any other security concerns that should be addressed during the design phase should also be mentioned here.
===Design considerations===
* Architectural considerations (0%, TD)
** EJB Middle tier (0%, TD)
** Web Services Middle tier (0%, TD)
** Spring Middle tier (0%, TD)

==[[J2EE Security for Developers]]==
=== Noteworthy Frameworks ===
Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level. For example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.

(0%, Seeking Volunteers)
* Cocoon
* [[Java Server Faces]] (Sam Reghenzi - 90%, Finalising content)
* JSecurity
* SiteMesh
* Spring (0%, Adrian San Juan, TD)
* [[Struts]] (0% Jon Forck)
* Tapestry
* Tiles
* Turbine
* Webwork
* [[Wicket]]

===Java Security Basics===
Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.
* Class Loading (0%, Philippe Clairet)
* Bytecode verifier (0%, Philippe Clairet)
* The Security Manager and security.policy file (0%, John Wilander, Philippe Clairet)

===Input Validation Overview ===
Input validation is perhaps the most important category of application security. Any data entering a software system must be verified to contain safe data that is not mounting a SQL Injection, XSS, CSRF or other form of attack. This is done primarily through the use of regular expressions. It's crucial not to hard-code input validation routines. Regular expressions should contained within a configuration file that can easily updated by an InfoSec professional and not require a programmers intervention or deployment of new application code. Application security needs change over time as new attack vectors are discovered. Application administers need to be able to react to these changes as quickly as possible.

===Input Validation ===
* Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc...) (0%, TD)
* [[How to add validation logic to HttpServletRequest]] (100%, Jeff Williams, Complete)
* [[How to perform HTML entity encoding in Java]] (100%, Jeff Williams, Complete)

==== [[Preventing SQL Injection in Java]] ====
* Overview
* Prevention (60%, Stephen de Vries, Review)
** White Listing
** Prepared Statements
** Stored Procedures
** Hibernate
** Ibatis (60%, Rohyt Belani, Review)
** Spring JDBC
** EJB 3.0
** JDO

==== [[Preventing LDAP Injection in Java]] ====
* Overview (100%, Stephen de Vries, Complete)
* Prevention (100%, Stephen de Vries, Complete)

==== [[XPATH Injection]] ====
As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.
* Overview (0%, TD)
* Prevention (0%, TD)

==== [[Miscellaneous Injection Attacks]] ====
* HTTP Response splitting (0%, TD)
* Command injection - Runtime.getRuntime().exec() (0%, TD)
* Regular Expression (regex) Injections (20%)

''' Status '''
In progress

=== Authentication===
* [[Storing credentials]] - (20%, Adrian San Juan, Review)
* [[Hashing Java|Hashing]] - (100%, Michel Prunet, Review)
* [[SSL Best Practices]] - (20%, Philippe Curmin, Review)
* [[Using JCaptcha]] - (100%, Dave Ferguson, Review)
* Container-managed authentication with Realms
** [[Declarative Access Control in Java]] - (100%, Dave Ferguson, Completed)
* [[JAAS Timed Login Module]] - (100%, Stephen de Vries, Review)
* [[JAAS Tomcat Login Module]] - (100%, Stephen de Vries, Review)
* [[Password length & complexity]] - (100%, Adrian San Juan, Review)

===Session Management ===
The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples.
* Logout (0%, TD)
* Session Timeout (0%, TD)
* Absolute Timeout (0%, TD)
* [[Session Fixation in Java]] (100%, Rohyt Belani, Review)
* Terminating sessions (0%, TD)
** Terminating sessions when the browser window is closed

===Authorization===
* [[Declarative v/s Programmatic]] (10%, TD)
* EJB Authorization (0%, TD)
* Acegi (0%, TD)
* JACC (0%, TD)
* Check horizontal privilege (0%, TD)

=== Encryption===
* [http://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions JCE] (100%, Joe Prasanna Kumar - To be reviewed)
* Storing db secrets (0%, TD)
* Encrypting JDBC connections (0%, TD)
* [http://www.owasp.org/index.php/Using_the_Java_Secure_Socket_Extensions JSSE] (100%, Joe Prasanna Kumar - To be reviewed)
* [http://www.owasp.org/index.php/Digital_Signature_Implementation_in_Java Digital Signatures in Java] (100%, Joe Prasanna Kumar - To be reviewed)

=== Error Handling & Logging===
* Logging - why log? what to log? log4j, etc. (0%, TD)
* Exception handling techniques (0%, TD)
** fail-open/fail-closed
** resource cleanup
** finally block
** swallowing exceptions
* Exception handling frameworks (50%, TD)
** Servlet spec - web.xml
** [[Securing tomcat]] (100%, Darren Edmonds, Completed)
** JSP errorPage (0%, TD)
* Web application forensics (0%, TD)

=== Web Services Security ===
* SAML (0%, TD)
* (X)WS-Security (0%, TD)
* SunJWSDP (0%, TD)
* WSS4J (0%, Eelco Klaver)
* XML Signature (JSR 105) (0%, TD)
* XML Encryption (JSR 106) (0%, TD)

=== Code Analysis Tools ===
The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Tutorial]] guidelines, these submissions will be gladly received.
* Introduction (0%, TD)
* [[:Category:OWASP LAPSE Project]] (100%, Review)
* FindBugs (0%, TD)
** Creating custom rules
* PMD (0%, TD)
** Creating custom rules
* JLint (0%, TD)
* Jmetrics (0%, TD)

== J2EE Security For Deployers ==
Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.
=== Securing Popular J2EE Servers ===
* [[Securing tomcat|Securing Tomcat]] - (100%, Darren Edmonds, Completed)
* Securing JBoss (0%, TD)
* Securing WebLogic (0%, TD)
* Securing WebSphere (0%, TD)
* Others...

=== Defining a Java Security Policy ===
Practical information on creating a Java security policies for J2EE servers.
* PolicyTool - JChains already provides this functionality, one policy tool is enough.
* jChains (www.jchains.org) - (0%, TD)

=== Protecting Binaries ===
* Bytecode manipulation tools and techniques (0%, TD)
* [[Bytecode obfuscation]] (100%, Pierre Parrend, Released)
* Convert bytecode to native machine code (0%, TD)
* [[Protecting code archives with digital signatures]] (100%, Pierre Parrend, Released)
* [[Signing jar files with jarsigner]] (100%, Pierre Parrend, Released)

==J2EE Security for Security Analysts and Testers==
* Using Eclipse to verify Java applications (0%, TD)
* Using [[:Category:OWASP WebScarab Project|WebScarab]] to find vulnerabilities in J2EE applications - (0%, TD)
* Decompiling Java bytecode (0%, TD)

== [[Java Security Resources]] (ongoing)==

[[Category:OWASP Java Project]]

Key Project Information:OWASP Learn About Encoding Project

2009-07-07T01:38:32Z

Federico.casani:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Learn About Encoding Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
This project has as its ultimate goal of demystifying the problems related to the study of character encoding (charset encoding). From charset's proper use to the issue of canonicalization, we'll try to explain and resolve the problems related to this issue so dear to professionals in the ICT world. The project consist of: a web application that explain the character life cycle and a usable textual tool and GUI tool.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [[user:federico.casani|'''Federico Casani''']] [[user:andrea.zonzin|'''Andrea Zonzin''']]
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/listinfo/owasp-learn-about-encoding '''Subscribe here'''] [mailto:owasp-learn-about-encoding@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Tool''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors add link(s)
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Tool Criteria|Apha Quality]]''' [[:OWASP Learn About Encoding Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|[http://http://learnaboutencoding.wordpress.com '''Blog''']
| style="width:29%; background:#cccccc" align="center"|if any, add link(s)
|}
----

Key Project Information:OWASP Learn About Encoding Project

2009-07-07T01:36:39Z

Federico.casani:

----
{| style="width:100%" border="0" align="center"
! colspan="8" align="center" style="background:#4058A0; color:white"|'''PROJECT INFORMATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|'''OWASP Learn About Encoding Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="7" style="width:85%; background:#cccccc" align="left"|
This project has as its ultimate goal of demystifying the problems related to the study of character encoding (charset encoding). From charset's proper use to the issue of canonicalization, we'll try to explain and resolve the problems related to this issue so dear to professionals in the ICT world. The project consist of: a web application that explain the character life cycle and a usable textual tool and GUI tool.
|-
| style="width:15%; background:#7B8ABD" align="center"|
'''Key Project Information'''
| style="width:14%; background:#cccccc" align="center"|
Project Leader [[user:federico.casani|'''Federico Casani''']] [[user:andrea.zonzin|'''Andrea Zonzin''']]
| style="width:15%; background:#cccccc" align="center"|
Project Contibutors (if any)
| style="width:10%; background:#cccccc" align="center"|
Mailing List [https://lists.owasp.org/mailman/listinfo/owasp-learn-about-encoding '''Subscribe here'''] [mailto:owasp-learn-about-encoding@lists.owasp.org '''Use here''']
| style="width:17%; background:#cccccc" align="center"|
License [http://creativecommons.org/licenses/by-sa/3.0/ '''Creative Commons Attribution Share Alike 3.0''']
| style="width:14%; background:#cccccc" align="center"|
Project Type [[:Category:OWASP_Project#Alpha_Status_Projects|'''Tool''']]
| style="width:15%; background:#cccccc" align="center"|
Sponsors add link(s)
|}
{| style="width:100%" border="0" align="center"
! align="center" style="background:#7B8ABD; color:white"|'''Release Status'''
! align="center" style="background:#7B8ABD; color:white"|'''Main Links'''
! align="center" style="background:#7B8ABD; color:white"|'''Related Projects'''
|-
| style="width:29%; background:#cccccc" align="center"|
'''[[:Category:OWASP Project Assessment#Alpha Quality Tool Criteria|Apha Quality]]''' [[:OWASP Learn About Encoding Project - Assessment Frame|Please see here for complete information.]]
| style="width:42%; background:#cccccc" align="center"|
* [http://http://learnaboutencoding.wordpress.com '''Blog''']
| style="width:29%; background:#cccccc" align="center"|
* if any, add link(s)
|}
----

OWASP Java Table of Contents

2009-07-07T01:22:56Z

Federico.casani: /* Authorization */

Key:
* xx%: Progress status of the paragraph
* Review: The paragraph needs a review
* TD: Paragraph to be assigned

==[[J2EE Security for Architects]]==
Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.

Any other security concerns that should be addressed during the design phase should also be mentioned here.
===Design considerations===
* Architectural considerations (0%, TD)
** EJB Middle tier (0%, TD)
** Web Services Middle tier (0%, TD)
** Spring Middle tier (0%, TD)

==[[J2EE Security for Developers]]==
=== Noteworthy Frameworks ===
Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level. For example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.

(0%, Seeking Volunteers)
* Cocoon
* [[Java Server Faces]] (Sam Reghenzi - 90%, Finalising content)
* JSecurity
* SiteMesh
* Spring (0%, Adrian San Juan, TD)
* [[Struts]] (0% Jon Forck)
* Tapestry
* Tiles
* Turbine
* Webwork
* [[Wicket]]

===Java Security Basics===
Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.
* Class Loading (0%, Philippe Clairet)
* Bytecode verifier (0%, Philippe Clairet)
* The Security Manager and security.policy file (0%, John Wilander, Philippe Clairet)

===Input Validation Overview ===
Input validation is perhaps the most important category of application security. Any data entering a software system must be verified to contain safe data that is not mounting a SQL Injection, XSS, CSRF or other form of attack. This is done primarily through the use of regular expressions. It's crucial not to hard-code input validation routines. Regular expressions should contained within a configuration file that can easily updated by an InfoSec professional and not require a programmers intervention or deployment of new application code. Application security needs change over time as new attack vectors are discovered. Application administers need to be able to react to these changes as quickly as possible.

===Input Validation ===
* Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc...) (0%, TD)
* [[How to add validation logic to HttpServletRequest]] (100%, Jeff Williams, Complete)
* [[How to perform HTML entity encoding in Java]] (100%, Jeff Williams, Complete)

==== [[Preventing SQL Injection in Java]] ====
* Overview
* Prevention (60%, Stephen de Vries, Review)
** White Listing
** Prepared Statements
** Stored Procedures
** Hibernate
** Ibatis (60%, Rohyt Belani, Review)
** Spring JDBC
** EJB 3.0
** JDO

==== [[Preventing LDAP Injection in Java]] ====
* Overview (100%, Stephen de Vries, Complete)
* Prevention (100%, Stephen de Vries, Complete)

==== [[XPATH Injection]] ====
As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.
* Overview (0%, TD)
* Prevention (0%, TD)

==== [[Miscellaneous Injection Attacks]] ====
* HTTP Response splitting (0%, TD)
* Command injection - Runtime.getRuntime().exec() (0%, TD)
* Regular Expression (regex) Injections (20%)

''' Status '''
In progress

=== Authentication===
* [[Storing credentials]] - (20%, Adrian San Juan, Review)
* [[Hashing Java|Hashing]] - (100%, Michel Prunet, Review)
* [[SSL Best Practices]] - (20%, Philippe Curmin, Review)
* [[Using JCaptcha]] - (100%, Dave Ferguson, Review)
* Container-managed authentication with Realms
** [[Declarative Access Control in Java]] - (100%, Dave Ferguson, Completed)
* [[JAAS Timed Login Module]] - (100%, Stephen de Vries, Review)
* [[JAAS Tomcat Login Module]] - (100%, Stephen de Vries, Review)
* [[Password length & complexity]] - (100%, Adrian San Juan, Review)

===Session Management ===
The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples.
* Logout (0%, TD)
* Session Timeout (0%, TD)
* Absolute Timeout (0%, TD)
* [[Session Fixation in Java]] (100%, Rohyt Belani, Review)
* Terminating sessions (0%, TD)
** Terminating sessions when the browser window is closed

===Authorization===
* [[Declarative v/s Programmatic]] (10%, TD)
* EJB Authorization (0%, TD)
* Acegi (0%, TD)
* JACC (0%, TD)
* Check horizontal privilege (0%, TD)
* MAC Filter (0%, TD)

=== Encryption===
* [http://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions JCE] (100%, Joe Prasanna Kumar - To be reviewed)
* Storing db secrets (0%, TD)
* Encrypting JDBC connections (0%, TD)
* [http://www.owasp.org/index.php/Using_the_Java_Secure_Socket_Extensions JSSE] (100%, Joe Prasanna Kumar - To be reviewed)
* [http://www.owasp.org/index.php/Digital_Signature_Implementation_in_Java Digital Signatures in Java] (100%, Joe Prasanna Kumar - To be reviewed)

=== Error Handling & Logging===
* Logging - why log? what to log? log4j, etc. (0%, TD)
* Exception handling techniques (0%, TD)
** fail-open/fail-closed
** resource cleanup
** finally block
** swallowing exceptions
* Exception handling frameworks (50%, TD)
** Servlet spec - web.xml
** [[Securing tomcat]] (100%, Darren Edmonds, Completed)
** JSP errorPage (0%, TD)
* Web application forensics (0%, TD)

=== Web Services Security ===
* SAML (0%, TD)
* (X)WS-Security (0%, TD)
* SunJWSDP (0%, TD)
* WSS4J (0%, Eelco Klaver)
* XML Signature (JSR 105) (0%, TD)
* XML Encryption (JSR 106) (0%, TD)

=== Code Analysis Tools ===
The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Tutorial]] guidelines, these submissions will be gladly received.
* Introduction (0%, TD)
* [[:Category:OWASP LAPSE Project]] (100%, Review)
* FindBugs (0%, TD)
** Creating custom rules
* PMD (0%, TD)
** Creating custom rules
* JLint (0%, TD)
* Jmetrics (0%, TD)

== J2EE Security For Deployers ==
Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.
=== Securing Popular J2EE Servers ===
* [[Securing tomcat|Securing Tomcat]] - (100%, Darren Edmonds, Completed)
* Securing JBoss (0%, TD)
* Securing WebLogic (0%, TD)
* Securing WebSphere (0%, TD)
* Others...

=== Defining a Java Security Policy ===
Practical information on creating a Java security policies for J2EE servers.
* PolicyTool - JChains already provides this functionality, one policy tool is enough.
* jChains (www.jchains.org) - (0%, TD)

=== Protecting Binaries ===
* Bytecode manipulation tools and techniques (0%, TD)
* [[Bytecode obfuscation]] (100%, Pierre Parrend, Released)
* Convert bytecode to native machine code (0%, TD)
* [[Protecting code archives with digital signatures]] (100%, Pierre Parrend, Released)
* [[Signing jar files with jarsigner]] (100%, Pierre Parrend, Released)

==J2EE Security for Security Analysts and Testers==
* Using Eclipse to verify Java applications (0%, TD)
* Using [[:Category:OWASP WebScarab Project|WebScarab]] to find vulnerabilities in J2EE applications - (0%, TD)
* Decompiling Java bytecode (0%, TD)

== [[Java Security Resources]] (ongoing)==

[[Category:OWASP Java Project]]

User:Federico.casani

2009-07-06T11:14:48Z

Federico.casani:

Category:OWASP Learn About Encoding Project

2009-06-05T08:44:04Z

Federico.casani:

[[:Key Project Information:OWASP Learn About Encoding Project|Click here to see (& edit, if wanted) the project's template.]]
{{:Key Project Information:OWASP Learn About Encoding Project}}

'''Preamble'''
----
Starting with projects such as overtime
* [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]
* [http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/org/owasp/esapi/codecs/?r=364 ESAPI Codecs and Encoder]

The "OWASP Learn About Encoding Project" has not discovered anything new, but rather wants to emphasize
the importance of input sanitize and output escaping. In the network there are often errors in the visualization
of pages: you see question marks (?) where it should be accented letters, there are strange characters (i.e. A+tilde,
A+umlauts) where this should be the "euro" character, and so way. Not only that: but there are communication channels
that allow the exchange of characters not properly controlled: i.e. sms messages, chat messages, voip client, ecc..
often contain values are not consistent.

The use of proper Charset is essential for
* integrity of the data: if we take in input some characters, we want to "see" the same characters in output
* the prevention of the problem of Canonicalization: the knowledge of Charsets is the first thing to do

'''Goal'''
----
This is a project that aims to educate developers, systems analysts or anyone who writes code regarding the knowledge
of proper use of Charset and Canonicalization. The project will seek to give a comprehensive response by crossing one
another most scenarios highlighting the roles of key players (browser, operating system, database, etc. ..).

To achieve this goal we decided to create a tool in three different formats:

* web application
* swing application
* shell tool

'''Roadmap'''
----
Detailed roadmap for future developments:

01/03/09 : Startup

01/03/09 - 15/03/09 : Project Goal Definition

16/03/09 - 31/03/09 : Project Architecture Definition

01/04/09 - 31/06/09 : Code Development

01/07/09 : Alpha release

05/07/09 - 30/07/09 : Bug Fixing

01/08/09 - 30/10/09 : Project Development - enhancement, new features

01/11/09 : Beta release

02/11/09 - 30/11/09 : Bug Fixing

'''News'''
----
http://blogs.sun.com/CoreJavaTechTips/entry/the_overhaul_of_java_utf

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Alpha Quality Tool]]

Template:ProjectTabs

2009-06-04T15:25:38Z

Federico.casani:

==== About ====
{{{Proj_About}}}

==== FAQ ====
{{{Proj_Documentation}}}

==== News ====
{{{Proj_Mail}}}

==== Contributors/Users ====
{{{Proj_Contributors}}}

__NOTOC__
<headertabs/>

Category:OWASP Learn About Encoding Project

2009-06-02T22:54:00Z

Federico.casani:

[[:Key Project Information:OWASP Learn About Encoding Project|Click here to see (& edit, if wanted) the project's template.]]
{{:Key Project Information:OWASP Learn About Encoding Project}}

{{ ProjectTabs |
Proj_About =
'''Preamble'''
----
Starting with projects such as overtime
* [[XSS (Cross Site Scripting) Prevention Cheat Sheet]]
* [http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/org/owasp/esapi/codecs/?r=364 ESAPI Codecs and Encoder]

The "OWASP Learn About Encoding Project" has not discovered anything new, but rather wants to emphasize
the importance of input sanitize and output escaping. In the network there are often errors in the visualization
of pages: you see question marks (?) where it should be accented letters, there are strange characters (i.e. A+tilde,
A+umlauts) where this should be the "euro" character, and so way. Not only that: but there are communication channels
that allow the exchange of characters not properly controlled: i.e. sms messages, chat messages, voip client, ecc..
often contain values are not consistent.

The use of proper Charset is essential for
* integrity of the data: if we take in input some characters, we want to "see" the same characters in output
* the prevention of the problem of Canonicalization: the knowledge of Charsets is the first thing to do

'''Goal'''
----
This is a project that aims to educate developers, systems analysts or anyone who writes code regarding the knowledge
of proper use of Charset and Canonicalization. The project will seek to give a comprehensive response by crossing one
another most scenarios highlighting the roles of key players (browser, operating system, database, etc. ..).

To achieve this goal we decided to create a tool in three different formats:

* web application
* swing application
* shell tool

|

Proj_Documentation=
'''Roadmap'''
----
Detailed roadmap for future developments:

01/03/09 : Startup

01/03/09 - 15/03/09 : Project Goal Definition

16/03/09 - 31/03/09 : Project Architecture Definition

01/04/09 - 31/06/09 : Code Development

01/07/09 : Alpha release

05/07/09 - 30/07/09 : Bug Fixing

01/08/09 - 30/10/09 : Project Development - enhancement, new features

01/11/09 : Beta release

02/11/09 - 30/11/09 : Bug Fixing

|

Proj_Mail= http://blogs.sun.com/CoreJavaTechTips/entry/the_overhaul_of_java_utf

|

Proj_Contributors= send an email to Project Leader

}}

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Alpha Quality Tool]]