
Difference between revisions of "Project Information:template AntiSamy Project - Final Review - Second Reviewer - F"

From OWASP
Line 31: Line 31:
 
3. Please do use the right hand side column to provide advice and make work suggestions.
 
3. Please do use the right hand side column to provide advice and make work suggestions.
 
  | colspan="2" style="width:75%; background:#cccccc" align="left"|
 
  | colspan="2" style="width:75%; background:#cccccc" align="left"|
A) The offsiteURL regular expression in the policy files could be more restrictive.  Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where it should only be allowed in the path and the colon (:) character allowed outside of the FQDN.  More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted.  There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
+
The offsiteURL regular expression in the policy files could be more restrictive.  Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where it should only be allowed in the path and the colon (:) character allowed outside of the FQDN.  More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted.  There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
 
  |-  
 
  |-  
 
  | style="width:25%; background:white" align="center"|'''PART II'''  
 
  | style="width:25%; background:white" align="center"|'''PART II'''  
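Review bot: dropping the "A)" enumerator from the advice cell leaves the two distinct recommendations it carries (tightening the offsiteURL regular expression, and adding performance measurements for AntiSamy.NET input processing) running together in one paragraph; since the cell now has no enumeration at all, either keep it as a single item or split it into two labelled items so a later "B)" can be added consistently.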

Revision as of 16:26, 1 October 2008


FINAL REVIEW
PART I

Project Deliveries & Objectives

OWASP AntiSamy .NET Project's Deliveries & Objectives

QUESTIONS ANSWERS

1. To what extent have the project deliveries and objectives been accomplished? Taking into consideration the assumed ones, please give examples by writing down those that have not been realised.

The OWASP AntiSamy.NET project aims to provide an API for .NET applications for validating rich HTML/CSS input from users without exposing the web application to cross-site scripting and phishing attacks. The project is a direct port of the AntiSamy Java API. Currently, the project has one outstanding feature left to be implemented – Cascading Style Sheet (CSS) support. Support for CSS would allow users to wrap input within inline style and div elements. Arshan Dabirsiaghi stated at the beginning of the project that it would not include support for CSS by the conclusion of Summer of Code 2008. This is noted here for reference, as it is not stated on the project site.

There are also 8 outstanding issues (defects) of Low and Medium priority listed in http://code.google.com/p/owaspantisamy/issues/list, none of which affect the .NET version of AntiSamy.

2. To what extent have the project deliveries and objectives been accomplished? Taking into consideration the assumed ones, please quantify in terms of percentage.

Overall, AntiSamy.NET is about 70% complete with missing CSS support.

3. Please do use the right hand side column to provide advice and make work suggestions.

The offsiteURL regular expression in the policy files could be more restrictive. Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where they should only be allowed in the path, and the colon (:) character allowed outside of the FQDN. More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted. There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
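The regular-expression concern raised in the answer above, illustrated with an added Python example that is not part of this review and not AntiSamy's own policy file or code (AntiSamy.NET is written in C#; both patterns and all sample URLs below are constructed for illustration). It places a permissive pattern, which treats everything after the scheme as one undifferentiated character class, beside a stricter one that confines the host to letters, digits, hyphens and dots ending in an alphabetic TLD, accepts a colon only as the scheme separator or before a numeric port, and permits non-ASCII characters only after the host.

```python
"""Permissive versus stricter URL-allowlist patterns for an HTML sanitizer policy.

Constructed example: neither pattern is the AntiSamy policy file's real
'offsiteURL' expression; they only illustrate the reviewer's point.
"""
import re

# Constructed permissive pattern: after the scheme, one character class
# covers host, port, path and query alike, so a colon or a non-ASCII
# character is accepted anywhere, including inside the host name.
PERMISSIVE = re.compile(r"""(?:https?|ftp)://[^\s<>"']+""")

# Constructed stricter pattern:
#  - host: one or more LDH labels (letter/digit/hyphen, 1-63 chars, no
#    leading or trailing hyphen) each followed by a dot, then an alphabetic TLD;
#  - the only colons allowed are the scheme separator and an optional
#    numeric port;
#  - everything after the host must start with '/', '?' or '#' and may use
#    RFC 3986 unreserved/sub-delimiter characters, percent-encoding, and
#    (via \w in Python's default Unicode mode) non-ASCII letters.
STRICT = re.compile(
    r"(?P<scheme>https?|ftp)://"
    r"(?P<host>(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63})"
    r"(?::(?P<port>[0-9]{1,5}))?"
    r"(?P<rest>[/?#][\w\-._~%!$&'()*+,;=:@/?#]*)?"
)


def classify(url: str) -> tuple[bool, bool]:
    """Return (permissive_accepts, strict_accepts) for one candidate URL.

    fullmatch() is used so that a pattern must cover the whole value; a
    search() or partial match would let trailing junk through.
    """
    return (
        PERMISSIVE.fullmatch(url) is not None,
        STRICT.fullmatch(url) is not None,
    )


# Constructed sample inputs with the behaviour each one probes.
SAMPLES = [
    ("http://example.com/path/page.html", "plain ASCII URL"),
    ("https://example.com:8443/app?x=1", "numeric port and query"),
    ("http://ex\u00e4mple.com/", "non-ASCII letter inside the host"),
    ("http://example.com/caf\u00e9", "non-ASCII letter in the path only"),
    ("http://user:pass@example.com/", "colon and userinfo before the host"),
    ("http://example.com:evil/", "colon followed by a non-numeric port"),
    ("javascript:void(0)", "scheme outside the allowlist"),
    ("http://example.com/a b", "whitespace inside the URL"),
]


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Classify every constructed sample; keyed by URL for easy lookup."""
    return {url: classify(url) for url, _why in SAMPLES}


if __name__ == "__main__":
    print(f"{'URL':40} {'permissive':>10} {'strict':>7}  note")
    for url, why in SAMPLES:
        loose, tight = classify(url)
        print(f"{url:40} {str(loose):>10} {str(tight):>7}  {why}")
```

The table the script prints shows the gap the reviewer describes: the permissive pattern accepts a non-ASCII host, a `user:pass@` prefix and a `:evil` pseudo-port, while the stricter one rejects all three yet still accepts a numeric port and a non-ASCII path segment. The stricter pattern is deliberately an allowlist of what a benign link needs rather than a blocklist of known-bad characters, which is the direction the URI specification cited above points in.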

PART II

Assessment Criteria

OWASP Project Assessment Criteria

QUESTIONS ANSWERS

1. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven’t been fulfilled in terms of Alpha Quality status?

All project criteria to meet Alpha Quality status have been fulfilled.

2. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven’t been fulfilled in terms of Beta Quality status?

AntiSamy.NET is an API for .NET projects. There is no “installer” associated with such a project. Basic usage instructions are included on the wiki, but there could be more effort put here. See below for more.

3. Taking into consideration the OWASP Project Assessment Methodology, which criteria, if any, haven’t been fulfilled in terms of Release Quality status?

AntiSamy.NET has not been analyzed by a source code analysis tool. All 50+ AntiSamy.NET unit tests run have passed. Having been subject to third-party review, all attacks attempted failed to bypass AntiSamy.NET restrictions. More testing should be done using double-encoded attacks and perhaps a second (side) project could be started that contains various attacks to be used for fuzzing applications.

4. Please do use the right hand side column to provide advice and make work suggestions.

It would be nice to see all functions documented and a data flow graph that shows how input flows through the API and is acted on. I (Marcin Wielgoszewski) would be willing to create this documentation for the project. See http://osteele.com/tools/reanimator and http://osteele.com/archives/2006/02/reanimator. Also, with regards to unit testing, see the chapter on "Code Coverage" written by Charlie Miller in "Open Source Fuzzing Tools." It discusses how to increase code coverage with fuzzing. This directly relates to the unit tests as we cannot guarantee they test all functionality implemented within AntiSamy.NET.