SpoC 007 - OWASP The Anti-Samy Project
AoC Candidate: Arshan Dabirsiaghi
Project coordinator: Jeff Williams
Project Progress: 60% Complete, Progress Page
Arshan Dabirsiaghi - OWASP The Anti-Samy Project
My name is Arshan Dabirsiaghi and I am a 25-year-old security consultant. I want to open the door for web sites to allow users to supply their own HTML without exposing them to cross-site scripting attacks.
B.S., M.S. in Computer Science (focus on Information Security)
2.5 years security engineer/consultant experience
4 years of web and systems development
8 years of security hobbying
Many sites today would welcome the ability to let users provide their own HTML in order to customize their page layout and general user experience. Because of the concerns regarding XSS, it is generally thought 'too dangerous' to allow them to input any HTML at all. Sites like MySpace that have been brave enough to provide this functionality have no standardized, proven solution for validating user HTML. In many cases it is easier to disallow everything that looks like HTML, or to output-encode all user input. Not coincidentally, those sites have been the targets of complex attacks. As a result, many sites today simply don't offer this type of functionality because of concerns about XSS and dangerous HTML.
The second goal is to create a software library (versions in both .Net and J2EE) that accomplishes the following:
- provide these capabilities even when dealing with realistically dirty HTML
- build on the mountain of research available for parsing broken HTML
- provide feedback information to the user to help them tune their source to fall within acceptable values
- provide these capabilities in an API that's simple and portable
- utilize an XML engine file that can be used in various language implementations (.Net/J2EE/PHP)
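To make the goals above concrete, here is an added illustration (not AntiSamy code, and not its policy file format) of a policy-driven HTML validator: a whitelist of tags and attributes with a value pattern per attribute, applied to messy user HTML with Python's standard html.parser. Anything not in the policy is dropped and reported back to the user as feedback, unclosed tags are closed, and text is re-encoded on output. The POLICY table and the sample inputs are constructed for this example; the regular expressions are deliberately simple.

```python
import html
import re
from html.parser import HTMLParser

# Constructed example policy: allowed tag -> {allowed attribute: regex its value must match}.
# A real policy would be loaded from an external file (the proposal suggests XML).
POLICY = {
    "b": {},
    "i": {},
    "br": {},
    "p": {"align": r"^(left|right|center)$"},
    "a": {"href": r"^https?://[^\s\"'<>]+$", "title": r"^[\w\s.,-]{0,100}$"},
    "img": {"src": r"^https?://[^\s\"'<>]+$", "alt": r"^[\w\s.,-]{0,100}$"},
}
VOID_TAGS = {"img", "br"}  # tags that never take a closing tag


class PolicySanitizer(HTMLParser):
    """Rebuilds a fragment from scratch, keeping only what the policy permits."""

    def __init__(self, policy):
        # convert_charrefs=True hands us decoded text; we re-escape it ourselves on output
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []        # pieces of the clean fragment
        self.feedback = []   # human-readable notes on what was changed and why
        self.open_tags = []  # stack used to close unclosed / mis-nested tags

    def handle_starttag(self, tag, attrs):
        if tag not in self.policy:
            self.feedback.append(f"tag <{tag}> is not allowed and was removed")
            return
        kept = []
        for name, value in attrs:
            pattern = self.policy[tag].get(name)
            if pattern is None:
                self.feedback.append(f'attribute "{name}" on <{tag}> is not allowed and was removed')
                continue
            if value is None or not re.match(pattern, value, re.IGNORECASE):
                self.feedback.append(
                    f'attribute "{name}" on <{tag}> has value {value!r}, which does not match policy; removed')
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag: drop it
        # Close everything opened after this tag too, repairing mis-nesting.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.feedback.append("HTML comment removed")

    def result(self):
        self.close()  # flush any buffered text
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            self.feedback.append(f"unclosed <{t}> was closed automatically")
        return "".join(self.out)


def sanitize(fragment, policy=POLICY):
    """Return (clean_html, feedback_messages) for a user-supplied fragment."""
    s = PolicySanitizer(policy)
    s.feed(fragment)
    return s.result(), s.feedback


if __name__ == "__main__":
    # Constructed sample of "realistically dirty" user input.
    sample = '<P align=center>Hi <b>there <a href="javascript:alert(1)" onclick="x()">link</a>'
    clean, notes = sanitize(sample)
    print(clean)
    for n in notes:
        print(" -", n)
```

Because the output is rebuilt from the parser's events rather than patched with string replacements, the browser never sees the original bytes; the feedback list is what the proposal calls helping users "tune their source to fall within acceptable values".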
I envision the project requiring 3 man-months, with a few milestones established at reasonable intervals, such as:
- 3 months out: Begin browser/W3C survey.
- 2 months out: Finish survey and begin development of API.
- 1 month out: Complete initial API in both Java and .Net.
- Near release: Perform intense QA on API, fix any remaining bugs.
Long Term Vision