Difference between revisions of "SpoC 007 - OWASP The Anti-Samy Project - Progress Page"

From OWASP
 
Line 1: Line 1:
Great strides have been made, and the scope of the project has expanded in some respects and been reduced in others. This is due to the inclusion of CSS as a source both valid formatting data and possible malicious code. Consider a user who is incapable of supplying JavaScript but who is capable of supplying CSS. A malicious user could create a div with a positive z-index that overlayed the entire original page in which the div resides. The user could then effect a phishing attack by making the div look like the login page of the container web site's login page.
+
This project is finished. It was presented and demonstrated at the OWASP Fall 2007 San Jose conference. The project now lives on http://code.google.com/p/owaspantisamy/
 
 
Although I have gone through W3C's HTML 4.0 specifications and built a strong policy file that only accepts valid HTML, the file will not be complete until CSS can be validated appropriately. Jason Li has been enlisted to help tackle the problem of CSS, both in the XML policy file and in the application. This is essentially the only remaining engineering work, since the validator is already built.
 
 
 
Also, a technical paper (with academic undertones) has been written to justify and explain the position of the API. The paper will is essentially complete, but still awaits the inclusion of some performance testing results.
 
 
 
Overall, I'd say the project is 60% finished.
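Review bot: The single added line at Line 1 replaces the whole progress report, so the page loses its only statement of why CSS came into scope (a div with a positive z-index overlaying the page to imitate the container site's login page). Suggest keeping that paragraph as background beneath the "This project is finished" notice. The removed text also lists CSS validation as the only remaining engineering work and says the paper was awaiting performance testing results; the new line declares the project finished without saying whether either was completed, so a sentence confirming their status would close that gap.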
 

Latest revision as of 05:48, 17 November 2007

This project is finished. It was presented and demonstrated at the OWASP Fall 2007 San Jose conference. The project now lives on http://code.google.com/p/owaspantisamy/