Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Mark Curphey (mark_at_curphey.com)
Date: Sat Sep 21 2002 - 19:13:52 CDT
Ulf, thanks (on behalf of the OWASP-Guide team).
Version 1.1 will be posted tomorow. A team of hard
working editors have made countless changes and put
it into DocBook XML. A release 2 that will include
lots of new content (language specific) is planned
before the end of the year.
Released versions will be in HTML and PDF. No new
content but a very much better read.
I'll ask them to send out a mail when its on the
---- Ulf Harnhammar <ulfhupdate.uu.se> wrote:
> I have finally taken the time to read the OWASP
> 1.0. It is great already but not perfect. Here are
> for improvement:
> * page 51
> [x0a/x0d] New lines for additional command-
> >> additional faked mail/HTTP headers, new lines
in log files <<
> * page 55
> It should also be noted that it is not enough to
just remove all
> unwanted HTML elements with a function like PHP's
> HTML elements, like <p> or <b>, can execute
> with attributes like onMouseOver. Therefore, you
both need to check
> the HTML elements and the HTML attributes.
> * page 58
> Some web applications forget to put apostrophes
> so in those cases, no special characters need to
be injected to
> corrupt an SQL statement.
> * page 60
> Mitigation techniques talk about the next
> and not the current chapter's.
> * page 76
> *.bak This is dangerous, as some web servers will
> file extensions such as .bak as text/plain. This
means that an
> attacker can download those files as text, instead
of executing them.
> * page 7
> Intended audience
> "dilibertly" -> "deliberately"
> (if it's not meant to be a pun on the Dilbert
> * page 19
> Fail Securely (Closed)
> Awkward phrasing here: "further authentication
requests should be
> not return"
> * page 22
> "The principal at work" -> "The principle"
> * lots of pages
> "maybe" -> "may be"
> I hope that you will incorporate those changes
into some future
> version of the guide!
> // Ulf Harnhammar