From: Mark Curphey (mark_at_curphey.com)
Date: Sat Sep 21 2002 - 19:13:52 CDT


    Ulf, thanks (on behalf of the OWASP-Guide team).
    Version 1.1 will be posted tomorrow. A team of
    hard-working editors has made countless changes and
    put it into DocBook XML. A release 2 that will include
    lots of new content (language-specific) is planned
    before the end of the year.

    Released versions will be in HTML and PDF. No new
    content, but a very much better read.

    I'll ask them to send out a mail when it's on the
    OWASP site.

    Cheers,

    ---- Ulf Harnhammar <ulfhupdate.uu.se> wrote:
    > Hello,
    >
    > I have finally taken the time to read the OWASP Guide, version
    > 1.0. It is great already but not perfect. Here are my suggestions
    > for improvement:
    >
    >
    > * page 51
    >
    > [x0a/x0d] New lines for additional command-execution
    > >> additional faked mail/HTTP headers, new lines in log files <<
    >
    > * page 55
    >
    > It should also be noted that it is not enough to just remove all
    > unwanted HTML elements with a function like PHP's strip_tags(). Good
    > HTML elements, like <p> or <b>, can execute JavaScript code as well,
    > with attributes like onMouseOver. Therefore, you need to check both
    > the HTML elements and the HTML attributes.
    >
    > * page 58
    >
    > Some web applications forget to put apostrophes around variables,
    > so in those cases, no special characters need to be injected to
    > corrupt an SQL statement.
    >
    > * page 60
    >
    > Mitigation techniques talk about the next chapter's contents,
    > and not the current chapter's.
    >
    > * page 76
    >
    > *.bak This is dangerous, as some web servers will interpret unknown
    > file extensions such as .bak as text/plain. This means that an
    > attacker can download those files as text, instead of executing them.
    >
    > * page 7
    >
    > Intended audience
    >
    > "dilibertly" -> "deliberately"
    >
    > (if it's not meant to be a pun on the Dilbert cartoon)
    >
    > * page 19
    >
    > Fail Securely (Closed)
    >
    > Awkward phrasing here: "further authentication requests should be
    > not return"
    >
    > * page 22
    >
    > "The principal at work" -> "The principle"
    >
    > * lots of pages
    >
    > "maybe" -> "may be"
    >
    >
    > I hope that you will incorporate those changes into some future
    > version of the guide!
    >
    >
    > // Ulf Harnhammar
    > ulfhupdate.uu.se
    > http://www.metaur.nu/
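Editor's worked example for Ulf's page 51 point (CR/LF characters used to fake additional mail/HTTP headers and to fabricate log lines). This is added illustration code, not from the OWASP Guide or from either correspondent; the header fields, the log record layout and the attacker-controlled values are constructed for the demonstration. It builds a header block the naive way, shows what a standards-following parser (Python's email.parser) sees, then rejects the value instead, and escapes CR/LF before writing a log record.

```python
import re
from email.parser import Parser

CRLF_RE = re.compile(r"[\r\n]")


def build_headers_naive(fields):
    """Vulnerable: values are pasted into the header block unchecked, so a
    value containing CR/LF ends its own line and starts a new header."""
    return "".join(f"{name}: {value}\r\n" for name, value in fields.items())


def header_value(value):
    """Reject CR and LF outright rather than trying to repair them: folding
    rules differ between SMTP and HTTP, so 'stripping' is easy to get wrong."""
    if CRLF_RE.search(value):
        raise ValueError("CR/LF not allowed in header value")
    return value


def build_headers_safe(fields):
    return "".join(f"{name}: {header_value(v)}\r\n" for name, v in fields.items())


def header_names(block):
    """Parse a header block the way a receiving MTA or proxy would and return
    the header names it recognises (trailing CRLF terminates the block)."""
    return list(Parser().parsestr(block + "\r\n").keys())


def log_record(client_ip, path, user_agent):
    """One record per request: CR/LF (and the escape character itself) in
    user-controlled fields are encoded, so a single request cannot inject
    extra lines that look like separate records to whoever reads the log."""
    def esc(s):
        return s.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")
    return f"{client_ip} GET {esc(path)} ua={esc(user_agent)}"


# Constructed attacker-controlled values (hypothetical addresses/paths)
SUBJECT = "Hi\r\nBcc: everyone@example.com"
UA = 'x\n10.0.0.1 GET /admin ua="fake record"'

if __name__ == "__main__":
    naive = build_headers_naive({"To": "a@example.com", "Subject": SUBJECT})
    print("naive block parses as headers:", header_names(naive))
    print("log:", log_record("192.0.2.1", "/", UA))
    try:
        build_headers_safe({"Subject": SUBJECT})
    except ValueError as e:
        print("safe builder:", e)
```

The same check applies to anything that later becomes a line-oriented protocol element: a Location value, a Set-Cookie value, a syslog message. Rejecting the request is usually preferable to silently rewriting it, since the injected text is never legitimate input.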
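Editor's worked example for Ulf's page 55 point: an allowlist of "good" tags is not enough when attributes such as onMouseOver are left on them. This is added illustration code, not from the OWASP Guide or from either correspondent; the tag and attribute allowlist and the sample fragment are assumptions made for the demonstration. With check_attrs=False the sanitizer behaves like a tag-only filter (as strip_tags() does when given a list of allowed tags): allowed elements pass with every attribute intact. With check_attrs=True it also drops attributes that are not on the per-tag allowlist and href values without an http(s) scheme.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy (assumed for this example): a few formatting tags,
# and on <a> only an href with an http(s) scheme.
ALLOWED_TAGS = {"p", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class _Sanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens. Tags not on the allowlist
    are dropped (their text content is kept, escaped); with check_attrs set,
    so is every attribute that the policy does not explicitly permit."""

    def __init__(self, check_attrs):
        super().__init__(convert_charrefs=True)
        self.check_attrs = check_attrs
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:            # HTMLParser lowercases names
            value = value or ""
            if self.check_attrs:
                if name not in ALLOWED_ATTRS.get(tag, set()):
                    continue                 # e.g. onmouseover, style, id
                if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                    continue                 # e.g. javascript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(fragment, check_attrs=True):
    """check_attrs=False: tag-only filtering, attributes untouched.
    check_attrs=True: tag allowlist plus per-tag attribute allowlist."""
    parser = _Sanitizer(check_attrs)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample: an event handler on an allowed tag, a javascript: URL
# on an allowed tag, and a <script> element that no tag filter would keep.
SAMPLE = ('<p onMouseOver="alert(1)">Hi <b>there</b> '
          '<script>alert(2)</script><a href="javascript:alert(3)">x</a></p>')

if __name__ == "__main__":
    print("tag-only filter :", sanitize(SAMPLE, check_attrs=False))
    print("tags+attributes :", sanitize(SAMPLE))
```

The tag-only pass removes the script element but hands back `<p onmouseover="alert(1)">` and `href="javascript:alert(3)"` unchanged, which is exactly the gap Ulf describes; the second pass is what a production sanitizer has to do, and the attribute allowlist (not a denylist of on* names) is the part that keeps it robust.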
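Editor's worked example for Ulf's page 58 point: when a variable is interpolated into SQL without surrounding apostrophes, the attacker needs no quote or other special character to change the statement. This is added illustration code, not from the OWASP Guide or from either correspondent; the users table, its rows and the payload are constructed for the demonstration, and SQLite stands in for whatever database the page's reader uses.

```python
import sqlite3


def open_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'alice', 'admin');
        INSERT INTO users VALUES (2, 'bob',   'user');
        INSERT INTO users VALUES (3, 'carol', 'user');
    """)
    return conn


def names_vulnerable(conn, user_id):
    """Numeric value interpolated without quotes. The attacker never has to
    close a string literal, so filtering apostrophes would not help here:
    digits, spaces and the word OR are enough."""
    sql = f"SELECT name FROM users WHERE id = {user_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_safe(conn, user_id):
    """Validate the type first, then bind the value as a parameter so the
    database never parses it as part of the statement."""
    user_id = int(user_id)      # ValueError for '2 OR 1=1', '2; DROP ...', etc.
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id",
                        (user_id,))
    return [row[0] for row in rows]


# Constructed attacker input: no quotes, semicolons or comment markers at all.
PAYLOAD = "2 OR 1=1"

if __name__ == "__main__":
    db = open_db()
    print("vulnerable, id=2       :", names_vulnerable(db, "2"))
    print("vulnerable, id=PAYLOAD :", names_vulnerable(db, PAYLOAD))
    print("safe, id=2             :", names_safe(db, "2"))
    try:
        names_safe(db, PAYLOAD)
    except ValueError as e:
        print("safe rejects PAYLOAD   :", e)
```

Parameter binding is the fix in both the quoted and the unquoted case; the type check in front of it is cheap and gives a clean error at the input boundary instead of a database error further down.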