Survey

[jim at manico.net (Jim Manico)]

How does xHTML help stop access control vulnerabilities? Authorization
issues? CSRF problems?

And who is to say that an attacker cannot still do server side injection
(sql injection, ldap injection) or timing attacks?

I'm just getting started. xHTML is only one tiny piece of the outbound
encoding problem.

Hey, while we are at it - who is to say that someone mounting a MITM
attack could not modify/corrupt data and still be (woo ho) xHTML valid?

- Jim
> Hi Jim,
>
> " There are plenty of sites that are perfectly x/html valid that are
> completely insecure."
>
> Well, perhaps too many people have been listening to this drumbeat:
> "In fact, a non-developer: such as someone in marketing who uses
> Dreamweaver, could also do almost as much as a normal WAF by saving
> their content as valid XHTML. This would buy the organization basic
> application security functionality, which is what WAF also attempts to
> do."
>
> http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/
>
> I rest my case.
> Stephen
>
> On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico <jim at manico.net
> <mailto:jim at manico.net>> wrote:
>
>     There are plenty of sites that are perfectly x/html valid that are
>     completely insecure.
>
>     There are plenty of sites that follow perfect w3c and other
>     standards that are completely insecure.
>
>     There are plenty of sites that are top-tier security vendors that,
>     at least in the past, have been insecure.
>
>     - Jim
>
>
> >     At 11:11 AM -0400 8/24/08, Paco Hope wrote:
> >
> >       
> > >     Clearly the survey's content is only of interest if the HTML validates.
> > >         
> >     The publisher of the web page is not in the security business,
> >     they are in the publishing business.  But how can I respect
> >     their publishing expertise if they fail a simple automatic
> >     test.
> >
> >     And how can their target audience of security folk, who depend
> >     strongly on following standards respect the knowledge of a
> >     publisher who does not follow publishing standards.
> >
> >       
> > >     On Aug 24, 2008, at 9:47 AM, "ljknews" <ljknews at mac.com> <mailto:ljknews at mac.com> wrote:
> > >
> > >         
> > > >     At 2:43 PM -0400 8/22/08, Gary McGraw wrote:
> > > >
> > > >           
> > > > >     BankInfoSecurity is running a survey on software security that some
> > > > >     of you may be interested in participating in.  Try it yourself here:
> > > > >
> > > > >     http://www.bankinfosecurity.com/surveys.php?surveyID=1
> > > > >             
> > > >     Hmmm.  http://validator.w3.org says there are 973 errors on that page.
> > > >           
>
>
>     -- 
>     Jim Manico, Senior Application Security Engineer
>     jim.manico at aspectsecurity.com <mailto:jim.manico at aspectsecurity.com> | jim at manico.net <mailto:jim at 
> manico.net>
>     (301) 604-4882 (work)
>     (808) 652-3805 (cell)
>
>     Aspect Security?
>     Securing your applications at the source
>     http://www.aspectsecurity.com
>
>     ---------------------------------------------------------------
>     Management, Developers, Security Professionals ...
>     ... can only result in one thing. BETTER SECURITY.
>     http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference  
>     Sept 22nd-25th 2008
>
>         
>
>
>     _______________________________________________
>     Secure Coding mailing list (SC-L) SC-L at securecoding.org
>     <mailto:SC-L at securecoding.org>
>     List information, subscriptions, etc -
>     http://krvw.com/mailman/listinfo/sc-l
>     List charter available at -
>     http://www.securecoding.org/list/charter.php
>     SC-L is hosted and moderated by KRvW Associates, LLC
>     (http://www.KRvW.com)
>     as a free, non-commercial service to the software security community.
>     _______________________________________________


-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security?
Securing your applications at the source
http://www.aspectsecurity.com

---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference  
Sept 22nd-25th 2008


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20080826/58fc08c1/attachment.html