Secure Coding mailing list archives

Survey


From: jim at manico.net (Jim Manico)
Date: Tue, 26 Aug 2008 11:06:21 -1000

Making very complex Ajax rich-client web applications perfectly xHTML
valid is not easy. Most of the enterprise world goes way beyond simple
flat file xHTML. Add in (the real reality of) highly database-driven,
dynamically generated javascript/ajax heavy pages, and I continue to
conjecture that perfect xHTML is not only not that important but very
difficult to accomplish. Or at least it's not "simple" as you state below.

Heck, who is to say that you can't accomplish XSS or other client-side
attacks and still be xHTML compliant?

I think you would go a lot further in securing your apps if you got
programmers to html entity encode output data, actually do access
control right, encode data on the server side to prevent injection
attacks, etc.

Sure the WAF world would like xHTML - but we do not live in a perfect
world. Most sites are not xHTML compliant in the enterprise.

- Jim

At 9:12 AM -1000 8/26/08, Jim Manico wrote:

    How does xHTML help stop access control vulnerabilities?
    Authorization issues? CSRF problems?

It is indicative of the caliber of the people who built
the site.

My immediate interest is that validation combats browser crashes.

I am not interested in dealing with people who cannot get
the simple things right.


-- 
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security
Securing your applications at the source
http://www.aspectsecurity.com

---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference  
Sept 22nd-25th 2008



