How does xHTML help stop access control vulnerabilities? Authorization
issues? CSRF problems?

And who is to say that an attacker cannot still do server side injection
(sql injection, ldap injection) or timing attacks?

I'm just getting started. xHTML is only one tiny piece of the outbound
encoding problem.

Hey, while we are at it - who is to say that someone mounting a MITM
attack could not modify/corrupt data and still be (woo ho) xHTML valid?

- Jim
>
> Hi Jim,
>
> " There are plenty of sites that are perfectly x/html valid that are
> completely insecure."
>
> Well, perhaps too many people have been listening to this drumbeat:
> "In fact, a non-developer: such as someone in marketing who uses
> Dreamweaver, could also do almost as much as a normal WAF by saving
> their content as valid XHTML. This would buy the organization basic
> application security functionality, which is what WAF also attempts to
> do."
>
> http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/
>
> I rest my case.
> Stephen
>
> On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico <[EMAIL PROTECTED]> wrote:
>
>     There are plenty of sites that are perfectly x/html valid that are
>     completely insecure.
>
>     There are plenty of sites that follow perfect w3c and other
>     standards that are completely insecure.
>
>     There are plenty of sites that are top-tier security vendors that,
>     at least in the past, have been insecure.
>
>     - Jim
>
>
>>     At 11:11 AM -0400 8/24/08, Paco Hope wrote:
>>
>>>     Clearly the survey's content is only of interest if the HTML validates.
>>
>>     The publisher of the web page is not in the security business,
>>     they are in the publishing business.  But how can I respect
>>     their publishing expertise if they fail a simple automatic
>>     test?
>>
>>     And how can their target audience of security folk, who depend
>>     strongly on following standards, respect the knowledge of a
>>     publisher who does not follow publishing standards?
>>
>>>     On Aug 24, 2008, at 9:47 AM, "ljknews" <[EMAIL PROTECTED]> wrote:
>>>
>>>>     At 2:43 PM -0400 8/22/08, Gary McGraw wrote:
>>>>
>>>>>     BankInfoSecurity is running a survey on software security that some
>>>>>     of you may be interested in participating in.  Try it yourself here:
>>>>>
>>>>>     http://www.bankinfosecurity.com/surveys.php?surveyID=1
>>>>
>>>>     Hmmm.  http://validator.w3.org says there are 973 errors on that page.


-- 
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference  
Sept 22nd-25th 2008


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
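Jim's point in the message above, that a page can be flawless XHTML and still have no authorization check and no CSRF protection, as an added example that is not part of the thread. All names here (the ACCOUNTS table, `view_account_insecure`, `view_account_secure`, the session dict) are constructed for illustration; the "validity" check is XML well-formedness plus the XHTML namespace, which is the mechanical kind of test http://validator.w3.org performs, and it passes for both the vulnerable and the hardened handler.

```python
"""Constructed example: two XHTML-well-formed account pages, one served by a
handler with no authorization check, one by a hardened handler. The markup
check cannot tell them apart."""
import html
import secrets
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample data (hypothetical): account id -> record.
ACCOUNTS = {
    101: {"owner": "alice", "balance": "1,250.00"},
    102: {"owner": "bob", "balance": "98.10"},
}


def render_account_page(account_id, record, csrf_token=None):
    """Emit a well-formed XHTML 1.0 Strict document for one account.

    Every dynamic value is escaped for the XHTML text/attribute context, so
    the output stays well-formed regardless of what the record contains."""
    token_field = ""
    if csrf_token is not None:
        token_field = ('<input type="hidden" name="csrf" value="%s" />'
                       % html.escape(csrf_token, quote=True))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
        '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n'
        '<html xmlns="%s"><head><title>Account %d</title></head>'
        '<body><h1>Account %d</h1>'
        '<p>Owner: %s</p><p>Balance: %s</p>'
        '<form method="post" action="/transfer"><p>%s'
        '<input type="text" name="amount" />'
        '<input type="submit" value="Transfer" /></p></form>'
        '</body></html>'
    ) % (XHTML_NS, account_id, account_id,
         html.escape(record["owner"]), html.escape(record["balance"]),
         token_field)


def is_well_formed_xhtml(doc):
    """Mechanical check of the kind a markup validator performs: parse the
    document as XML and confirm the root is an XHTML <html> element.
    It says nothing about who is allowed to see the page."""
    try:
        root = ET.fromstring(doc.encode("utf-8"))
    except ET.ParseError:
        return False
    return root.tag == "{%s}html" % XHTML_NS


def view_account_insecure(session_user, account_id):
    """Vulnerable handler: renders whichever account the request names.
    session_user is never consulted, so any logged-in user can read any
    account, yet the response is perfectly valid XHTML."""
    return render_account_page(account_id, ACCOUNTS[account_id])


def view_account_secure(session_user, account_id, session):
    """Hardened handler: enforce ownership before rendering and bind a
    per-session CSRF token into the state-changing form."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise PermissionError("account %r is not accessible to %r"
                              % (account_id, session_user))
    token = session.setdefault("csrf", secrets.token_urlsafe(32))
    return render_account_page(account_id, record, csrf_token=token)


def verify_csrf_token(session, submitted):
    """Constant-time comparison of a submitted token against the session's."""
    expected = session.get("csrf", "")
    return secrets.compare_digest(expected, submitted or "")


if __name__ == "__main__":
    leaked = view_account_insecure("bob", 101)
    print("insecure page well-formed:", is_well_formed_xhtml(leaked),
          "| exposes alice's account:", "alice" in leaked)
    sess = {}
    page = view_account_secure("alice", 101, sess)
    print("secure page well-formed:", is_well_formed_xhtml(page),
          "| carries CSRF token:", 'name="csrf"' in page)
```

Both handlers produce documents that pass `is_well_formed_xhtml`; only the second one asks who the caller is and ties the transfer form to the session. That is the gap between "validates" and "secure" that the thread is arguing about.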