C# - Security Runtime Engine vs AntiXSS Library


I see the Web Protection Library (WPL) comes in two different options:

  • Security Runtime Engine (SRE)
  • AntiXSS Library

The first one seems great since no code is necessary; it's an HttpModule. The second requires manually adding escaping logic to the code.

Despite the advantage mentioned, the SRE is not popular, and I'm wondering why. Is there a known problem with the library, or a big advantage of using AntiXSS that I'm not seeing?

Thanks!

The biggest flaw I see in the SRE is that it looks to me to be reliant on "blacklisting" behavior. For example, it tries to detect SQL statements in order to provide SQL injection protection. Blacklisting is weak, due to the fact that you have to know all potentially harmful input in order to provide 100% protection.

http://www.owasp.org/index.php/data_validation#data_validation_strategies

That is not to say I don't see value in the SRE. I think it looks like a nice tool to have in your arsenal, if considered an additional layer of defense.

The other disadvantage I see is that using the library may encourage coders to be lazy about learning how to secure applications. Relying on an individual tool to offer protection (or a bunch of tools to offer protection) is foolish at best. It's easy for a programmer to inadvertently introduce security flaws that thwart the best of tools. Therefore, as a developer, one concerned about security should not rely on such a tool, but should be escaping anyway, rather than trusting the tool to do it for them.

In other words, it looks like a tool to use, but not at the expense of taking precautions on your own. And programmers who know how to defend against common web attacks are smart enough to know not to rely solely on a tool. If you are coding defensively, and you're already protecting against SQL injection, adding a module that does the same thing seems redundant. I would venture to guess that is the reason for the lack of popularity.

One other side note: the functionality provided is similar to what you'd find in a web application firewall (WAF). It's subject to the same basic fundamental flaws. Here is a nice read on why a WAF is not enough, which answers why the SRE is not enough, and why you should not rely on it.

http://www.acunetix.com/blog/news/implementing-a-web-application-firewall-only-is-not-enough-to-secure-web-applications/
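The "escape anyway, don't rely on the module" approach the answer recommends, as an added example that is not part of the original post or the WPL project: each output context gets the AntiXSS encoder for that context, and SQL values travel as parameters rather than being detected by a filter. It assumes the AntiXSS 4.x `Microsoft.Security.Application.Encoder` class is referenced; the `Comments` table, the `CountComments` helper and the sample input are constructed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using Microsoft.Security.Application; // AntiXSS 4.x Encoder (assumed referenced)

public static class DefensiveOutput
{
    // Allow-list encoding per sink: the encoder decides what is safe for
    // that context, so no list of "bad" input has to be maintained.
    public static string RenderComment(string displayName, string comment)
    {
        // Attribute context: inside title="..."
        string nameAttr = Encoder.HtmlAttributeEncode(displayName);
        // Element body context: between <p> and </p>
        string body = Encoder.HtmlEncode(comment);
        // Query-string value context: inside href="profile.aspx?user=..."
        string userParam = Encoder.UrlEncode(displayName);
        // Script context: JavaScriptEncode emits the surrounding quotes itself
        string jsName = Encoder.JavaScriptEncode(displayName);

        return "<div title=\"" + nameAttr + "\">"
             + "<a href=\"profile.aspx?user=" + userParam + "\">profile</a>"
             + "<p>" + body + "</p>"
             + "<script>showAuthor(" + jsName + ");</script>"
             + "</div>";
    }

    // SQL injection defence by construction: the value never becomes part
    // of the statement text, so nothing needs to recognise SQL keywords.
    public static int CountComments(string connectionString, string displayName)
    {
        const string sql = "SELECT COUNT(*) FROM Comments WHERE Author = @author";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@author", SqlDbType.NVarChar, 64).Value = displayName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Constructed sample input containing characters that are significant
        // in several of the contexts above.
        string html = RenderComment("O'Brien <b>", "1 < 2 & 3 > 2 \"quoted\"");
        Console.WriteLine(html);
    }
}
```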
